Cyberfox Security

(833) 463-6804

Compliance and 3rd Party Audits
We understand the burden associated with cybersecurity and regulatory compliance. Our mission is to take on that burden so you can focus on your business. This service helps clients understand and attain compliance. It can be similar in scope to the assessment types described above, but it focuses on the mandatory controls identified in one or more of the compliance groups below.

  • DoD Cybersecurity Maturity Model Certification (CMMC)
  • NIST SP 800-53
  • NIST SP 800-171
  • Massachusetts 201 CMR 17.00
  • Gramm-Leach-Bliley Act (GLBA)


The following information does not cover every compliance group that exists, nor does it provide full details for the groups listed below. We recommend consulting your legal team or counsel to determine which laws, regulations or other requirements your company is required to meet, or feel free to contact Cyberfox Security for additional information. We will be happy to assist.

Compliance groups at a glance (for each group: who it applies to, the issuing authority, the risk it addresses, and the penalties for non-compliance):

General Data Protection Regulation (GDPR)
  Applies to: Organizations located within and outside the European Union that offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the EU, regardless of the company's location.
  Authority: EU Council
  Risk addressed: Privacy of EU citizen data
  Penalties: Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher

Federal Information Security Management Act (FISMA) / NIST 800-53r4
  Applies to: U.S. government systems
  Authority: Legislature
  Risk addressed: Misuse of federal systems
  Penalties: Penalties already exist for not complying with acquisition clauses. By signing a contract and submitting an invoice, an organization agrees to comply with all clauses in the contract.

DFARS 252.204-7012 / NIST 800-171
  Applies to: Federal contractors processing Controlled Unclassified Information (CUI)
  Authority: Legislature
  Risk addressed: Protection of CUI residing in non-federal information systems and organizations
  Penalties: Penalties already exist for not complying with acquisition clauses. By signing a contract and submitting an invoice, an organization agrees to comply with all clauses in the contract.

Gramm-Leach-Bliley Act (GLBA)
  Applies to: Businesses that are "significantly engaged" in "financial activities" as described in section 4(k) of the Bank Holding Company Act, including those that provide financial, investment or economic advisory services, such as credit counselors, financial planners, tax preparers, accountants, and investment advisors
  Authority: Legislature
  Risk addressed: Privacy of financial data
  Penalties: Fines of up to $100,000 per violation, with fines for officers and directors of up to $10,000 per violation; criminal penalties of up to five years in prison; and the revocation of licenses

Health Information Portability & Accountability Act (HIPAA)
  Applies to: Covered entities and associates. This includes providers such as:
  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies
  • Others
  Authority: Statutory
  Risk addressed: Misuse of medical records
  Penalties: Up to $50,000 per violation, with an annual maximum of $1.5 million for civil violations; criminal violations of up to $250,000 and imprisonment up to 10 years

Massachusetts 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts
  Applies to: All persons or organizations that own or license personal information about a resident of the Commonwealth of Massachusetts
  Authority: Massachusetts Legislature
  Risk addressed: Ensuring the security and confidentiality of customer information
  Penalties:
  • Up to $50,000 per improper disposal
  • Maximum of $5,000 per violation

Payment Card Industry (PCI)
  Applies to: Processors of cardholder data
  Authority: Industry
  Risk addressed: Monetary losses due to credit card theft
  Penalties: The consequences of not being PCI compliant range from $5,000 to $500,000, levied by banks and credit card institutions