惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

GbyAI
GbyAI
爱范儿
爱范儿
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
月光博客
月光博客
腾讯CDC
Last Week in AI
Last Week in AI
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园_首页
量子位
博客园 - 聂微东
Jina AI
Jina AI
小众软件
小众软件
The Cloudflare Blog
有赞技术团队
有赞技术团队
V
V2EX
博客园 - 司徒正美
Apple Machine Learning Research
Apple Machine Learning Research
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
大猫的无限游戏
大猫的无限游戏
博客园 - 三生石上(FineUI控件)
WordPress大学
WordPress大学
阮一峰的网络日志
阮一峰的网络日志
B
Blog
MongoDB | Blog
MongoDB | Blog
L
LangChain Blog
宝玉的分享
宝玉的分享
C
Check Point Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
IT之家
IT之家
N
Netflix TechBlog - Medium
I
InfoQ
J
Java Code Geeks
S
SegmentFault 最新的问题
V
Visual Studio Blog
Microsoft Security Blog
Microsoft Security Blog
博客园 - 叶小钗
D
DataBreaches.Net
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
B
Blog RSS Feed
S
Schneier on Security
Webroot Blog
Webroot Blog
P
Proofpoint News Feed
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
T
Threatpost
Project Zero
Project Zero
Scott Helme
Scott Helme
C
CERT Recently Published Vulnerability Notes
P
Privacy International News Feed
T
The Exploit Database - CXSecurity.com
D
Darknet – Hacking Tools, Hacker News & Cyber Security

Todyl Blog

CyberChef: How to Decode & Decrypt Malicious Scripts (Step-by-Step Guide) Achieving Zero Trust with SASE: A Practical Roadmap for Modern Network Securityso like MSP Security Maturity Assessment: Why 79% of MSPs Are Stuck in 2025 The Rising Threat of Malicious AI: What Every Organization Needs to Know Iran Cyber Threat 2026: What SMBs and MSPs Need to Know The OneStart AI Browser Deception Cyber Insurance Requirements Based on Industry Why Third-Party Security Certification Is Your MSP's Competitive Edge Why Cyber Insurance Carriers Are Shifting to Security Assurance Iran Conflict and Cyber Risk: What North American Organizations Need to Know ‍ Why Cyber Resilience Requires Security, Compliance, and Insurance MSP Security Services: How to Position Identity Protection as Competitive Advantage Identity Security Gap Assessment: A Step-by-Step Guide for MSPs How Credential Theft Attacks Are Costing MSP Clients Millions Do I Need Cyber Insurance as a Small Business? Advanced Persistent Threats (APTs) Explained Preparing for CMMC Level 1: What Your Organization Needs to Do The Real Cost of Doing Nothing in Cybersecurity MSP Security: Build vs Buy SOC The Rise of a Cybercrime Alliance: What LockBit, Qilin, and DragonForce Mean for Business Risk Cyber Threat Recovery Strategies for MSPs What MSPs Need to Know about CIRCIA Final Rule ClickFix: The Evolution of Copy-Paste Social Engineering Akira Ransomware: Threat Assessment of a Scalable RaaS Operation The Dos and Don’ts of Applying for a Cyber Insurance Policy What Is Threat Hunting? A Practical Guide for MSPs and SMBs The Business Case for Cyber Threat Management Evaluating Free and Open Source SIEM Tools in 2026 How organizations can combat BEC Using SASE to help meet cyber insurance requirements Introducing the Anomaly Framework Stopping Identity Threats with ITDR through MXDR Security Operations Over Tools Beyond Tools: A Strategic Approach to Data Security Cyber Threat Response Strategies for MSPs Threat Advisory: Email Account Compromise BECs In the Wild: When Millions of People Are Expecting the Same Email Michigan and Wisconsin Proposed Age Verification Bills and the Impact on VPNs and SASE: What You Need to Know Cyber Threat Detection Strategies for MSPs Cyber Threat Prevention Strategies for MSPs Simplifying CMMC Level 1 with Todyl GRC How to Complete Your CMMC Level 1 Self-Assessment: A Step-by-Step Walkthrough Cyber Threats Don't Take Time Off How MSPs Build Lasting Client Relationships Through Proactive Operations Risk Management for MSPs: Why Business Context Changes Everything 5 Pillars for Security Program Growth in 2025 One Action MSPs can take to Address Risk and Secure Clients Building Resilience in a Perimeter-less World with Defense-in-Depth Aligning Technology Implementation to Business Outcomes Top 5 Myths about Cybersecurity How Conditional Access Transforms Your Cybersecurity Program Why MSPs need to embrace a prescriptive model How Texas SB 2610 Positions MSPs as Strategic Risk Advisors Simplifying cybersecurity maturity with managed cloud SIEM Addressing firewall vulnerabilities Understanding the Pitfalls of RDP MSP Zero-Day Response Plan: When Security Tools Can't Help You Old is Gold: Tackling Persistent Vulnerabilities How MXDR drives operational efficiencies Using SASE for secure remote access How to find the best endpoint security solution The Cyber Insurance Crisis: Why MSPs and Their Clients Are Struggling What to ask of a prospective endpoint security vendor Thinking Red, Acting Blue: Turning Attack Tactics in Your Favor Zero-Day Attacks and False Alarms: Lessons for MSPs Dissecting the Recent Rise in 2025 Zero Days MSP Security Monitoring Strategy: Identity and Cloud Blind Spots Introducing the Todyl Community: A Collaborative Platform for MSPs Threat Advisory: PDFast Freeware Compromise Navigating Today’s Cybersecurity Threat Landscape: Where MSPs Should Start Threat Advisory: Understanding the Recent SonicWall SSL VPN Vulnerability and How to Protect Your Clients Partner Spotlight: GoTech IT Solutions Threat Advisory: SQL Injection in FortiClient CVE-2023-48788 The Importance of SSL Inspection Making the most of SASE Web Filtering Iran & Middle-East Geopolitical Shifts: Emerging Cyber Risks for SMBs MSP Security KPIs That Matter: Beyond Vanity Metrics to Business Outcomes MSP Challenges Looking into 2025 Combining EDR and NGAV for Defense-in-Depth Starting Your Security Framework Journey: A Practical Implementation Guide Cyber Insurance vs. Warranties: Key Risk Management Elements Akira Ransomware: A Persistent Threat to MSP Operations Transforming Cyber Insurance for MSPs and Their Clients Two Truths, Double Whammy: Why Vulnerability Remediation Needs a Rethink Using LAN ZeroTrust for segmentation The role of SIEM in incident response Partner Spotlight: 917 Solutions Threat Advisory: Business Email Compromise Campaign using OVPN for Obfuscation Beyond Implementation: Creating an Ongoing Security Framework Program ClickFix: Fake Captcha Leads to Real Damage Streamlining Security and Compliance Information Gathering with Assessments EpiBrowser: A Sophisticated PUP Masquerading as Chromium Partner Spotlight: AnchorSix Tips to Help MSPs Set Goals for the New Year How SIEM helps detect insider threats Massive Wave of Network Security Vulnerabilities Demands Immediate Action FortiJump: The FortiManager Zero-Day Vulnerability Explained Use cases of SASE: Software-defined perimeter Threat Advisory: LightPerlGirl Malware Why MSPs Must Prioritize CIS Critical Security Controls v8.1 for Client Success
Navigating Compliance Frameworks: Common Challenges and Effective Solutions
Andrew Scott · 2026-01-09 · via Todyl Blog

Compliance is no longer optional: for most companies, it’s a critical requirement. Organizations across many different industries and countries must demonstrate adherence to regulatory frameworks, many of which demand robust cybersecurity measures. As an MSP, you’re the one responsible for guiding clients through these frameworks. Not only must you effectively implement their security programs, but you must also prepare them for audits.

Yet, meeting these standards is often easier said than done. Compliance frameworks require technical depth, continuous monitoring in real time, and the ability to map security controls to specific requirements. For MSPs, the complexity compounds given the fact that many clients fall under scope for more than one framework.

Thankfully, governance, risk, and compliance (GRC) solutions provide a way to streamline compliance management across multiple clients at scale. But, before exploring some real world examples, let's first detail several prominent frameworks, their requirements, and potential difficulties.

The Weight of Compliance Frameworks on Security Programs

Compliance frameworks extend far beyond paperwork, placing real demands on how organizations structure their cybersecurity programs. Organizations must implement, test, and document controls in a way that can withstand external audit scrutiny. For MSPs, this means not only deploying security technologies but also proving they align with framework-specific requirements.

In addition, frameworks often require organizations to demonstrate security maturity over time. Auditors require ongoing evidence of patch management, incident response readiness, or user access reviews across multiple months or years. These requirements move compliance out of the realm of “one-time projects” and into the continuous discipline of GRC. Without clear processes and tooling, maintaining this level of readiness is difficult for organizations of any size.

Prominent Compliance Frameworks and Their Requirements

Center for Internet Security (CIS) Controls v8.1

Many experts recognize CIS Controls as one of the most practical sets of cybersecurity best practices available today. Unlike regulatory requirements, CIS is a prescriptive framework that any organization can follow adopt to strengthen their defenses. Version 8.1 reflects the latest evolution of these controls, designed to combat the most pervasive, real-world cyber threats.

What makes CIS particularly important is its tiered, priority-driven model. The framework organizes 18 control families into “Implementation Groups.” These allow organizations to scale their adoption based on their resources and risk profile.

From asset management to incident response, CIS provides a roadmap that directly ties security activities to threat reduction. For MSPs, CIS provides a starting point for clients with limited budgets while remaining relevant for more mature organizations. It also gives a platform from which MSPs can build consistency into their cybersecurity operations across every tenant.

NIST Cybersecurity Framework (CSF)

Initially developed for U.S. critical infrastructure, the NIST Cybersecurity Framework (CSF) is one of the most widely adopted cybersecurity models worldwide. It organizes cybersecurity practices into five core functions: Identify, Protect, Detect, Respond, and Recover.

Rather a requirement checklist, NIST CSF provides a structure for organizations to iterate on their cybersecurity maturity over time. As such, many organizations use NIST CSF as a baseline to align with other frameworks. It also create a method to communicate the evolution of cybersecurity posture to executives and stakeholders. For MSPs, CSF provides a common language for discussing risk and resilience with clients and government agencies.

NIST Special Publication (SP) 800-171

NIST SP 800-171 is a standard that sets specific requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems. For federal contractor organizations, where safeguarding CUI is a prerequisite for doing business, NIST SP 800-171 is imperative.

The framework contains 110 security requirements organized into 14 control families, covering everything from access control to system integrity. What makes NIST SP 800-171 important is its direct linkage to federal contracts, serving as a baseline for CMMC requirements.

Cybersecurity Maturity Model Certification (CMMC)

The U.S. Department of Defense developed the Cybersecurity Maturity Model Certification (CMMC) to protect sensitive information within the defense supply chain. Unlike voluntary frameworks like CIS v8.1, CMMC is mandatory for contractors and subcontractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Many CMMC requirements map directly to NIST SP 800-171, demanding contractors to implement specific technical and procedural safeguards.

In practice, CMMC doesn’t just require organizations to “check the box” on security. It establishes tiered maturity levels, ranging from foundational practices to advanced protections. Organizations must meet each level based on the sensitivity of the work they perform and its associated data.  For MSPs serving government contractors, CMMC is non-negotiable: failing to achieve certification can disqualify clients from winning contracts.

Cyber Essentials

Cyber Essentials is a UK government-backed certification designed to help organizations reduce risks and protect themselves against threats. Unlike broader frameworks, Cyber Essentials focuses scope on five core security controls: firewalls, secure configuration, access control, malware protection, and patch management.

When implemented, Cyber Essentials establishes a cybersecurity best practice baseline. Many UK government contracts require Cyber Essentials, but it also serves as a confidence signal for private-sector clients. Certification demonstrates that an organization has taken practical steps to secure its IT environment. For MSPs, guiding UK clients through Cyber Essentials easily establishes credibility and reducing exposure to common cyberattacks.

Cyber Assessment Framework (CAF)

The National Cyber Security Centre (NCSC) developed the UK's CAF to provide a structured approach to assessing cybersecurity in critical national infrastructure. Unlike prescriptive lists of controls, CAF focuses on achieving specific security outcomes. These outcomes span governance, risk management, resilience, and incident response—areas critical to national security.

More stringent than Cyber Essentials, CAF shifts the focus away from achieving compliance for its own sake. Instead, it emphasizes whether organizations are capable of managing risks to maintains essential functions even under attack. For MSPs supporting clients in regulated UK industries, CAF assessments are a requirement. Therefore, they must align these clients' cybersecurity practices with its outcome-driven expectations.

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA) applies to U.S. financial institutions and their service providers. It requires these entities to safeguard sensitive customer financial information through comprehensive administrative, technical, and physical protections. Federal regulators such as the Federal Trade Commission (FTC) require GLBA for any organization dealing with finances.

Given that it pertains to individuals' financial information, GLBA matters because the stakes are high. Financial data is a prime target for cyber criminals. Naturally, regulators expect institutions to take measurable steps to protect it.

So, GLBA compliance is both a legal obligation and a key part of customer trust. The GLBA Safeguards Rule compels organizations to conduct regular risk assessments, design security programs, and oversee service providers. As an MSP with clients in banking, insurance, or financial services, this responsibility falls directly on you.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is one of the most widely recognized compliance frameworks in the United States. It sets strict requirements for safeguarding protected health information (PHI) on healthcare providers, health plans, and their business associates. HIPAA’s Security Rule outlines administrative, technical, and physical safeguards that organizations must put in place.

What makes HIPAA particularly challenging is the scope of enforcement. The U.S. Department of Health and Human Services regularly audits and investigates reported breaches. Noncompliance results in substantial fines, making it critical that organizations remain up to date on all their controls. For MSPs supporting healthcare clients, HIPAA compliance requires not only strong cybersecurity controls but also rigorous documentation and training programs.

Healthcare Industry Cybersecurity Practices (HICP)

The U.S. Department of Health and Human Services, in collaboration with industry stakeholders, developed the Healthcare Industry Cybersecurity Practices (HICP) guidelines. Unlike HIPAA, HICP is not a regulatory mandate but rather a set of voluntary practices designed to help healthcare organizations improve cybersecurity resilience.

HICP's design recognizes the unique challenges faced by healthcare providers. From small-practice resource constraints to complex hospital IT systems, the guidance tailors approaches based on organizational size. HICP gives MSPs a blueprint to align cybersecurity services with industry-driven best practices, even for HIPAA-focused clients.

Common Cybersecurity Challenges for MSPs and Their Clients

When viewed together, these frameworks share common cybersecurity undertones: access control, monitoring, incident response, and continuous improvement. However, mapping security controls across multiple frameworks creates significant challenges for MSPs:

  • Implementing overlapping requirements without duplicating effort
  • Tracking controls across different frameworks with varying wording and terms
  • Keeping up with evolving standards and audit cycles
  • Ensuring clients have both the technical protections and the documentation to pass audits

These challenges often result in resource strain, difficulty demonstrating compliance to clients, and gaps in audit readiness.

Client case studies: Traxyl & Fritz Clinic

An example of these struggles from a client's perspective is the story of Traxyl, a U.S. government contractor. Traxyl needed their business operations to comply with CMMC as well as International Traffic in Arms Regulations (ITAR).

Yet, the nature of Traxyl's business made it difficult to manage their own compliance program and security risks. They needed a partner to implement a program that met the industry data security standards of their government customers.

Another such organization is the Fritz Clinic, a rural healthcare provider. During the COVID-19 pandemic, they had to weigh the risks of endangering their patients and staff against their compliance risks. They needed a way to maintain operations by implementing a more remote treatment model. This, of course, drew questions regarding HIPAA and the management of patient health records and other personal data.

At the time, Fritz Clinic didn't have any digital infrastructure or information security management systems in place. But, they also couldn't safely keep their usual in-office visits. They needed a partner to innovate their approach while also maintaining corporate governance to keep them HIPAA compliant.

MSP case study: Iron Dome

One example of these struggles from the MSP side is the experiences of the Iron Dome, a UK-based IT service provider. As they expanded their operations to support clients with compliance needs like Cyber Essentials, they found that their tool stack sprawl held them back. Iron Dome needed a way to consolidate their efforts while still ensuring effective security outcomes for their clients. They needed to save time to remain ahead of a shifting compliance landscape.

The Solution: Unifying Security and Compliance with Todyl

Iron Dome found their path to streamlined security and Cyber Essentials compliance through Todyl. Using the comprehensive security platform, Iron Dome cut out stack bloat while delivering better security to their clients. Implementing Todyl GRC also helped Iron Dome to demonstrate technical controls, perform security assessments, and document policies. This gave their clients additional reassurance and confidence in Iron Dome's value.

You can read their full story here.

As for Traxyl, they turned to their local compliance experts and Todyl partner, Queen Consulting. Queen Consulting used the breadth of the Todyl platform to:

  • Secure Traxyl's remote connections and international data transfer via SASE.
  • Manage endpoints and prevent end user system compromise using Endpoint Security.
  • Maintain extensive visibility and threat detection and response through SIEM.
  • Deliver 24/7 coverage over Traxyl's security and compliance needs with MXDR.

In fact, by partnering with Todyl, Queen Consulting covered nearly 50% of CMMC requirements in just one solution. Learn more about their proactive approach here.

Fritz Clinic reached out to MSP, SIP Oasis, another Todyl partner to tackle their growing need for innovation. SIP Oasis used Todyl SASE to overhaul the entire operation. They created secure remote connections between doctors and patients without putting lives or sensitive data at risk. What's more, it only took 3 days to do it all, keeping Fritz Clinic HIPAA compliant the entire time.

Read about their secure, compliant telehealth implementation here.

Streamlining Compliance Framework Management with GRC

For MSPs who need to support their clients' compliance requirements, Todyl GRC makes it easy to understand and implement the proper security controls. GRC provides a simplified Compliance Assistant for checking which frameworks and regulations clients may be in scope for. Todyl automatically maps security controls to the the frameworks covered above and many others to give you a straightforward view into what needs to be addressed to make clients audit ready. A native policy documentation repository helps you consolidate governance data and present procedures to auditors and other stakeholders.

And, since GRC is part of the Todyl platform, you can streamline your compliance efforts in the same pane of glass you use to manage client security programs and reduce risk. Check out GRC and the rest of the Todyl platform today in your own personalized demo. Contact us to get started.