Resources
Seven whitepapers on what audit-grade compliance deliverables actually look like in 2026. One universal opener on recipient-verifiability, four framework-specific guides (HIPAA, PCI, CMMC, Logistics), and two cross-cutting closers on the readiness rubric and the missing middle of the compliance market.
~13,000 words total. Each piece reads independently. Read in order for the full thesis.
- #1 · Cross-framework · 10 min read
  Why your compliance vendor’s PDF is not assessment evidence
  A buyer’s guide to recipient-verifiable compliance deliverables
  What assessors actually need on audit day, why most compliance platforms can’t ship it, and the 5 properties that distinguish an assessment-grade deliverable from a vendor claim.
- #2 · CMMC · Fortress · 9 min read
  32 CFR Part 170: why your CMMC RP and your C3PAO cannot be the same firm
  A CMMC vendor-selection guide for Defense Industrial Base contractors
  What the regulation requires, why the separation between prep-side and assessment-side vendors exists, and how to structure your CMMC vendor stack to survive scrutiny.
- #3 · Logistics · Nexus · 9 min read
  The 72-hour TSA cyber-incident clock: what surface-transport operators need pre-staged
  A practical guide for motor carriers, freight rail, transit, and pipeline operators
  What TSA SD-1580 / SD-1582 actually require, the multi-regulator notification matrix, the Stop Movement Order risk, and what a working incident playbook looks like before the clock starts.
- #4 · PCI DSS · Vault · 9 min read
  Two-party attestation: how the PCI AoC handoff should work
  A PCI DSS v4.0.1 guide for merchants and service providers
  Why the single-signature AoC has structural weakness, what two-party attestation means in practice, and how to ship the document to your QSA and your acquirer as two independently verifiable artifacts.
- #5 · HIPAA · Aegis · 9 min read
  Cryptographic integrity for HIPAA evidence: hash-anchored audit logs and the OCR question
  A HIPAA Security Rule guide for covered entities and business associates
  What 45 CFR §164.312(b) actually requires, why mutable audit logs fail OCR scrutiny, and what hash-anchored evidence infrastructure looks like in 2026.
- #6 · Cross-cutting · 7 min read
  A / B / C readiness: what an auditor-comprehensible tier rubric actually looks like
  A buyer’s guide to compliance scoring
  Why the 0–100 dashboards every SaaS compliance vendor ships fail at the executive table, and what a working readiness rubric looks like when you need to make real decisions about audit-day exposure.
- #7 · Cross-cutting · 11 min read
  From DIY SaaS to firm engagement: the missing middle of compliance
  A buyer’s decision framework for compliance vendor selection
  Why the two markets every compliance buyer evaluates — SaaS automation and big-firm engagements — both fail specific buyer segments, what the missing middle actually requires, and how to evaluate vendors who claim to fill it.
Ready for the diagnostic?
The Mission Brief is a 90-minute engagement with Tammie and a practitioner. You walk out with your initial readiness tier and the regulator-ready artifact for your framework.
