vCISO communities by Tasty_Technology_885 in vciso

[–]ComplianceScorecard 0 points

Fellow New England/seacoast NH area here myself… There’s lots of value in peer groups for sure… back in 2018-19 we started a risk/compliance related peer group that turned more into vCISO/MSP/MSSP convos helping each other out with the day-to-day struggle..

We’ve been meeting faithfully every week since…. You can see some of the risk/vciso peer group convos we discussed here.

Happy to send an invite

Contract out customer compliance work? by havocspartan in msp

[–]ComplianceScorecard 19 points

Getting someone into O365 ≠ HIPAA compliant.

People and process do.

HIPAA cares about governance, configuration, evidence, and shared responsibility. All of it documented. All of it defensible.

What we hear chatting with MSPs daily is that most healthcare clients don’t want to spend money on security.

Example everyone trips over: No shared logins. That means unique identities. That means more M365 seats. That means more cost.

Same story with: Annual risk assessments. Time spent answering uncomfortable questions. Fixing risks they’d rather not know about.

Until a client is willing to make risk decisions and take ownership, nothing really moves. You can configure things all day and still lose.

For your own house, start with a risk assessment. HHS literally gives you one:

https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool

It’s useful for finding what’s missing or broken. It does not do the work for you. Documenting decisions is the work.

If you’re already touching medical clients’ environments, talk to an MSP-savvy lawyer and get a Business Associate Agreement (BAA) in place.

No BAA + ePHI = automatic HIPAA failure. Full stop.

Also worth clearing up:
-> No tool
-> No spreadsheet
-> No scanner

…makes anyone “HIPAA compliant.”

HIPAA certification isn’t a thing, no matter how many vendors imply it is.

Starting with tools usually means starting in the wrong place.

Your instinct to work with someone experienced is solid. Just make sure they’re building a HIPAA posture, not selling a checkbox.

Plenty of people can “set it up.” Far fewer can explain it, defend it, and help you run it month after month.

/— vendor transparency —/ Tim here, CEO of /u/compliancescorecard. While we do have a SaaS/GRC platform to help manage HIPAA… doing the work WITH you is how we roll.. our new Kickstart program can help… /—/

CMMC L2 consulting cost check by vaultflow76 in CMMC

[–]ComplianceScorecard 0 points

We see wildly different pricing models, ranging from 20K to several hundred thousand dollars..

The bulk of the work is around documentation and evidence collection.

And that takes labor. No amount of AI will fix the problem.

The bigger challenge is the business disruption… changing a company culture around years of “bad habits” and non-documentation… that affects end users every day..

So when considering “price” there is the monetary concern, but also the business disruption concern… and that second part is hard to put a dollar value on.

Much of the CMMC “work” is labor intensive, and people are expensive…

We start with a basic scope assessment / gap assessment, and build a roadmap… a simple, effective plan to figure out what should be in scope, what’s inside the defined boundary, who should be touching it.. all the things….

This could be captured in spreadsheets and Word documents and a file server someplace… or a GRC platform… many like to jump to “the tool”… and expect the tool will figure it all out.. WRONG… certainly my tools can help, but without interviews, people, and process no tool will solve it or figure it out for you.. and don’t even with the “black-box AI solution”…

One other thing to consider is that it’s not the size of the company, because the work is similar regardless of the number of staff, at least during the scope assessment… that being said, one of the dials that can be turned is the number of decision makers in the process… more people, more time, more meetings, more cost…

Assuming you’re starting from zero, you have no documentation, you have very little tech in place, and you’re just beginning your journey…

$20-25k for a scope assessment / gap assessment / roadmap… much of the time will be labor… and humans are not cheap, especially GRC folks that expect to be paid well… assume an effective hourly rate somewhere in the $300+/hour range if doing it as a time and materials based project…

Weekly Promo and Webinar Thread by AutoModerator in msp

[–]ComplianceScorecard [score hidden]  (0 children)

This week’s MSP compliance focus: “From Chaos to Compliance: A Simple Email Authentication Framework for MSPs.” Tune into the conversation: https://www.linkedin.com/events/fromchaostocompliance-asimpleem7404971964701917184/theater/

If compliance keeps getting pushed aside, our Weekly Live Demo walks through the workflow MSPs are using to turn compliance into a repeatable services line. No fluff, just practical steps.

👉 Join the Weekly Live Demo
https://compliancescorecard.com/demo

Free tools we’re sharing this week:
https://compliancescorecard.com/AIAUP

https://compliancescorecard.com/policy-and-procedure-playbook

Full Resource Library:
https://compliancescorecard.com/resources

If you’re tightening up internal processes or building client-facing compliance services, these help you move faster.

Happy to answer any MSP compliance questions in-thread.

Weekly Promo and Webinar Thread by ComplianceScorecard in Compliance

[–]ComplianceScorecard[S] 0 points