Compliance frameworks can feel like alphabet soup, but underneath the acronyms, most of them are asking for the same basic things: know what data you have, control who can access it, and be able to prove it. Here's a plain-English breakdown of three of the most common frameworks SMBs run into.
HIPAA — healthcare data
If you handle protected health information (PHI) — even indirectly, as a business associate — HIPAA applies to you. At the IT level, this means access controls, encryption of PHI at rest and in transit, audit logging, and a documented risk assessment.
- Access controls tied to individual users, not shared logins
- Encryption for PHI in storage and in transit
- Regular, documented risk assessments
- Breach notification procedures
CMMC — defense contractors
The Cybersecurity Maturity Model Certification applies to businesses in the Department of Defense supply chain. It's built on NIST 800-171 and requires documented security controls across a wide range of domains, from access control to incident response.
- Formal system security plan (SSP)
- Multi-factor authentication on all access
- Incident response plan and testing
- Controlled unclassified information (CUI) handling procedures
PCI-DSS — payment card data
If you store, process, or transmit credit card data, PCI-DSS applies. The core idea is to minimize where card data lives and lock down everything around it — network segmentation, vulnerability scanning, and strict access control.
- Network segmentation around cardholder data
- Regular vulnerability scanning
- Strong access control and unique credentials
- Logging and monitoring of access to cardholder data
The common thread
Every framework above comes back to the same fundamentals: know your data, control access, monitor activity, and document everything. Build IT operations around those fundamentals and most compliance work becomes a documentation exercise, not a scramble.
Where Crossguard fits in
Our Command tier builds compliance alignment directly into how we manage your environment — gap assessments, policy development, and audit-ready documentation, without hiring a separate compliance consultant.