HIPAA, PCI-DSS, CMMC, SOC 2, FTC Safeguards. Policy documentation, risk assessments, gap analysis, evidence collection.
Compliance is not a binary state. You are never "HIPAA-compliant" in a permanent sense — you are HIPAA-compliant today, based on the controls you have in place today, validated by evidence you can produce today. Frameworks operate on a continuous attestation model. The question is not "did we pass once?" — it's "can we prove we still meet the standard right now?"
That's where most SMBs fail. They scramble before an audit, get certified, then drift over the next 6 months as projects pile up, employees turn over, and controls quietly degrade.
Maverick's approach: build the controls correctly, document everything as you go, and run quarterly internal reviews so the next external audit is a formality rather than a fire drill.
HIPAA: healthcare. Security Rule + Privacy Rule + Breach Notification Rule. We deliver the required technical safeguards (access control, audit logs, encryption, transmission security), administrative safeguards (policies, training, risk assessment), and physical safeguards. BAAs are in place with every vendor we operate. An annual HIPAA risk assessment is included.
PCI-DSS: anyone processing, storing, or transmitting payment card data. We help define the cardholder data environment (CDE), segment it from the rest of the network, implement the technical controls, and prepare documentation for your SAQ or QSA audit.
CMMC: defense contractors. We have taken clients through both Level 1 and Level 2 assessments. SSP development, POA&M management, gap analysis against the 110 controls of NIST SP 800-171, evidence preparation.
SOC 2: service organizations attesting against the Trust Services Criteria. We support SOC 2 Type I and Type II audits, working alongside your auditor to deliver controls and continuous evidence collection.
FTC Safeguards Rule: financial institutions including auto dealers, mortgage brokers, tax preparers, and accountants under the expanded 2023 definition. Designated Qualified Individual, risk assessment, written information security program (WISP), MFA, encryption, vendor management, incident response plan.
State privacy laws: the Tennessee Information Protection Act, California CCPA/CPRA, New York SHIELD, and the growing patchwork of other state laws.
We are vendor-aligned with the platforms our engineers actually trust in production. Here is what powers this service line:
Compliance work is mandatory when:
There is no government-issued "HIPAA certification" for MSPs — anyone claiming one is misrepresenting their credentials. What matters is whether the MSP signs a BAA with you, implements the required Security Rule safeguards, conducts annual risk assessments, and documents everything. Maverick does all of those.
For a typical defense contractor starting from a moderate security baseline, CMMC L2 prep runs 6 to 12 months. That includes scoping CUI, building the SSP, implementing the 110 NIST 800-171 controls, training staff, collecting evidence, and remediating gaps via the POA&M.
Type I evaluates whether your controls are properly designed at a single point in time. Type II evaluates whether those controls actually operated effectively over a period (typically 6 to 12 months). Type II is the report most enterprise customers want to see.
Yes. The 2023 amendments expanded the rule to cover "financial institutions" much more broadly — including auto dealers, mortgage brokers, retail installment plan providers, tax preparation firms, collection agencies, and other non-bank financial businesses. Enforcement has been active.
No, and we are explicit about that separation. We implement the controls and documentation; an independent auditor or QSA evaluates them. The same firm cannot both build the system and certify it. We work alongside auditors and refer to qualified firms when clients need one.