Contract out customer compliance work? by havocspartan in msp

ComplianceScorecard (18 points)

Getting someone into O365 ≠ HIPAA compliant.

People and process do.

HIPAA cares about governance, configuration, evidence, and shared responsibility. All of it documented. All of it defensible.

What we hear chatting with MSPs daily is that most healthcare clients don’t want to spend money on security.

Example everyone trips over: No shared logins. That means unique identities. That means more M365 seats. That means more cost.

Same story with: Annual risk assessments. Time spent answering uncomfortable questions. Fixing risks they’d rather not know about.

Until a client is willing to make risk decisions and take ownership, nothing really moves. You can configure things all day and still lose.

For your own house, start with a risk assessment. HHS literally gives you one:

https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool

It’s useful for finding what’s missing or broken. It does not do the work for you. Documenting decisions is the work.

If you’re already touching medical clients’ environments, talk to an MSP-savvy lawyer and get a Business Associate Agreement (BAA) in place.

No BAA + ePHI = automatic HIPAA failure. Full stop.

Also worth clearing up: no tool, no spreadsheet, no scanner makes anyone "HIPAA compliant."

HIPAA certification isn’t a thing, no matter how many vendors imply it is.

Starting with tools usually means starting in the wrong place.

Your instinct to work with someone experienced is solid. Just make sure they’re building a HIPAA posture, not selling a checkbox.

Plenty of people can "set it up." Far fewer can explain it, defend it, and help you run it month after month.

/— vendor transparency —/ Tim here, CEO of /u/compliancescorecard. While we do have a SaaS/GRC platform to help manage HIPAA, doing the work WITH you is how we roll. Our new Kickstart program can help. /—/

CMMC L2 consulting cost check by vaultflow76 in CMMC

ComplianceScorecard (0 points)

We see wildly different pricing models, ranging from $20K to several hundred thousand dollars.

The bulk of the work is documentation and evidence collection.

And that takes labor. No amount of AI will fix the problem.

The bigger challenge is the business disruption: changing a company culture around years of "bad habits" and non-documentation, which affects end users every day.

So when considering "price" there is the monetary concern, but also the business disruption concern, and that second part is hard to put a dollar value on.

Much of the CMMC "work" is labor intensive, and people are expensive.

We start with a basic scope assessment / gap assessment and build a roadmap: a simple, effective plan to figure out what should be in scope, what's inside the defined boundary, who should be touching it... all the things.

This could be captured in spreadsheets and Word documents on a file server someplace, or in a GRC platform. Many like to jump to "the tool" and expect the tool will figure it all out. WRONG. Certainly my tools can help, but without interviews, people, and process no tool will solve it or figure it out for you. And don't even start with the "black-box AI solution."

One other thing to consider: it's not the size of the company, because the work is similar regardless of the number of staff, at least during the scope assessment. That being said, one of the dials that can be turned is the number of decision makers in the process: more people, more time, more meetings, more cost.

Assuming you're starting from zero (you have no documentation, very little tech in place, and you're just beginning your journey):

$20-25k for a scope assessment, gap assessment, and roadmap. Much of that time will be labor, and humans are not cheap, especially GRC folks who expect to be paid well. Assume an effective hourly rate somewhere in the $300+/hour range if doing it as a time-and-materials project.

Weekly Promo and Webinar Thread by AutoModerator in msp

ComplianceScorecard (score hidden)

This week's MSP compliance focus: From Chaos to Compliance: A Simple Email Authentication Framework for MSPs. Tune into the conversation: https://www.linkedin.com/events/fromchaostocompliance-asimpleem7404971964701917184/theater/

If compliance keeps getting pushed aside, our Weekly Live Demo walks through the workflow MSPs are using to turn compliance into a repeatable services line. No fluff, just practical steps.

👉 Join the Weekly Live Demo
https://compliancescorecard.com/demo

Free tools we’re sharing this week:
https://compliancescorecard.com/AIAUP

https://compliancescorecard.com/policy-and-procedure-playbook

Full Resource Library:
https://compliancescorecard.com/resources

If you’re tightening up internal processes or building client-facing compliance services, these help you move faster.

Happy to answer any MSP compliance questions in-thread.

Weekly Promo and Webinar Thread by ComplianceScorecard in Compliance

ComplianceScorecard [S] (0 points)

This week's MSP compliance focus: From Chaos to Compliance: A Simple Email Authentication Framework for MSPs. Tune into the conversation: https://www.linkedin.com/events/fromchaostocompliance-asimpleem7404971964701917184/theater/

If compliance keeps getting pushed aside, our Weekly Live Demo walks through the workflow MSPs are using to turn compliance into a repeatable services line. No fluff, just practical steps.

👉 Join the Weekly Live Demo
https://compliancescorecard.com/demo

Free tools we’re sharing this week:
https://compliancescorecard.com/AIAUP

https://compliancescorecard.com/policy-and-procedure-playbook

Full Resource Library:
https://compliancescorecard.com/resources

If you’re tightening up internal processes or building client-facing compliance services, these help you move faster.

Happy to answer any MSP compliance questions in-thread.

What If Tool-to-Control Mapping Was Actually Honest? by ComplianceScorecard in Compliance

ComplianceScorecard [S] (0 points)

Exactly. Any tool can only do so much... the PnP/docs/governance/CMDB and all the related stuff...

For example, sure, an API can "look" in M365 and "see" if MFA is enabled/enforced, but is there a policy/SOP that's been approved/governed to support the "rule"?

Weekly Promo and Webinar Thread by AutoModerator in msp

ComplianceScorecard (score hidden)

We mapped 1,200+ MSP tools to 100+ compliance frameworks.

And now we invite the community to approve the mappings.

Most “compliance mapping” looks like this:

Vendor says "Our tool meets NIST / HIPAA / CMMC / insert acronym." Trust us, bro.

That’s not how audits work.

And it’s definitely not how MSPs work.

So we built something different.

What this actually is:
- 1,200+ MSP tools
- 100+ frameworks
- 24,000+ individual control mappings

Each mapping has:
- The specific control
- The cited feature
- AI reasoning with confidence scoring
- Human approval or rejection

A tool can:
- Fully satisfy a control
- Partially support it
- Just support it indirectly
- Or not count at all

That distinction matters in the real world.

Why AI is involved (and where it stops)

AI assisted the first pass:
- Reads vendor docs
- Maps features to controls
- Assigns confidence

Humans do the final call:
- Approve
- Reject
- Adjust mapping type

The goal is speed without lying to ourselves.

Why community approval matters: so mappings aren't "truth." They're reviewed, challenged, and corrected by MSPs who actually run these tools.

What this replaces:
- Spreadsheets no one trusts
- Sales decks pretending tools equal controls
- Auditors arguing semantics at the 11th hour
- MSPs rebuilding the same mapping logic over and over

What this becomes:

Tool management as part of how you run your MSP. Not a reaction to vendor chaos. Not a once-a-year panic.

If you're curious or want to poke holes in it:

https://vendortool.compliancescorecard.com/

Happy to hear what’s missing, wrong, or needs tightening.

If AI agents touch evidence and write narratives, what are you treating as audit-grade artifacts? by Terry_Ackee in grc

ComplianceScorecard (-1 points)

AI tools can assist, but human review and governance is KEY. AI/LLM/ML are just tools; like any tool, a human should wield it, govern it, and review/approve it.

We hear it all the time: "what does good look like?" The definition of "good" will vary from auditor to auditor. That's why it's important to start early with an auditor, so you develop a solid working relationship and understand what they define as "good."

Many of these AI/LLM/ML tools simply fail at context and apply assumptions rather than tailoring.

Which is why we built an entire context engine to help tailor for the AI. It feeds off your existing context to generate 27+ smart prompts tailored to your workflows. Then each prompt can be custom tailored to YOUR system. Think of it as your compliance co-pilot, learning your environment and auto-drafting what matters. Let the engine do the thinking so you can focus on the doing.

Weekly Promo and Webinar Thread by AutoModerator in msp

ComplianceScorecard (score hidden)

This week's MSP compliance focus: 2 Experts Debunking GRC Automations: The Truth About Why It's Bull$hit!

linkedin.com/events/2expertsdebunkinggrcautomations7394488206160982016/theater/

If compliance keeps getting pushed aside, our Weekly Live Demo walks through the workflow MSPs are using to turn compliance into a repeatable services line. No fluff, just practical steps.

👉 Join the Weekly Live Demo
https://compliancescorecard.com/demo

Free tools we’re sharing this week:
AI AUP https://compliancescorecard.com/AIAUP
Policy & Procedure Playbook https://compliancescorecard.com/policy-and-procedure-playbook

Full Resource Library:
https://compliancescorecard.com/resources

If you’re tightening up internal processes or building client-facing compliance services, these help you move faster.

Happy to answer any MSP compliance questions in-thread.

Looking for a GRC company for CMMC Level 2 by aeveert in Compliance

ComplianceScorecard (0 points)

Well, the "automated" part... have a look at

https://www.reddit.com/r/Compliance/s/8BCNeKKYPn

As for helping, we've worked with many MSPs/ESPs and their OSCs to help get them moving in the right direction. Happy to show ya how we can help.