
Compliance & Regulatory Readiness

Compliance Isn't a Checklist.
It's an Operating Discipline.

HIPAA, CMMC, FTC Safeguards, SOC 2, and cyber insurance requirements demand more than documentation. They demand implemented controls, continuous monitoring, and evidence that your security program actually works.

Written by Ken Satkunam, CISM · President, NorthStar Technology Group

Regulatory compliance in healthcare, defense, financial services, and legal is not getting simpler. The HIPAA Security Rule is being updated for the first time since 2013; the proposed rule was published in January 2025. CMMC 2.0 assessments are being phased into DoD contracts as a condition of award. The amended FTC Safeguards Rule, in force since June 2023, carries specific technical mandates. Cyber insurance carriers are denying claims and refusing renewals when required controls are missing.

Most organizations struggle not because they ignore compliance, but because they treat it as a documentation exercise instead of an operational discipline. They write policies, create binders, and check boxes on questionnaires, but never implement, test, or maintain the actual controls those documents describe. When an auditor, examiner, or insurer tests the real environment, the gaps become obvious.

NorthStar takes a different approach. Through our ProtectPropel™ framework, we build security controls that satisfy regulatory requirements by design, not as an afterthought. The documentation flows from the controls, not the other way around.

Regulatory Frameworks

Frameworks We Support

Each framework has specific technical requirements. We implement the controls, maintain the monitoring, and produce the documentation that auditors and examiners expect.

HIPAA

Healthcare Data Protection

The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards for electronic protected health information (ePHI). HHS OCR has settled over 152 enforcement cases totaling more than $144.8 million, with the proposed 2025 Security Rule update eliminating the distinction between required and addressable specifications.

What we implement:

  • Annual Security Risk Assessments (SRA)
  • Access controls and identity management
  • Encryption at rest and in transit
  • Audit logging with review procedures
  • Backup and disaster recovery with 72-hour restoration targets
  • Incident response plans with tabletop exercises
  • Business Associate Agreement management
  • Workforce security awareness training

CMMC 2.0

Defense Contractor Certification

The Cybersecurity Maturity Model Certification requires defense contractors to demonstrate specific cybersecurity practices to maintain DoD contract eligibility. Level 1 covers 15 basic practices for Federal Contract Information (FCI) and is self-assessed annually. Level 2 maps to all 110 NIST SP 800-171 (Rev. 2) requirements for Controlled Unclassified Information (CUI); most Level 2 contracts require a third-party assessment by a C3PAO every three years, with self-assessment permitted only where the solicitation allows it.

What we implement:

  • NIST 800-171 control alignment across all 14 families
  • System Security Plan (SSP) development
  • Plan of Action and Milestones (POA&M) management
  • CUI boundary definition and network segmentation
  • Access control and MFA on all CUI-adjacent systems
  • Continuous monitoring and audit log retention
  • C3PAO assessment preparation

FTC Safeguards Rule

Financial Data Protection

Amended in 2021 and in force since June 2023, the FTC Safeguards Rule under GLBA requires financial institutions to implement comprehensive information security programs. The definition of "financial institution" is broad: it covers insurance agencies, CPA firms, auto dealerships, tax preparers, and any other entity significantly engaged in financial services that is not already under another regulator's jurisdiction (SEC-registered broker-dealers and investment advisers, for example, fall under the SEC's parallel Regulation S-P instead). The amended rule mandates a designated Qualified Individual, written risk assessments, and specific technical controls.

What we implement:

  • Qualified Individual (QI) program establishment
  • Written Information Security Program (WISP)
  • Risk assessment documentation and annual review
  • MFA on all systems accessing customer financial information
  • Encryption of customer data at rest and in transit
  • Service provider oversight and vendor management
  • Incident response plan with reporting procedures, including notification to the FTC within 30 days of discovering a breach affecting 500 or more consumers
  • Annual board/management reporting

Cyber Insurance Readiness

Insurability & Premium Optimization

Cyber insurance carriers have dramatically tightened underwriting requirements since 2022. Policies are being denied, claims rejected, and premiums increased when organizations cannot demonstrate specific security controls. The controls carriers require closely mirror what HIPAA, CMMC, and FTC Safeguards already mandate, which means compliance-aligned organizations often find insurance easier to obtain and more affordable to maintain.

What we implement:

  • MFA on email, VPN, and remote access
  • Endpoint detection and response (EDR) on all devices
  • Tested backups with offline/air-gapped copies
  • Documented and tested incident response plan
  • Annual security awareness training with phishing simulations
  • Vulnerability scanning and penetration testing
  • Privileged access management

Common Gaps

Why Compliance Programs Fail

These are the gaps NorthStar finds most often when we assess a new client's compliance posture. Every one of them creates audit risk, insurance exposure, or both.

No documented risk assessment

Required by HIPAA, CMMC, and FTC Safeguards. Without one, every other compliance effort lacks a defensible foundation.

Policies exist but controls don't

Organizations write security policies to check a box but never implement the technical controls those policies describe. Auditors test both.

Backups are untested

Having backups is not the same as having working backups. The proposed HIPAA Security Rule update would require restoring lost systems and data within 72 hours. Most practices have never timed a full restore, so they have no evidence they could meet that target.
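A restore drill produces that evidence. The script below is an added example, not NorthStar's tooling or code from this page: it backs up a constructed sample dataset, records a SHA-256 manifest at backup time, restores the archive into scratch space, verifies every file against the manifest, and times the restore against an assumed 72-hour objective. It also shows why "the restore completed" is not proof of anything: with `simulate_corruption=True` it flips one payload byte inside the archive, extraction still succeeds (tar only checksums headers), and only the manifest comparison catches the damage. The data, paths, and objective are all assumptions for illustration.

```python
"""Restore drill: back up a constructed sample dataset, restore it to scratch
space, verify every file against a manifest taken at backup time, and time
the restore against a recovery objective."""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

# Assumed recovery objective; mirrors the 72-hour figure in the proposed HIPAA update.
RTO_SECONDS = 72 * 3600


def hash_tree(root: Path) -> dict[str, str]:
    """SHA-256 of every regular file under root, keyed by POSIX relative path."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(src: Path, archive: Path) -> dict[str, str]:
    """Write an uncompressed tar of src and return the hash manifest taken at backup
    time. In practice the manifest is stored apart from the archive, on other media."""
    manifest = hash_tree(src)
    with tarfile.open(archive, "w") as tf:
        for p in sorted(src.rglob("*")):
            tf.add(p, arcname=p.relative_to(src).as_posix(), recursive=False)
    return manifest


def restore_and_verify(archive: Path, manifest: dict[str, str], dest: Path,
                       rto_seconds: float = RTO_SECONDS) -> dict:
    """Restore the archive into dest, then compare what landed against the manifest."""
    start = time.monotonic()
    with tarfile.open(archive, "r") as tf:
        try:
            tf.extractall(dest, filter="data")  # rejects path traversal and symlink escapes
        except TypeError:                       # Python builds without extraction filters
            tf.extractall(dest)
    restored = hash_tree(dest)
    elapsed = time.monotonic() - start
    missing = sorted(set(manifest) - set(restored))
    corrupt = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    return {
        "elapsed_seconds": elapsed,
        "within_rto": elapsed <= rto_seconds,
        "expected": len(manifest),
        "restored": len(restored),
        "missing": missing,
        "corrupt": corrupt,
        "passed": not missing and not corrupt and elapsed <= rto_seconds,
    }


def run_drill(simulate_corruption: bool = False) -> dict:
    """End-to-end drill on a constructed dataset. With simulate_corruption=True one
    payload byte in the archive is flipped before restore; tar checksums only its
    headers, so extraction still succeeds and only the manifest check catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, dest, archive = tmp / "src", tmp / "restore", tmp / "backup.tar"
        # Constructed sample data standing in for a practice's records; not real PHI.
        (src / "patients").mkdir(parents=True)
        (src / "patients" / "roster.csv").write_text("id,name\nMRN-0001,Sample Patient\n")
        (src / "config.ini").write_text("[db]\nhost=localhost\n")
        manifest = make_backup(src, archive)
        if simulate_corruption:
            raw = bytearray(archive.read_bytes())
            i = raw.find(b"MRN-0001")   # payload is stored verbatim in an uncompressed tar
            raw[i] ^= 0xFF
            archive.write_bytes(raw)
        return restore_and_verify(archive, manifest, dest)


if __name__ == "__main__":
    for label, flag in (("clean restore", False), ("corrupted archive", True)):
        r = run_drill(flag)
        print(f"{label}: passed={r['passed']} elapsed={r['elapsed_seconds']:.2f}s "
              f"missing={r['missing']} corrupt={r['corrupt']}")
```

Run it as a scheduled job against a real backup set and keep the returned dictionary as the drill record: the elapsed time is the number an auditor or insurer will ask for, and a `passed` of `False` with a non-empty `corrupt` list is exactly the failure a backup job's own "success" status never reports.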

MFA is incomplete

MFA on email is not enough. FTC Safeguards, CMMC, insurance carriers, and the proposed HIPAA Security Rule update all expect MFA on every system that accesses protected data, including remote access, VPN, and cloud applications.

No incident response plan

When a breach occurs, organizations without a written, tested incident response plan lose days to confusion. Those days translate directly into regulatory exposure and financial damage.

Vendor oversight is missing

HIPAA requires Business Associate Agreements. FTC Safeguards requires documented vendor oversight. Most organizations have neither for their critical IT vendors.

Our Approach

How We Deliver Compliance Differently

Most providers react when an audit is scheduled. We operate differently.

Controls First, Documentation Follows

We implement the actual technical controls, then generate documentation from the running environment. Auditors test reality, not binders.

Continuous Monitoring

Compliance posture is monitored year-round, with automated alerting when controls drift, rather than rushed into shape each quarter or whenever a renewal or audit approaches.

Multi-Framework Alignment

A single security program that satisfies HIPAA, CMMC, FTC Safeguards, and insurance requirements simultaneously. No duplicated effort.

Executive Reporting

Leadership receives clear, regular reporting on compliance status, risk posture, and remediation progress. No surprises during board reviews.


About the author

Ken Satkunam, CISM


President & Founder, NorthStar Technology Group

Ken has spent over 25 years in IT leadership, serving in roles from technical support to CIO for organizations as large as 23,000 employees. He founded NorthStar Technology Group in 2000 to help regulated organizations build secure, compliant, and operationally resilient technology environments. Ken holds the Certified Information Security Manager (CISM) credential from ISACA and is the co-author of the Amazon best-seller "Cyber Attack Prevention." He has been quoted in industry publications including eWeek and DM News, and NorthStar has been recognized on the Inc. 5000 list in both 2024 and 2025.


Start With a Compliance Readiness Review

If your organization operates under HIPAA, CMMC, FTC Safeguards, or cyber insurance requirements, the first step is understanding where you stand.