About TACSOP.
TACSOP is a compliance documentation kit, sold as a product. This page explains who built it, why it exists, and what we commit to.
What TACSOP is.
TACSOP is a 174-page implementation guide plus 48 supporting templates that walk a small or mid-sized business from purchase to operational compliance posture in 90 days of part-time work. The kit is built on CIS Controls v8.1 Implementation Group 1, with mappings to NIST CSF 2.0, SOC 2 Trust Services Criteria, and the state safe harbor statutes in Texas, Connecticut, Ohio, and Utah. It's sized for 5-99 employee businesses with cyber insurance, customer questionnaire, safe harbor, or audit-prep compliance needs. The kit is currently at version 1.0; updates ship through the annual maintenance plan.
About the name
TACSOP stands for Tactical Standard Operating Procedure. The name comes from military doctrine, where a TACSOP is a unit's written set of standard operating procedures for routine operations. The brand reflects what the kit produces: a working set of standard operating procedures for the foundational cybersecurity work a small business actually has to do.
Who built TACSOP.
TACSOP comes from the team at Foxtrot 7 Tech, a Texas IT and compliance consultancy that serves primarily professional services clients (CPAs, law firms, and similar small practices) with managed IT, compliance program development, and the operational work behind both. The kit reflects the documentation Foxtrot's compliance practice produces for its own clients, distilled into a self-service form for businesses that want the same documentation without the full consulting engagement.
The kit's audience is broader than Foxtrot's consulting clientele because the work itself is vertical-agnostic. CIS Controls Implementation Group 1 was designed by the Center for Internet Security to apply across small businesses regardless of industry. The foundational controls (asset inventory, account management, MFA, backup verification, vendor risk management) and the documentation pattern that supports them work the same way for an accounting firm, a custom manufacturer, an early-stage SaaS startup, or a 75-person company with an IT generalist. The kit is built on that framework-agnostic foundation, with honest scoping where verticals diverge (OT and ICS for manufacturers, privilege for law practices, framework-specific work for HIPAA or CMMC).
The kit's design choices reflect Foxtrot's operational experience: small businesses don't need IG2 or IG3 maturity to start; documentation in plain language outlasts documentation in framework jargon; sequencing the work into a 90-day program respects the part-time reality of the implementer; and honest scoping about what the kit doesn't cover prevents the buyer from discovering it the hard way. Each of those choices comes from watching real implementations succeed or fail, not from theory.
The kit reflects the documentation Foxtrot's compliance practice produces for its own clients, distilled into a self-service form.
What we commit to.
Honesty about scope
Every page of the site, and every page of the implementation guide, is honest about what the kit doesn't cover. HIPAA. CMMC. ISO 27001. OT and ICS systems. Continuous monitoring for SOC 2 Type 2. We name the gaps and point you to alternatives when alternatives are the right answer. Sales don't justify scope dishonesty; the cost of the wrong buyer discovering the gap after purchase is higher than the cost of losing the sale up front.
Annual updates that keep the kit current
Compliance frameworks change. State safe harbor statutes get amended. The CIS Controls revise on their own cadence. The annual maintenance plan funds the work of keeping the kit aligned with frameworks as they evolve, and the work of incorporating recurring buyer feedback into kit improvements. What you bought on Day 1 should not be what you have on Day 365 of Year 5.
Buyer feedback as a real input
The TACSOP roadmap is shaped partly by what buyers ask, struggle with, and tell us. Recurring questions become FAQ entries. Recurring friction points become procedure clarifications. Recurring template requests become new templates. The kit improves because real buyers are using it; that loop is the maintenance plan's reason for existing.
How to reach us.
Three paths, depending on what you need.
Questions about the kit
Email us at support@tacsop.io. We answer real questions over email, before or after purchase. No pressure to buy after the conversation.
Citing TACSOP to a regulator, carrier, or auditor
If you're asked to identify the source of your security program documentation, the standard reference is TACSOP, from Foxtrot 7 Tech, with the kit version (currently v1.0) and the framework basis (CIS Controls v8.1 Implementation Group 1). The kit's documentation is your business's documentation once you customize and adopt it; the citation acknowledges where the framework originated without implying ongoing third-party authorship.
About Foxtrot 7 Tech
If you're interested in Foxtrot's IT or compliance services rather than the TACSOP kit, the Foxtrot 7 Tech website covers the consulting side of the business directly. The TACSOP site stays focused on the kit.