American IT Solutions

Types of IT compliance

A generic rundown of common IT compliance frameworks businesses encounter. This page is educational reference material that explains what each framework is and who it generally applies to, not a statement of American IT Solutions’ specific support, certification, or audit posture.

This page is reference material. It does not claim that American IT Solutions is audited, certified, or attested under any specific framework. Specific framework alignment and engagement scope are reviewed with the team.

Why compliance shows up

Frameworks businesses commonly encounter

Most organizations end up touching at least one IT compliance framework, driven by industry, customers, regulators, or contracts. The frameworks below are the ones that come up most often in business IT conversations.

Frameworks

What each framework is, briefly

Short, neutral explainers drawn from public source material. This is not legal or compliance advice; consult a qualified advisor about obligations specific to your business.

  • NIST CSF

    NIST Cybersecurity Framework

    A voluntary cybersecurity framework from the US National Institute of Standards and Technology.

    Organizes cybersecurity practice into a small number of core functions: Identify, Protect, Detect, Respond, Recover (and, in CSF 2.0, Govern). Widely adopted as a common language for assessing posture, planning improvements, and communicating cybersecurity risk to non-technical leadership.

    Commonly applies to

    Voluntary across all industries. Often adopted as a posture-and-improvement framework, sometimes as a stepping stone toward more prescriptive standards.

  • CMMC

    Cybersecurity Maturity Model Certification

    US Department of Defense compliance program for the defense industrial base.

    Requires contractors and subcontractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to demonstrate cybersecurity maturity at one of several levels. Aligned closely with NIST SP 800-171 (and 800-172 at higher levels).

    Commonly applies to

    Companies in the US defense industrial base bidding on or holding DoD contracts that touch FCI or CUI.

  • DFARS 800-171

    Defense Federal Acquisition Regulation Supplement clauses based on NIST SP 800-171

    DoD acquisition rules that incorporate NIST SP 800-171 controls for protecting CUI.

    DFARS clauses (notably 252.204-7012, -7019, and -7020) require defense contractors handling Controlled Unclassified Information to implement the security requirements specified in NIST SP 800-171 and to report assessment scores. Closely related to, and often discussed alongside, CMMC.

    Commonly applies to

    DoD contractors and subcontractors processing, storing, or transmitting CUI on covered information systems.

  • SOC 2

    Service Organization Control 2

    An audit standard from the AICPA for service organizations.

    Reports cover one or more of the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. A Type 1 report attests to controls at a point in time; a Type 2 report attests to operating effectiveness over a period. Performed by an independent CPA firm.

    Commonly applies to

    B2B service organizations, especially SaaS providers and IT/MSP vendors, whose customers ask for an independent attestation of their controls.

  • HIPAA

    Health Insurance Portability and Accountability Act

    US federal law setting privacy and security standards for protected health information (PHI).

    The HIPAA Security Rule establishes administrative, physical, and technical safeguards for electronic PHI. Covered entities and their business associates must implement these safeguards and execute Business Associate Agreements where PHI is handled.

    Commonly applies to

    Healthcare providers, health plans, and healthcare clearinghouses (covered entities), plus their business associates that create, receive, maintain, or transmit PHI.

  • SEC Cybersecurity Rules

    US Securities and Exchange Commission cybersecurity disclosure rules

    SEC rules requiring public companies to disclose material cybersecurity incidents and governance.

    Among other requirements, public registrants must disclose material cybersecurity incidents on Form 8-K within prescribed timing, and must include annual disclosures about cybersecurity risk management, strategy, and governance.

    Commonly applies to

    Public companies registered with the SEC. Effective dates and specific obligations vary by filer status.

  • FINRA

    Financial Industry Regulatory Authority

    A self-regulatory organization that oversees US broker-dealers.

    Cybersecurity expectations for FINRA-regulated firms appear across regulatory notices, supervision rules, and exam priorities, with substantial overlap with SEC requirements and broader industry best practices.

    Commonly applies to

    Broker-dealers and associated persons subject to FINRA oversight.

How AIT can help

Aligning IT with your compliance posture

American IT Solutions provides managed IT, cybersecurity, help desk, and device support that can align with the compliance frameworks above where engagements require it. Specific framework alignment is scoped per engagement.

Have a specific framework in mind?

Use the contact form for a focused question, request an IT assessment for a broader review, or call directly. Final framework support and engagement scope are aligned with the team after the request is received.