Security & Compliance

Security and compliance built into the systems we design, deploy, and operate.

Our Approach

Security and compliance are built into the systems we design, deploy, and operate — not treated as a separate layer. Our approach integrates security practices directly into infrastructure, application development, and ongoing operations.

We believe in transparency about our compliance journey. Below, we outline our current status across key frameworks, our implemented controls, and our roadmap for formal third-party attestation.

Compliance Frameworks

NIST Cybersecurity Framework (CSF 2.0)

Aligned & Implementing

We have aligned our cybersecurity program with the NIST Cybersecurity Framework, implementing controls across all five core functions:

  • Identify: Asset management, risk assessment, and governance policies
  • Protect: Access controls, data security, training programs, and protective technology
  • Detect: Continuous monitoring, logging, and anomaly detection
  • Respond: Incident response planning and communications procedures
  • Recover: Recovery planning and continuous improvement processes

Current Status: We meet requirements for NIST CSF Low-Impact baseline and are actively implementing controls to achieve higher maturity levels across all functions.

HIPAA (Health Insurance Portability and Accountability Act)

Operating with controls aligned to HIPAA Security and Privacy requirements

We implement and operate controls aligned to HIPAA requirements and support clients in maintaining compliant environments, including execution under Business Associate Agreements (BAAs) when required.

HIPAA-aligned environments are implemented and operated as part of our engagements, not treated as a separate compliance layer. Compliance responsibility remains with the covered entity unless explicitly contracted.

Implemented Controls:

  • Risk assessment and management program
  • Access controls and user authentication
  • Encryption for data at rest and in transit
  • Audit logging and monitoring
  • Breach notification procedures
  • Employee training and awareness programs
  • Business Associate Agreements (BAAs) with vendors

Important Note: The U.S. Department of Health & Human Services (HHS) does not offer a formal "HIPAA certification." We describe our internal compliance program in terms of documented policies, procedures, and controls aligned with HIPAA requirements. We conduct regular risk assessments and maintain ongoing compliance monitoring.

SOC 2 (Service Organization Control 2)

Readiness Assessment In Progress

We are actively conducting a SOC 2 readiness self-assessment and have documented controls aligned with the AICPA Trust Services Criteria. Our control framework addresses:

  • Security: Information and systems are protected against unauthorized access
  • Availability: Systems are available for operation and use as committed
  • Confidentiality: Confidential information is protected as committed
  • Processing Integrity: System processing is complete, valid, accurate, and authorized
  • Privacy: Personal information is collected, used, retained, and disclosed appropriately

Next Steps: We are preparing for formal SOC 2 Type II audit engagement with an accredited third-party auditor. We will update this page when attestation is achieved.

Security in Practice

Foundational controls we implement and operate across all client engagements.

We leverage integrated security platforms, monitoring systems, and governance frameworks as part of our delivery model, aligning environments to industry requirements where applicable.

Access Control & Authentication

  • Multi-factor authentication (MFA) required
  • Role-based access control (RBAC)
  • Principle of least privilege
  • Regular access reviews and audits

Data Protection

  • Encryption at rest and in transit (TLS 1.3)
  • Secure data handling and classification
  • Data retention and disposal policies
  • Regular backup and recovery testing

Monitoring & Response

  • 24/7 security monitoring and logging
  • Incident response procedures
  • Vulnerability scanning and patch management
  • Security event alerting and escalation

Governance & Training

  • Security policies and procedures documentation
  • Annual security awareness training
  • Vendor risk management program
  • Regular policy reviews and updates

Government Contracting

Voss Alan is registered with the System for Award Management (SAM) and maintains an active CAGE Code for federal contracting opportunities.

CAGE Code: 9NFU7

CMMC Roadmap: We are preparing for Cybersecurity Maturity Model Certification (CMMC) requirements and will pursue formal assessment as DoD contract opportunities arise.

Compliance & Execution Model

We align environments to industry frameworks and support clients in achieving and maintaining compliance. Formal compliance ownership remains with the client organization unless explicitly contracted.

These controls are implemented and operated as part of our engagements — not provided as standalone advisory.

Our security and compliance capabilities are expanding as part of our managed security and compliance offering. We are committed to:

  • Conducting regular risk assessments and control reviews
  • Advancing NIST CSF maturity to higher implementation tiers
  • Pursuing formal SOC 2 Type II attestation
  • Preparing for CMMC assessment when required for DoD contracts
  • Staying current with evolving security threats and best practices
  • Maintaining transparency with clients about our compliance posture

Questions About Our Security Posture?

We discuss our security controls, compliance status, and roadmap in detail with prospective clients.

Contact Us