Frequently asked questions.

Questions we've heard. Answers we'd give honestly over coffee. Organized into six sections so you can skip to what you need.


Don't see your question? Ask us directly

About TACSOP.

What is TACSOP?

TACSOP is a compliance documentation kit. One 174-page implementation guide plus 48 supporting templates. Built around a 90-day program that takes 4-8 hours per week of part-time work. Sized for 5-99 employee businesses with cyber insurance, customer questionnaire, state safe harbor, or audit-prep compliance needs.

What does TACSOP stand for?

Tactical Standard Operating Procedure. The name comes from military doctrine, where a TACSOP is the unit's written set of standard operating procedures for routine operations. The brand reflects what the kit produces: a working set of standard operating procedures for the foundational cybersecurity controls a small business needs.

What framework is TACSOP built on?

CIS Controls v8.1 Implementation Group 1 (CIS IG1), with mappings to NIST CSF 2.0, SOC 2 Trust Services Criteria, and the state safe harbor statutes in Texas, Connecticut, Ohio, and Utah. IG1 is the foundational tier of the CIS Controls and is appropriate for businesses that don't have dedicated security staff.

Does TACSOP make my business compliant?

No. The kit gives you a written program. Compliance requires actually doing what the program says. The kit makes documentation easy; the work of operationalizing the documentation is yours. The implementation guide walks you through the operational work alongside the documentation.

What's the difference between TACSOP and using CIS Controls directly?

CIS publishes the Controls framework free at cisecurity.org. TACSOP isn't a license to use the framework; the framework is already free. What TACSOP saves you is the assembly work: translating framework controls into business-ready policies, customizing 48 templates for a small business context, sequencing the work into a 90-day program, mapping the controls to SOC 2 and the four state safe harbor statutes, and writing the implementation guide that connects all of it. If you have the time and inclination to do that translation yourself, you may not need TACSOP. Most small businesses don't.

Who built TACSOP?

The team at Foxtrot 7 Tech, a Texas IT and compliance consultancy. The kit reflects the documentation Foxtrot's own clients needed in the same order, over and over, until building it once was obviously the right answer.

Buying.

How much does TACSOP cost?

Three public tiers. Self-Service at $499 one-time, Onboarding at $748 one-time, Managed Implementation at $1,999 one-time. All three include 12 months of updates. After the first year, the annual maintenance plan is $99 per year.

Why three tiers if the content is the same?

The tiers vary in how much help you want with the implementation work, not in what you get. Self-Service is the kit on its own. Onboarding adds a one-hour scoping call to confirm your starting place. Managed Implementation adds eight hours of consulting time through Phase 1.

Which tier should I choose?

Self-Service if you have time and a clear starting place. Onboarding if you want a quick human check before you start. Managed Implementation if you want a partner alongside you for the heaviest phase. The pricing page has a side-by-side comparison.

Is there a free trial?

No. The kit is a delivered product, not a subscription, so a trial doesn't fit the structure. A sample chapter from the implementation guide and a sample policy template are both available on the Kit page; the sample content is enough to evaluate whether the voice and depth fit your business.

Do you offer refunds?

Yes. If the kit doesn't fit your business, request a refund within 30 days of purchase. Refunds are full and processed within five business days.

Is the price per business or per user?

Per business. One license covers everyone in your organization who needs access to the kit content.

Can I upgrade to a higher tier later?

Yes. Self-Service to Onboarding is $249 incremental, available within 12 months of your original purchase. Self-Service to Managed Implementation reflects the difference between the two tiers ($1,500). Talk to us first to schedule the consulting time.

Can my MSP or consultant buy this on my behalf?

Yes. The buyer field on the purchase form accepts a different name and email than the licensee. If you're an MSP buying for a client, talk to us first about whether a multi-client arrangement makes sense.

What if I'm a Foxtrot 7 Tech client?

TACSOP is included with Managed Compliance Services. You don't need to buy through the site; your consultant has everything you need.

Implementation.

How long does TACSOP take to implement?

90 days of part-time work, 4-8 hours per week. Roughly 36 to 72 hours of total effort across three months. The first 30 days (Phase 1) are the heaviest; Phases 2 and 3 are lighter and increasingly focused on cadence and maintenance.

Who can be the implementation lead?

One named person responsible for working through the 90-day program. For an owner-operator, this is usually the owner. For a 20-99 employee company, it might be the office manager, operations lead, or IT generalist. For a Foxtrot client, the consultant. Without a named owner, the program drifts.

Do I need a technical background?

No. The implementation guide assumes intelligence but not specialization. The procedures are step-by-step rather than abstract. Buyers without technical backgrounds have implemented the kit successfully; the limiting factor is usually time and owner sponsorship, not technical skill.

Can I buy now and start later?

Yes. Your license key and kit arrive at purchase; you can start whenever your calendar allows. CPA firms typically implement outside tax season, retail outside Q4, schools during summer. The 12 months of included updates run from your purchase date, so buying months before you start means a portion of your update window passes before you begin.

Can I pause once I've started?

Yes. The 90-day timeline assumes consistent weekly effort, but you can pause and resume as needed. Each pause adds calendar time. Resume Phase 1 fully rather than skipping ahead if the pause is long.

Can I run multiple workstreams in parallel?

Yes. The week-by-week structure in Phase 1 is a default, not a requirement. A capable implementer running parallel workstreams can compress Phase 1 to 2-3 weeks of focused effort. The sequencing matters less than the outputs.

What if owner sponsorship isn't in place?

The program will fail without it. Adopting a policy requires owner approval; the program's operational changes require owner backing when they create friction with employees. If the owner won't sponsor, the kit isn't the right solution at this moment, regardless of how good the implementation lead is.

Scope.

I'm a CPA firm. Does TACSOP satisfy the FTC Safeguards Rule?

CPA firms preparing tax returns are financial institutions under the FTC Safeguards Rule (16 CFR Part 314), which requires a written information security program with named coordinators, documented risk assessments, vendor management, employee training, and incident response procedures. TACSOP's policies, procedures, and templates align with each of those requirements. The kit produces the written program the rule expects. Your firm still adopts, customizes, and operationalizes the program; the rule requires doing the work, not just having the documentation.

I'm in Texas, Connecticut, Ohio, or Utah. Does TACSOP satisfy my state's safe harbor statute?

Yes. The kit aligns with CIS Controls IG1, which is a recognized cybersecurity framework under each of the four state safe harbor statutes. Texas SB 2610 names CIS Controls explicitly. Ohio SB 220, Connecticut Public Act 21-119, and Utah's Cybersecurity Affirmative Defense Act each accept alignment with a recognized framework. The kit's State Safe Harbor Self-Attestation is the documented attestation that triggers the statutory liability protection in those four states.

I'm a law practice. Does TACSOP satisfy ABA Model Rule 1.1 and Formal Opinions 477R and 512?

The kit's documented procedures address what each of those touchstones describes. Model Rule 1.1's technology competence duty is supported by documented security procedures the firm can point to. Formal Opinion 477R's vendor management expectations are addressed by the kit's Vendor and Third-Party Management Policy and the Vendor Onboarding and Annual Review Procedure. Formal Opinion 512's AI use guidance is addressed by the kit's Acceptable Use Policy and Data Classification and Handling Policy. ABA opinions describe duties; TACSOP gives you procedures that demonstrate the duties are being met. Privilege determinations remain a matter for counsel.

I'm a manufacturer responding to customer security audits. Does TACSOP help?

Yes. The kit's policies and procedures are the documented program a customer auditor wants to see. The Customer Security Questionnaire Response Template lets you populate answers once and reuse them across customers. The Vendor Security Questionnaire (the one you send to your vendors) demonstrates that your supply chain is part of your security program. Customer audits become a presentation of an existing program rather than a project triggered by the audit notice.

Does TACSOP cover AS9100, IATF 16949, ITAR, NIST SP 800-82, or IEC 62443?

No. These manufacturing-specific frameworks need framework-specific work TACSOP doesn't address. TACSOP documents the IT side of your security program. OT and ICS systems (PLCs, SCADA, plant-floor controls) need vendor-specific guidance the kit doesn't replace. If your environment includes OT or specialized industrial systems, talk to us first about whether the kit and the consulting hours are the right fit before you buy.

Is TACSOP enough for SOC 2?

For SOC 2 Type 1, the kit gives you most of the documentation foundation. For SOC 2 Type 2, you need a continuous monitoring platform like Vanta, Drata, or Sprinto. TACSOP is the stage before Type 2; the work you do at TACSOP carries forward to the platform.

Does TACSOP cover HIPAA?

No. The HIPAA Security Rule has framework-specific requirements TACSOP doesn't address. HIPAA-specialized documentation vendors like Compliancy Group and HIPAA One are the right starting place for the framework-specific work. TACSOP can complement HIPAA documentation for secondary compliance needs (cyber insurance, vendor security questionnaires) but doesn't replace the HIPAA-specific work.

Does TACSOP cover NIST 800-171 or CMMC?

No. Defense contractors handling Controlled Unclassified Information need NIST 800-171 specifically. ComplianceForge specializes in CMMC documentation and is the right starting place. TACSOP can complement CMMC documentation if you also have cyber insurance, customer questionnaire, or state safe harbor needs, but it doesn't replace specialized contractor documentation.

What if my business has OT or ICS systems?

TACSOP documents the IT side of your security program. OT and ICS systems (PLCs, SCADA, plant-floor controls) need vendor-specific guidance the kit doesn't replace. Manufacturing-specific frameworks (NIST SP 800-82, IEC 62443, AS9100, IATF 16949, ITAR) need framework-specific work TACSOP doesn't address. If your environment includes OT or specialized industrial systems, talk to us first about whether the kit and the consulting hours are the right fit before you buy.

What about attorney-client privilege at my law firm?

TACSOP doesn't determine privilege questions; those remain a matter for counsel. The kit's documentation is your firm's documentation, written for your business by your business. How privilege applies to the documentation, and to any incident response work that draws on it, is a question for your firm's professional responsibility process.

What if my state isn't Texas, Connecticut, Ohio, or Utah?

The kit's framework alignment still supports general defensibility through documented evidence of due care. The four-state safe harbor protection requires the specific statutes. Consult counsel for state-specific implications outside the four covered states. The implementation guide also notes the safe harbor coverage applies to incidents affecting residents of qualifying states, which matters for multi-state operations.

What if my business operates in multiple states?

If you operate in multiple states, including TX, CT, OH, or UT, the kit's state safe harbor coverage applies to incidents affecting residents of those qualifying states. The kit's general security program approach supports defensibility regardless of state.

What if my business has more than 99 employees?

TACSOP is sized for 5-99 employees. Companies in the 100-249 range can use the kit with some accommodation. Companies past 250 employees typically need either a vCISO consulting engagement, an enterprise compliance platform, or both. We're happy to refer you to options that fit your size if you ask.

What if I'm pursuing both TACSOP-covered needs and a framework TACSOP doesn't cover?

Most buyers with mixed compliance drivers can use TACSOP alongside specialized framework documentation. A defense contractor with CMMC needs can use ComplianceForge for CMMC and TACSOP for cyber insurance, customer questionnaires, and state safe harbor. A healthcare practice can use a HIPAA-specialized vendor for HIPAA and TACSOP for adjacent needs. TACSOP complements specialized documentation; it doesn't replace it.

Updates and maintenance.

What does the maintenance plan cover?

Every kit update we ship during the year. CIS Controls revisions when CIS publishes them. Updated framework crosswalks when NIST CSF or SOC 2 change. New stakeholder communication templates as buyer patterns surface. New FAQ entries based on what buyers actually ask.

Why is maintenance a separate plan?

Compliance frameworks change. State safe harbor statutes get amended. New threats emerge. The kit you buy on Day 1 should not be the same kit you have on Day 365 of Year 5. The maintenance plan funds the work of keeping the kit current.

How long is my first year of updates?

Twelve months from the date of purchase, included in the purchase price across all three tiers. After that, the maintenance plan is $99 per year and renews automatically.

What happens if I let maintenance lapse?

Your kit content is yours forever. The maintenance plan covers updates. If you let maintenance lapse, you can re-up at any time, but you pay catch-up for missed years (capped at two years). You don't lose what you bought; you just don't get newer versions until you renew.

Can I cancel maintenance?

Yes. Cancel any time from the customer dashboard. No phone call required.

How will I know when there's an update?

Email notification to the address associated with your license key. Updates are typically released annually with patch updates as needed for major framework or threat landscape changes.

What happens when CIS releases a new version of the Controls?

Foxtrot 7 Tech reviews the change, updates the kit's mappings and references, and ships an updated version to maintenance plan customers. Major version changes (e.g., CIS Controls v8 to v9) trigger a substantial revision; minor version changes trigger an update with limited rework.

Service and support.

How is the kit delivered?

A downloadable archive containing every artifact in two formats: editable Word documents for the policies, procedures, and templates, plus Markdown source files for buyers who prefer plain-text editing. The implementation guide is delivered as a PDF for reading plus Markdown for integration. Your license key arrives by email at the address you provide.

Can I customize the templates?

Yes. That's the point. Every policy, procedure, and template is a starting framework; the implementation guide walks you through customizing each one for your business. Names, scope, terminology, signature lines, and operational specifics all get adjusted to fit. You're not adopting Foxtrot's documentation; you're using Foxtrot's documentation as the starting place for yours.

Can my team contribute to the kit content over time? Does it work with version control?

Yes. The Markdown source files are designed for this. Teams that maintain documentation in git, Notion, or similar systems can manage the kit's policies and procedures the same way they manage anything else. Multiple contributors, version history, change review, and integration with existing documentation workflows all work normally because Markdown is just text. The Word versions are provided for buyers who don't have those workflows.

When I buy Onboarding, how does the scoping call get scheduled?

After purchase, a Foxtrot consultant reaches out to schedule the one-hour call. You don't need to book anything at checkout; we'll find a time that works.

What's covered in the Managed Implementation hours?

The eight hours cover Phase 1 work: inventorying your environment, customizing the Phase 1 templates for your business, and working alongside you through the foundational controls (Days 1-30). The specifics of how the hours are scoped and used are worked out on the kickoff call, including whether any time can be banked for later questions. If you'd like to know more before buying, talk to us first.

What if I have a question that isn't in the kit?

Self-Service tier buyers get email support for kit-related questions. Onboarding tier buyers get the same plus the one-hour scoping call. Managed Implementation tier buyers get the same plus the eight hours of consulting time. Foxtrot 7 Tech clients get questions handled through their existing service relationship.

What does the kit look like a year after purchase?

A documented program with a quarterly cadence. Quarterly access reviews, quarterly log reviews, quarterly compliance health checks, annual risk assessment, annual policy review, annual safe harbor attestation update. The implementation guide Section 6 walks through the Year 2+ cadence in detail.

When should I outgrow TACSOP?

When your business passes 100 employees with continuous monitoring needs, when customers demand SOC 2 Type 2 attestation, when regulators require more advanced controls, or when vendor risk volume requires continuous monitoring. TACSOP IG1 graduates to TACSOP IG2 (when available) or to SaaS platforms like Vanta, Drata, or Sprinto.

Didn't find your question?

The FAQ above covers what we hear most often. If your question isn't here, three reasonable next steps.