Texas Small‑Business Tech Checklist – HIPAA, FERPA, PCI‑DSS, and CMMC Made Simple
- Christopher Nester
- Dec 3
- 6 min read
Why These Four Frameworks Matter
Even if you run a boutique coffee shop or a local consulting firm, you may still fall under one—or more—of the following regulations because of the data you handle:
| Regulation | Typical Texas‑business examples | Core “must‑do” focus |
| --- | --- | --- |
| HIPAA (Health Insurance Portability & Accountability Act) | Medical clinics, dental offices, physical‑therapy centers, health‑tech startups, tele‑health services. | Protect protected health information (PHI) with administrative, physical, and technical safeguards. |
| FERPA (Family Educational Rights and Privacy Act) | Private schools, tutoring centers, after‑school programs, education‑technology platforms that store student records. | Secure student education records and limit unauthorized disclosures. |
| PCI‑DSS (Payment Card Industry Data Security Standard) | Any business that accepts credit‑card payments—retail stores, restaurants, e‑commerce sites, subscription services. | Encrypt cardholder data, maintain a secure network, and regularly test security controls. |
| CMMC (Cybersecurity Maturity Model Certification) | Contractors and subcontractors working with the U.S. Department of Defense (DoD) or handling Controlled Unclassified Information (CUI). | Meet a maturity level (1‑5) of cybersecurity practices defined by the DoD. |
Missing any of these requirements can trigger hefty fines, loss of contracts, or even criminal liability. Below is a practical, step‑by‑step guide that tells you exactly what to know and what to do with your technology to stay compliant.
1. HIPAA – Protecting Patient Health Information
1.1 Know When HIPAA Applies
You are a covered entity (health‑care provider, health‑plan, or health‑care clearinghouse) or
You are a business associate (any vendor that creates, receives, transmits, or stores PHI on your behalf).
1.2 Core Technical Controls
| Control | What It Looks Like in Practice |
| --- | --- |
| Encryption (at rest & in transit) | Use TLS 1.2+ for email, web portals, and VPN connections; enable full‑disk encryption on laptops and mobile devices. |
| Access Controls | Role‑based permissions, unique user IDs, and strong passwords (≥12 characters) plus Multi‑Factor Authentication (MFA) for any remote access. |
| Audit Logging | Enable detailed logs for all systems that store PHI (EHR, file servers, email). Retain logs for at least 6 years. |
| Backup & Disaster Recovery | Perform encrypted backups daily, store them off‑site (or in a HIPAA‑compliant cloud), and test restores quarterly. |
| Secure Disposal | Use shredding or cryptographic wiping when decommissioning devices that held PHI. |
1.3 Administrative Steps
Risk Assessment: Conduct a formal HIPAA risk analysis at least annually. Document findings and remediation plans.
Policies & Training: Adopt a HIPAA Privacy and Security Policy; train all staff (including contractors) on handling PHI.
Business Associate Agreements (BAAs): Sign a BAA with every vendor that touches PHI (cloud storage, email, transcription services, etc.).
2. FERPA – Safeguarding Student Records
2.1 When FERPA Applies
You receive federal funding (directly or indirectly) and maintain education records for students.
You are a private K‑12 school that voluntarily complies with FERPA (many do to assure parents).
2.2 Technical Safeguards
| Control | Implementation Tips |
| --- | --- |
| Encryption | Secure any portal where grades, transcripts, or disciplinary records are accessed. Use HTTPS with HSTS and encrypt stored files. |
| Access Controls | Assign role‑based access (e.g., teachers vs. administrators). Require MFA for any remote login. |
| Logging | Log all accesses to student records; review logs weekly for unusual activity. |
| Secure File Sharing | Use encrypted file‑transfer services (e.g., Proton Drive) instead of unsecured email attachments. |
| Device Management | Enforce full‑disk encryption on school laptops/tablets; implement mobile device management (MDM) to remotely wipe lost devices. |
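Both the HIPAA "Audit Logging" row and the FERPA "Logging" row above say to log every access to a record and review the logs for unusual activity, without saying what "unusual" means in practice. The script below is an added example (not code from the original post or from TodoSecure) of what a weekly review can actually check: access outside business hours, one user touching an unusually large number of distinct records in a day, and a privileged action (export) performed by a non‑admin role. The log line format, the business hours window, the bulk threshold, and the role names are all assumptions for the example; the sample log lines are constructed, not from a real system.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format for this example: one record access per line. Map your own
# EHR or student-information-system export onto the same five fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+)$"
)

# Constructed sample data (not real users or students).
SAMPLE_LOG = """\
2024-03-04T09:02:11 user=jdoe role=teacher action=view record=student:1042
2024-03-04T09:05:40 user=jdoe role=teacher action=view record=student:1043
2024-03-04T09:07:02 user=jdoe role=teacher action=update record=student:1042
2024-03-04T23:10:55 user=jdoe role=teacher action=view record=student:2077
2024-03-04T13:00:01 user=msmith role=registrar action=view record=student:3001
2024-03-04T13:00:09 user=msmith role=registrar action=view record=student:3002
2024-03-04T13:00:15 user=msmith role=registrar action=view record=student:3003
2024-03-04T13:00:21 user=msmith role=registrar action=view record=student:3004
2024-03-04T13:00:30 user=msmith role=registrar action=view record=student:3005
2024-03-04T13:00:38 user=msmith role=registrar action=view record=student:3006
2024-03-04T14:15:00 user=tjones role=teacher action=export record=student:1050
"""

# Review thresholds. All are assumptions; tune them to your own environment.
BUSINESS_HOURS = (7, 19)        # 07:00 to 19:00 local; anything else is "after hours"
BULK_THRESHOLD = 5              # more distinct records than this per user per day is unusual
PRIVILEGED_ACTIONS = {"export"}  # actions only an admin role should perform
ADMIN_ROLES = {"admin"}


def parse_log(text: str) -> list[dict]:
    """Parse log lines into events; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def review_access_log(text: str,
                      business_hours: tuple[int, int] = BUSINESS_HOURS,
                      bulk_threshold: int = BULK_THRESHOLD) -> list[dict]:
    """Return a list of findings, one dict per rule hit, for a human reviewer."""
    findings = []
    distinct_records = defaultdict(set)   # (user, day) -> set of records touched
    start, end = business_hours

    for e in parse_log(text):
        when = e["ts"]
        # Rule 1: access outside the business-hours window.
        if not (start <= when.hour < end):
            findings.append({"rule": "after_hours", "user": e["user"],
                             "detail": f"{e['action']} {e['record']} at {when.isoformat()}"})
        # Rule 2: privileged action by a role that should not have it.
        if e["action"] in PRIVILEGED_ACTIONS and e["role"] not in ADMIN_ROLES:
            findings.append({"rule": "privileged_action", "user": e["user"],
                             "detail": f"{e['role']} performed {e['action']} on {e['record']}"})
        distinct_records[(e["user"], when.date())].add(e["record"])

    # Rule 3: one user touching many distinct records in a single day.
    for (user, day), records in distinct_records.items():
        if len(records) > bulk_threshold:
            findings.append({"rule": "bulk_access", "user": user,
                             "detail": f"{len(records)} distinct records on {day}"})
    return findings


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['user']}: {f['detail']}")
```

Run against the constructed sample the script reports three findings: jdoe's 23:10 view (after hours), tjones's export as a teacher (privileged action), and msmith touching six distinct records in one day (bulk access). The point of keeping rules and thresholds as named constants is that the weekly review then becomes a repeatable, documented procedure rather than an ad‑hoc scroll through the log, which is what an auditor will ask to see.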
2.3 Administrative Actions
FERPA Notice: Publish a clear notice describing parents’ and students’ rights to inspect and amend records.
Consent Management: Obtain written consent before disclosing personally identifiable information (PII) from education records, unless an exception applies.
Staff Training: Conduct annual FERPA awareness sessions for teachers, administrators, and support staff.
3. PCI‑DSS – Securing Credit‑Card Transactions
3.1 Determine Your PCI Scope
Identify cardholder data environment (CDE): any system that stores, processes, or transmits credit‑card numbers.
Reduce scope wherever possible (e.g., use tokenization or third‑party payment gateways that keep card data off your network).
3.2 Mandatory Technical Controls
| Requirement | Practical Implementation |
| --- | --- |
| Build & Maintain a Secure Network | Install a firewall, change default passwords, and segment the CDE from the rest of your network. |
| Protect Cardholder Data | Store only the last four digits of PAN; use AES‑256 encryption for any stored data; enforce TLS 1.2+ for transmission. |
| Vulnerability Management | Run quarterly vulnerability scans (external) and monthly internal scans; patch OS and applications within 30 days. |
| Access Control | Implement least‑privilege access, unique IDs, and MFA for all personnel with CDE access. |
| Monitoring & Testing | Enable real‑time intrusion detection/prevention (IDS/IPS); maintain logs for at least 1 year and review them daily. |
| Security Policies | Document an information‑security policy and incident‑response plan; train staff on secure card‑handling procedures. |
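Section 3.1 recommends tokenization to keep card data off your network, and the "Protect Cardholder Data" row says to store only the last four digits of the PAN. The following is an added example (not code from the original post or from TodoSecure) showing how those two ideas fit together: the merchant‑side record keeps a random token plus the masked PAN, while only a separate vault, standing in for the PCI‑validated provider, can map the token back to the full number. The `TokenVault` class, the `tok_` prefix, and the test card number are assumptions for the example; in a real SAQ A setup the hosted checkout page captures the PAN and your systems never see it at all.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Card-brand Luhn checksum; rejects obvious typos before anything is stored."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-style display form: everything hidden except the last four digits."""
    digits = "".join(c for c in pan if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Constructed stand-in for the token vault a payment provider operates.

    This is the only component that ever holds a full PAN, so it is the only
    component inside the cardholder data environment (CDE).
    """

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)   # keyed fingerprint secret, kept in the vault
        self._by_fingerprint: dict[str, str] = {}
        self._by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> dict:
        digits = "".join(c for c in pan if c.isdigit())
        if not luhn_valid(digits):
            raise ValueError("invalid PAN")
        # HMAC fingerprint lets a repeat card map to the same token without a plaintext lookup table.
        fingerprint = hmac.new(self._key, digits.encode(), hashlib.sha256).hexdigest()
        token = self._by_fingerprint.get(fingerprint)
        if token is None:
            token = "tok_" + secrets.token_hex(16)   # random; carries no information about the PAN
            self._by_fingerprint[fingerprint] = token
            self._by_token[token] = digits
        return {"token": token, "last4": digits[-4:], "masked": mask_pan(digits)}

    def detokenize(self, token: str) -> str:
        """Reversal is possible only here, inside the vault."""
        return self._by_token[token]


def record_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Merchant-side record: token and masked PAN only, so the merchant stays out of PCI scope."""
    t = vault.tokenize(pan)
    return {
        "token": t["token"],
        "last4": t["last4"],
        "masked_pan": t["masked"],
        "amount_cents": amount_cents,
    }


if __name__ == "__main__":
    vault = TokenVault()
    # 4111 1111 1111 1111 is a standard test number, not a real card.
    sale = record_sale(vault, "4111 1111 1111 1111", 1999)
    print(sale)                               # no full PAN anywhere in this record
    print(vault.detokenize(sale["token"]))    # only the vault can recover it
```

The useful property to check in your own setup is the one the test exercises: nothing you persist on the merchant side contains the full PAN, and a repeat purchase with the same card yields the same token so you can still do refunds and customer matching without ever storing the number yourself.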
3.3 Validation Options
SAQ A – If you outsource all payment processing to a PCI‑validated provider (e.g., Stripe, Square) and never touch card data.
SAQ D – If you host your own e‑commerce platform and store card data.
Tip: Most small Texas retailers qualify for SAQ A by using a hosted checkout page, dramatically simplifying compliance.
4. CMMC – Meeting DoD Cybersecurity Requirements
4.1 Who Needs CMMC?
Any defense contractor or subcontractor that handles Controlled Unclassified Information (CUI) for the Department of Defense.
4.2 Choosing a Maturity Level
Level 1 – Basic “Foundational” cyber hygiene (mostly for low‑risk, non‑CUI work).
Level 2 – Intermediate (acts as a transition to higher levels).
Levels 3‑5 – Advanced to “Expert” (required for high‑value CUI).
Most small Texas firms start at Level 2 or Level 3.
4.3 Core Practices (Common Across Levels)
| Domain | Example Controls |
| --- | --- |
| Access Control (AC) | MFA, least‑privilege, session timeout. |
| Awareness & Training (AT) | Quarterly security awareness, phishing simulations. |
| Audit & Accountability (AU) | Centralized logging, log retention ≥ 90 days, regular review. |
| Configuration Management (CM) | Hardened baseline images, change‑control process. |
| Identification & Authentication (IA) | Strong passwords, password vaults, hardware tokens. |
| Incident Response (IR) | Formal IR plan, designated response team, post‑incident lessons learned. |
| Maintenance (MA) | Remote maintenance secured via VPN and MFA. |
| Media Protection (MP) | Encrypted removable media, controlled disposal. |
| Physical Protection (PE) | Locked server rooms, visitor logs. |
| Personnel Security (PS) | Background checks for personnel with CUI access. |
| Risk Management (RM) | Annual risk assessments aligned with NIST SP 800‑171. |
| System & Communications Protection (SC) | End‑to‑end encryption, segmented networks. |
| System & Information Integrity (SI) | Anti‑malware, patch management, integrity checks. |
4.4 Getting Certified
Self‑Assess against the chosen CMMC level using the official model.
Remediate Gaps (most gaps involve MFA, encryption, and documentation).
Engage a CMMC Third‑Party Assessor Organization (C3PAO) for an official audit.
Tip for Texas SMEs: Partner with an MSP that already holds a CMMC certification. They can extend their compliant environment to your organization, reducing the cost and effort of a standalone audit.
5. Putting It All Together – A Unified Tech‑Compliance Roadmap
| Phase | Action Items (All Regulations) |
| --- | --- |
| 1️⃣ Discover & Classify | Run an automated asset inventory. Tag each system as PHI, Student Data, Cardholder Data, CUI, or None. |
| 2️⃣ Harden the Foundation | Deploy firewalls, enable MFA, encrypt disks, and enforce strong password policies across every device. |
| 3️⃣ Segment & Isolate | Create network zones: HIPAA zone, PCI zone, CUI zone. Use VLANs or separate subnets to prevent cross‑contamination. |
| 4️⃣ Implement Specific Controls | • HIPAA – BAAs, audit logs, secure email.<br>• FERPA – role‑based access, encrypted portals.<br>• PCI – tokenization, quarterly scans.<br>• CMMC – documentation, incident‑response playbook. |
| 5️⃣ Document & Train | Write concise policies for each regulation. Conduct quarterly staff trainings (phishing, data‑handling, incident reporting). |
| 6️⃣ Continuous Monitoring | Enable a 24/7 SOC or managed detection service. Receive alerts for any unauthorized access to PHI, student records, or card data. |
| 7️⃣ Test & Audit | Perform quarterly mock breach drills, annual risk assessments, and internal audits against each framework’s checklist. |
| 8️⃣ Review Contracts | Ensure every vendor you work with signs the appropriate BAA, PCI‑DSS Attestation, or CMMC‑aligned subcontractor agreement. |
6. How TodoSecure Can Be Your Compliance Co‑Pilot
| Service | How It Aligns With the Four Frameworks |
| --- | --- |
| Managed Security Operations Center (SOC) | 24/7 monitoring, log aggregation, and incident response for HIPAA, PCI, FERPA, and CMMC environments. |
| Secure Cloud Migration | Moves email, file storage, and backup to Proton‑encrypted services, automatically generating BAAs for HIPAA and PCI. |
| Network Segmentation & Firewall Management | Designs VLANs that isolate PHI, CUI, and cardholder data, satisfying both PCI scope reduction and CMMC segmentation requirements. |
| Patch‑Management & Vulnerability Scanning | Automated OS/application patching and quarterly external scans—critical for PCI‑DSS and CMMC Level 2+. |
| Policy & Training Suite | Customizable HIPAA, FERPA, PCI, and CMMC policy templates plus quarterly staff training modules. |
| Compliance Audits & Documentation | Generates audit‑ready reports (risk assessments, log retention, BAA inventories) that you can hand to regulators or auditors. |
| CMMC Readiness Program | Provides pre‑assessment, gap remediation, and connects you with a vetted C3PAO for final certification. |
Result: You focus on growing your business while TodoSecure keeps your technology compliant, secure, and audit‑ready.
7. Quick‑Start Checklist for Texas Small Businesses
Identify which regulations apply (HIPAA, FERPA, PCI, CMMC).
Inventory all devices, apps, and data flows.
Enable MFA everywhere (email, VPN, cloud apps).
Encrypt data at rest and in transit.
Sign BAAs / PCI contracts / CMMC clauses with every vendor.
Deploy a firewall and segment networks by data type.
Schedule quarterly vulnerability scans and monthly patch cycles.
Document policies and run staff training within 30 days.
Set up automated backups and test restores quarterly.
Partner with an MSP (like TodoSecure) for continuous monitoring and compliance reporting.
Closing Thought
Compliance isn’t a one‑time project; it’s an ongoing discipline that protects your reputation, your customers, and your bottom line. By mastering the technology fundamentals—encryption, access control, monitoring, and documentation—you’ll meet HIPAA, FERPA, PCI‑DSS, and CMMC requirements without sacrificing agility.
Need a hand getting started? Contact TodoSecure today for a free compliance health check and let us turn your tech stack into a certified, secure foundation for growth.