Who TACSOP is for.
TACSOP fits some businesses well and others not at all. Use this page to figure out which group you're in. We'd rather you self-qualify out than buy a kit that doesn't serve you.
Are you renewing cyber insurance?
Your renewal asks 30-40 questions. Multi-factor authentication. Backup verification. User access reviews. Vendor risk management. Incident response procedures. Each answer is supposed to be yes, with documentation behind it. TACSOP is where the documentation lives.
Four businesses we built this for
The CPA firm preparing for renewal. An 8-person tax and accounting practice in North Texas, whose broker started asking detailed cybersecurity questions two renewals ago. The owner-operator handles the renewal herself and doesn't want to keep guessing at the answers. TACSOP's Cyber Insurance Application Cheat Sheet gives her pre-populated answers to the common renewal questions; the implementation guide walks her through the controls behind each answer.
The law practice with carrier-driven questions. A 12-attorney boutique firm whose professional liability carrier expanded its cybersecurity questionnaire alongside the firm's annual practice insurance renewal. The managing partner wants documented answers that hold up under scrutiny without hiring a consultant. TACSOP's documentation is the same documentation a consultant would produce, on the firm's own timeline.
The manufacturer evaluating a coverage increase. A 40-person custom shop in the Midwest applying for higher policy limits and discovering the higher-tier carrier asks deeper cybersecurity questions than the lower-tier one. The operations leader needs to either answer the questions or accept the lower limit. TACSOP produces the documentation; the higher policy limit becomes available.
The IT manager handling the renewal himself. An IT manager at a 75-person professional services firm whose CFO has asked him to handle the cyber insurance renewal application this year. He has the technical fluency to answer the questions but doesn't have a written program to point to. TACSOP gives him the program. The application gets answered with documentation rather than from memory.
Did a customer send you a security questionnaire?
The questionnaire comes in a familiar format. SIG. CAIQ. A custom version from the customer's procurement team. The questions are from a standard list; the answers don't have to be invented every time. TACSOP gives you a response template you populate once and reuse for every customer that asks.
Four businesses we built this for
The SaaS startup with a first enterprise prospect. An early-stage SaaS company whose first enterprise prospect just sent a 200-question security questionnaire as part of vendor due diligence. The founder doesn't want to lose the deal but also doesn't want to invent answers. TACSOP gives the company a written security program that produces honest answers to most of the questions, with the SOC 2 conversation reserved for the stage when SOC 2 Type 2 attestation becomes the actual requirement.
The boutique law firm in M&A due diligence. A 12-attorney firm in the Southwest representing corporate clients in middle-market acquisitions. The firm receives security questionnaires from opposing counsel during due diligence, from corporate clients with vendor management programs, and from the firm's own professional liability carrier. The managing partner wants documented answers that hold up under any of these scrutiny patterns. TACSOP's Customer Security Questionnaire Response Template provides answers; the firm reuses them across all three contexts.
The professional services firm responding to RFPs. A 30-person consultancy in the Mid-Atlantic whose recent RFP responses started asking detailed security questions alongside the standard business and reference questions. The partner handling RFP responses doesn't want each one to take three days of cybersecurity research. TACSOP's Customer Security Questionnaire Response Template provides the answers; the firm copies them into each RFP response.
The custom manufacturer responding to customer audits. A 40-person shop in the Midwest whose largest customers conduct annual security audits as part of supplier qualification. The shop's IT lead has been answering audit questions ad hoc; TACSOP provides the documented program the auditors actually want to see.
Are you in a state with a cybersecurity safe harbor statute?
Texas, Connecticut, Ohio, and Utah each offer liability protection to businesses that align with a recognized cybersecurity framework and document the alignment. TACSOP aligns with CIS Controls IG1 and produces the State Safe Harbor Self-Attestation that documents the protection trigger.
Two businesses we built this for
The Texas accounting firm using SB 2610. A CPA practice in North Texas operating under Texas SB 2610, which provides safe harbor protection for businesses aligned with recognized cybersecurity frameworks including CIS Controls. The firm needs the documented attestation that triggers the protection. TACSOP produces it.
The Ohio manufacturer using SB 220. A custom shop in central Ohio operating under Ohio SB 220, which offers an affirmative defense against tort actions arising from data breaches for businesses aligned with a recognized framework. The shop's general counsel reviews the kit's alignment, the owner signs the attestation, and the protection is documented before it's needed.
Are you preparing for an audit, a regulator visit, or a board review?
The question is what you can produce. A customer audit asks for documentation. A regulator visit asks for documentation. A board member's first cybersecurity question is also a question about documentation. TACSOP is what you produce.
Four businesses we built this for
The CPA firm preparing for an FTC Safeguards Rule review. An 8-person tax and accounting practice in North Texas, classified as a financial institution under the FTC Safeguards Rule because the firm prepares returns. The Safeguards Rule expects a written information security program with named coordinators, documented risk assessments, vendor management, and incident response procedures. The firm's CPA owner wants the documented program ready before any FTC review, customer audit, or AICPA peer review surfaces it as a gap. TACSOP provides the program; the firm customizes and adopts it.
The legal practice preparing for an ABA professional responsibility review. A 12-attorney firm whose state bar's ethics committee has started asking about technology competence under Model Rule 1.1 and vendor management under Formal Opinion 477R. The managing partner wants documented procedures the firm can point to. TACSOP provides them.
The custom manufacturer preparing for a customer audit. A 40-person shop in the Midwest whose top three customers each conduct an annual on-site supplier audit, with cybersecurity now a standing audit category. The operations leader knows the audits will keep coming and wants documented procedures rather than scrambling each year. TACSOP gives him the program; the audits become a presentation rather than a project.
The IT manager preparing for the board's cybersecurity question. An IT manager at a 75-person professional services firm who has been handed compliance as a side responsibility, alongside keeping the network running. The board's quarterly meeting has added cybersecurity as a recurring agenda item, and the CEO needs a briefing-quality answer. TACSOP gives the IT manager the written program the board wants to see.
The right size, the right operational fit.
TACSOP is built for businesses with roughly 5-99 employees. Inside that range, the kit serves multiple roles and operational structures.
Owner-operators
Owners of small professional practices and small businesses who handle compliance themselves alongside running the business. The implementation guide is written so an owner can self-pace through it without prior security background.
Office managers and operations leads
Non-technical professionals who have been handed compliance as a real responsibility. The guide assumes intelligence but not specialization; the procedures are step-by-step rather than abstract.
IT managers and IT generalists
Technical professionals at companies that haven't hired a dedicated security person yet. The IT manager is often the most natural implementer; the kit gives him a structured program rather than a pile of frameworks to translate.
Foxtrot 7 Tech clients
Existing clients receive TACSOP through Managed Compliance Services. The Foxtrot consultant is the implementation lead; the client's role is owner sponsorship and decision authority on policy approvals.
What you bring.
TACSOP works when four things are in place. None of them require technical skill; all of them require commitment.
Owner sponsorship
The owner has to be on board with the program even when they're not the one implementing. The kit's policies require owner approval; the program's operational changes require owner backing when they create friction with employees. Without sponsorship, the program doesn't happen.
An implementation lead
One named person responsible for working through the 90-day program. For an owner-operator, this is usually the owner. For a 20-99 employee company, it might be the office manager, operations lead, or IT generalist. For a Foxtrot client, the consultant. Without a named owner, the program drifts.
Time on the calendar
Four to eight hours per week for 90 days, calendar-flexible. Not a lunch break. Not a weekend project. A part-time job for three months, blocked on the calendar and protected from interruption.
Basic IT in place
Workstations, email, cloud applications functioning. Access to administrative credentials for primary systems. A current employee roster. TACSOP assumes a working business; it doesn't build IT from scratch.
If TACSOP isn't your fit.
Some businesses are better served by something other than TACSOP. Here's how to recognize the situations where the kit isn't the right answer, and where to look instead.
If you have technical confidence to build your own program
Some IT generalists at small companies have the time, framework fluency, and operational knowledge to assemble a security program from primary sources (CIS Controls v8.1, NIST CSF 2.0, AICPA's SOC 2 guidance). For someone with those resources and that interest, building your own documentation can be the better answer. TACSOP saves you the assembly work, but it doesn't save you anything you wouldn't want to save.
If your primary compliance driver is NIST 800-171 or CMMC
Defense contractors handling Controlled Unclassified Information need NIST 800-171 specifically, and CMMC certification when their contracts require it. ComplianceForge specializes in that documentation and is the right starting place. TACSOP can complement CMMC documentation if you also have cyber insurance, customer questionnaire, or state safe harbor needs, but it doesn't replace specialized contractor documentation.
If you handle protected health information and your primary need is HIPAA
The HIPAA Security Rule has framework-specific requirements TACSOP doesn't address. HIPAA-specialized documentation vendors like Compliancy Group and HIPAA One are the right starting place for the framework-specific work. TACSOP can complement HIPAA documentation for secondary compliance needs (cyber insurance, vendor security questionnaires) but doesn't replace the HIPAA-specific work.
If you need continuous evidence collection for SOC 2 Type 2
Once SOC 2 Type 2 attestation becomes a real customer requirement (typically at 20+ employees with enterprise prospects, or earlier in security-conscious verticals), you need a continuous monitoring platform like Vanta, Drata, or Sprinto. TACSOP serves the stage before that; the work you do with TACSOP carries forward to the platform.
If your business has more than 250 employees
TACSOP is sized for 5-99 employee businesses. Companies in the 100-249 range can use the kit with some accommodation; companies past 250 typically need either a vCISO consulting engagement, an enterprise compliance platform, or both. We're happy to refer you to options that fit your size if you ask.
Where to go from here.
Three reasonable next steps, depending on what this page settled for you.
Edge case? Hybrid practice, contractor work, multi-state operations, an OT environment? Tell us your situation.