IT Compliance Services

HIPAA, NIST/CMMC, SOC 2, and cyber-insurance controls — built, operated, and documented to survive an audit.

Regulated industries don’t just need IT that works — they need IT that survives an audit. ArcLight Group helps Tulsa-area businesses align with HIPAA, NIST 800-171 / CMMC, SOC 2, and cyber-insurance requirements using the same concrete, auditable controls our own SOC 2 Type 1 engagement demanded.

Frameworks we work with

  • HIPAA / HITECH — encryption at rest & in transit, access controls, audit logging, Business Associate Agreements, breach notification procedures.
  • NIST 800-171 & CMMC — the 110 controls required for DoD contractors. We map your current environment, identify gaps, and build a prioritized remediation roadmap.
  • SOC 2 — Type 1 and Type 2 readiness for SaaS and service companies. We’ve been through it ourselves, so we know which controls auditors actually test.
  • Cyber insurance renewal — insurers now require MFA, EDR, backup isolation, and a documented incident response plan. We map your renewal questionnaire to real configurations.
  • PCI-DSS — network segmentation and endpoint controls for Oklahoma businesses taking card payments.

What the controls look like in practice

Every framework above boils down to roughly the same handful of technical controls. If you implement these well, most audits become a paperwork exercise rather than a remediation crisis.

  • Multi-factor authentication enforced on every user, every application, every network edge — with phishing-resistant methods for admins.
  • Endpoint Detection & Response (EDR) monitored 24/7, not just antivirus.
  • Immutable, tested backups — an encrypted copy attackers can’t delete, verified by a quarterly restore drill.
  • Least-privilege access — separate admin accounts, documented access reviews, and auto-disabling for terminated users.
  • Encryption at rest on every laptop and server, and in transit across every link.
  • Audit logging centralized and retained for the period your framework requires (90 days to 7 years).
  • Written incident response plan — who declares, who contacts insurance, who powers down what, and the Oklahoma breach notification timeline.

How we work with compliance clients

1. Free 27-point assessment

A certified engineer reviews your environment against the framework you’re targeting. You receive a written gap analysis with prioritized recommendations — whether or not you hire us.

2. Remediation roadmap

We lay out what to fix immediately (audit-blockers), what to fix this quarter (cost savings and risk reduction), and what can wait. Everything is mapped back to specific framework controls.

3. Ongoing managed compliance

Monthly retained support covering help desk, proactive maintenance, quarterly access reviews, annual policy updates, and evidence collection your auditor can drop straight into their workpapers.

ArcLight Group is SOC 2 Type 1 certified. We’ve sat on your side of the audit table — so we know exactly which controls examiners test, which “nice-to-have” policies are actually non-negotiable, and which vendor questionnaire answers they’ll push back on.

Who this is for

  • Medical practices, dental offices, and specialty clinics preparing for OCR HIPAA audits.
  • Oklahoma manufacturers and DoD subcontractors working toward CMMC Level 2.
  • SaaS and professional services firms going through SOC 2 for the first time.
  • Any business whose cyber-insurance renewal questionnaire just got 3× longer.
  • Law firms and financial services firms where client-confidentiality rules drive the same technical controls as HIPAA/SOC 2.

Ready to move forward?

Two hours with a real engineer. A written report. Zero obligation, zero sales pitch.

No hard sell. No obligation. Month-to-month after — cancel anytime.