Security & Compliance

Our commitment to maintaining rigorous security standards and continuously improving our compliance posture.

Our Approach

At Voss Alan, we maintain an ongoing commitment to information security and regulatory compliance. We implement industry-standard frameworks, conduct regular risk assessments, and continuously improve our security posture to protect client data and maintain operational integrity.

We believe in transparency about our compliance journey. Below, we outline our current status across key frameworks, our implemented controls, and our roadmap for formal third-party attestation.

Compliance Frameworks

NIST Cybersecurity Framework (CSF 2.0)

Aligned & Implementing

We have aligned our cybersecurity program with the NIST Cybersecurity Framework, implementing controls across all five core functions:

  • Identify: Asset management, risk assessment, and governance policies
  • Protect: Access controls, data security, training programs, and protective technology
  • Detect: Continuous monitoring, logging, and anomaly detection
  • Respond: Incident response planning and communications procedures
  • Recover: Recovery planning and continuous improvement processes

Current Status: We meet requirements for NIST CSF Low-Impact baseline and are actively implementing controls to achieve higher maturity levels across all functions.

HIPAA (Health Insurance Portability and Accountability Act)

Self-Assessment Complete • Continuous Improvement

We have conducted a comprehensive HIPAA compliance self-assessment and maintain administrative, physical, and technical safeguards aligned with HIPAA Security and Privacy Rules when handling Protected Health Information (PHI) as a Business Associate.

Implemented Controls:

  • Risk assessment and management program
  • Access controls and user authentication
  • Encryption for data at rest and in transit
  • Audit logging and monitoring
  • Breach notification procedures
  • Employee training and awareness programs
  • Business Associate Agreements (BAAs) with vendors

Important Note: The U.S. Department of Health & Human Services (HHS) does not offer formal "HIPAA certification." We represent our internal compliance program based on documented policies, procedures, and controls aligned with HIPAA requirements. We conduct regular risk assessments and maintain ongoing compliance monitoring.

SOC 2 (Service Organization Control 2)

Readiness Assessment In Progress

We are actively conducting a SOC 2 readiness self-assessment and have documented controls aligned with the AICPA Trust Services Criteria. Our control framework addresses:

  • Security: Information and systems are protected against unauthorized access
  • Availability: Systems are available for operation and use as committed
  • Confidentiality: Confidential information is protected as committed
  • Processing Integrity: System processing is complete, valid, accurate, and authorized
  • Privacy: Personal information is collected, used, retained, and disclosed appropriately

Next Steps: We are preparing for formal SOC 2 Type II audit engagement with an accredited third-party auditor. We will update this page when attestation is achieved.

Core Security Practices

Foundational controls we maintain across all client engagements

Access Control & Authentication

  • Multi-factor authentication (MFA) required
  • Role-based access control (RBAC)
  • Principle of least privilege
  • Regular access reviews and audits

Data Protection

  • Encryption at rest and in transit (TLS 1.3)
  • Secure data handling and classification
  • Data retention and disposal policies
  • Regular backup and recovery testing

Monitoring & Response

  • 24/7 security monitoring and logging
  • Incident response procedures
  • Vulnerability scanning and patch management
  • Security event alerting and escalation

Governance & Training

  • Security policies and procedures documentation
  • Annual security awareness training
  • Vendor risk management program
  • Regular policy reviews and updates

Government Contracting

Voss Alan is registered with the System for Award Management (SAM) and maintains an active CAGE Code for federal contracting opportunities.

CAGE Code: 9NFU7

CMMC Roadmap: We are preparing for Cybersecurity Maturity Model Certification (CMMC) requirements and will pursue formal assessment as DoD contract opportunities arise.

Continuous Improvement Commitment

Security and compliance are not one-time achievements—they require ongoing vigilance and improvement. We are committed to:

  • Conducting regular risk assessments and control reviews
  • Advancing our NIST CSF maturity to higher implementation tiers
  • Pursuing formal SOC 2 Type II attestation
  • Preparing for CMMC assessment when required for DoD contracts
  • Staying current with evolving security threats and best practices
  • Maintaining transparency with clients about our compliance posture

Questions About Our Security Posture?

We're happy to discuss our security controls, compliance status, and roadmap in detail.