Client Results

Case Studies & Outcomes

Real GRC engagements, real results. Here's what we've helped organizations achieve across industries and frameworks.

  • Audit Pass Rate: 100%
  • Frameworks Implemented: 60+
  • Regulatory Fines for Active Clients: $0
  • Avg. ROI on Compliance Investment: 3.2x

Financial Services · FinTech

SOC 2 Type II Certification for a Series B Payment Platform

SOC 2 · Risk Management · Policy Build

The Challenge

A Series B payments platform needed SOC 2 Type II certification within 5 months to close an enterprise contract with a Fortune 500 client. They had no formal security program, no policies, and a scattered patchwork of controls across their AWS infrastructure.

What We Did

  • Full gap assessment against SOC 2 Trust Services Criteria
  • Built 22-policy library from scratch
  • Designed and implemented 47 technical and operational controls
  • Ran 8-week evidence collection program
  • Coordinated with Big 4 auditor through Type II observation period

The Outcome

SOC 2 Type II report issued with zero exceptions on first attempt. The company closed their enterprise contract, unlocking $2.1M in ARR. The GRC foundation built during this engagement continues to support ongoing compliance with zero major findings 18 months later.

  • Certification Timeline: 5 months
  • Audit Exceptions: 0
  • Contract Value Unlocked: $2.1M
  • Passed Certification: First Try

Healthcare · Regional Health System

HIPAA Security Rule Remediation for 3,200-Employee Health Network

HIPAA · Risk Assessment · Policy

The Challenge

Following an HHS OCR investigation triggered by a breach notification, a regional health system faced a corrective action plan with 18 mandated remediation items and a 12-month deadline. Their existing compliance team lacked the bandwidth and specialized GRC expertise to execute.

What We Did

  • Conducted full HIPAA Security Rule gap analysis across all 18 CAP items
  • Rebuilt risk analysis and risk management program per §164.308(a)(1)
  • Designed workforce training and sanctions policy program
  • Implemented business associate agreement management system
  • Prepared all CAP documentation for OCR submission

The Outcome

All 18 corrective action items resolved within 9 months — 3 months ahead of the OCR deadline. The resolution was accepted without additional investigation. The health system now operates with a sustainable HIPAA compliance program that has passed two subsequent internal audits.

  • Full Remediation (12 months required): 9 months
  • CAP Items Resolved: 18/18
  • Additional OCR Findings: 0

Defense · Government Contractor

CMMC Level 2 Readiness for a 120-Employee Defense Contractor

CMMC · NIST 800-171 · CUI Program

The Challenge

A mid-size defense contractor handling Controlled Unclassified Information (CUI) needed CMMC Level 2 certification to maintain eligibility for DoD contracts. They had an incomplete NIST 800-171 self-assessment score of 52 (out of 110) and no formal CUI program.

What We Did

  • NIST 800-171 practice-by-practice gap assessment
  • Built System Security Plan (SSP) and Plan of Action & Milestones (POA&M)
  • Designed and implemented CUI identification and handling program
  • Remediated 43 of 46 outstanding practices within engagement scope
  • Prepared organization for C3PAO third-party assessment

The Outcome

NIST 800-171 assessment score improved from 52 to 104. The contractor passed their CMMC Level 2 third-party assessment and retained their DoD contract portfolio. The CUI program built during our engagement is now a competitive differentiator when bidding new government contracts.

  • NIST 800-171 Score: 52 → 104
  • Assessment Passed: CMMC L2
  • DoD Contracts Retained: $8.4M

Ready to Write Your Success Story?

Every engagement starts with a free discovery call. Let's talk about your GRC challenges and what a successful outcome looks like for you.

Schedule a Discovery Call