Focus — by Red Hound Information Security

Are you required to follow a cybersecurity framework?

Most small and mid-sized businesses don't know — until a customer, regulator, or insurer asks. Focus helps you find out for free, then helps you get there.

Start free at focus.redhound.us
The wake-up

You might already be on the hook.

Plenty of small businesses assume cybersecurity rules are only for banks and hospitals. They aren't. Run through this list — if even one line sounds like you, a framework already applies to your business.

  • You take credit-card payments. PCI DSS applies to you even if Stripe or Square handles the card data; outsourcing shrinks your scope (often down to the short SAQ A questionnaire), it does not remove it.
  • You handle patient health information. The HIPAA Security Rule applies directly whether you are a covered entity or a business associate; since the 2013 Omnibus Rule, business associates are directly liable for it.
  • You sell to (or want to sell to) enterprise customers. A SOC 2 report is the de facto entry ticket; without one, procurement usually stalls.
  • You hold personal info on residents of California, New York, Texas, or any other US state. Every state has a breach-notification law, and many (including those three) also require "reasonable security" measures, even if you don't sell direct-to-consumer.
  • You sell to, or subcontract for, the US Department of Defense. NIST SP 800-171 is the required control set for contractors handling Controlled Unclassified Information (CUI); CMMC is the program that verifies you actually meet it.
  • You are a financial institution under the FTC's broad definition. That includes CPAs, tax preparers, mortgage brokers, and auto dealers extending credit. The GLBA Safeguards Rule (16 CFR Part 314) applies.

If even one of these sounds like you, this page is for you.

In plain English

What's a cybersecurity framework, really?

A cybersecurity framework is a published list of controls — things you have to do, configure, or document — that prove your business is managing cyber risk responsibly. Examples of controls: "require multi-factor authentication on email," "keep system logs for at least 90 days," "have a written incident response plan." A framework is just a curated, vetted set of those controls, organized around a particular use case.

Frameworks exist because customers, regulators, and insurers needed a common yardstick. Picking the right one is half the battle. The wrong framework wastes months of effort on controls that don't apply to your business. The right one focuses your effort on what actually matters for your industry, your data, and your customers.

The usual suspects

The frameworks SMBs run into most.

A quick tour. Each card tells you when it applies and why it matters. Focus does the matching for you — this list is just so the names stop feeling like alphabet soup.

NIST CSF 2.0

Use it if: you want a general-purpose, voluntary framework for managing cyber risk across the business.

Why it matters: Maintained by NIST, a US federal agency, and recognized by insurers and customers worldwide. A safe default when nothing else is mandated, and the yardstick most other frameworks can be mapped to.

SOC 2

Use it if: you sell software, data, or services to enterprise customers.

Why it matters: A SOC 2 report is what your enterprise prospects ask for during procurement. Without one, deals stall.

HIPAA Security Rule

Use it if: you create, receive, store, or transmit protected health information (PHI).

Why it matters: Federal regulation (45 CFR Part 164, Subpart C), enforced by the HHS Office for Civil Rights. Applies to healthcare providers, health plans, clearinghouses, and any business associate that touches PHI.

PCI DSS

Use it if: you accept, process, store, or transmit credit-card data — even through a third party.

Why it matters: Mandated contractually by the card brands (Visa, Mastercard, etc.) through your acquiring bank or processor. Non-compliance fines and processor termination are real.

GLBA Safeguards Rule

Use it if: you are a financial institution under the FTC's broad definition (includes CPAs, tax prep, mortgage brokers, auto dealers extending credit).

Why it matters: FTC enforces it. The amended rule, in force since June 2023, added concrete technical requirements such as multi-factor authentication, encryption of customer data in transit and at rest, and a written risk assessment; a 2024 amendment added mandatory FTC notification within 30 days for breaches affecting 500 or more consumers.

CMMC / NIST 800-171

Use it if: you sell to, or subcontract for, the US Department of Defense.

Why it matters: CMMC certification is being phased into DoD contracts as a condition of award. NIST SP 800-171 is the underlying control set; CMMC adds the required self-assessment or third-party assessment that proves you meet it.

Where Focus comes in

Focus tells you which one applies — then walks you through it.

The hard part isn't doing the work. The hard part is figuring out which framework actually applies to your business — and then translating its dense, lawyer-written controls into things you can actually do. Most SMBs guess, then drown in spreadsheets, vendor questionnaires, and conflicting advice from three different consultants.

Focus asks you a handful of plain-English questions about your business — your industry, your customers, your data, where you operate — and recommends the right framework or frameworks, with citations to the actual regulation or standard. From there, Focus walks you through a control-by-control assessment in plain language, surfaces your gaps, and tracks your remediation over time.

It's the AI-powered security-program assistant we wish every SMB had.

How it works

Three steps from "no clue" to "we're on top of it."

Step 1

Answer a few questions.

Focus asks about your industry, customers, data, and geography. It then recommends the right framework — or frameworks — with citations to the actual rule that applies. Free, no card required.

Step 2

Walk the assessment.

Per-control questions in plain language — no jargon, no auditor-speak. You get a posture grade and a prioritized list of gaps to close, organized by what moves the needle most.

Step 3

Track remediation over time.

Mark fixes as you make them. Re-assess whenever something changes. Focus keeps a running history of your posture, so when a customer or insurer asks, you have proof you can hand them.

FAQ

Common questions.

Do I really need a framework?

If you have customers, employees, or data, you almost certainly have at least one regulator, contract, or insurer asking. "We don't follow a framework" is what businesses say right before they fail a security questionnaire or renew their cyber insurance at a much higher premium. Focus tells you which framework you're already on the hook for.

Will Focus replace my auditor?

No. Focus prepares you for an audit and tracks your work, but an external assessor still produces the attestation: a SOC 2 report from a licensed CPA firm, a PCI DSS Report on Compliance from a QSA, a CMMC Level 2 certification from a C3PAO, and so on. (HIPAA is the exception: it requires a documented risk analysis, which you can perform yourself, rather than a third-party audit.) What Focus does is shorten the path to "audit-ready", so when the assessor shows up, you aren't scrambling.

What if I'm not in a regulated industry?

You probably still are, just indirectly. Cyber insurance underwriters, enterprise customer due-diligence questionnaires, and your bank's vendor management process all reference frameworks. The cost of not having one usually shows up at insurance renewal or when a big customer wants a SOC 2 report.

What does the free tier include?

Unlimited framework recommendations, a full control assessment, and a posture grade with a category radar and your top risks — enough to know where you stand and what to fix first. No credit card, no sales call. Create an account and start in minutes.

Find out where you stand. It only takes a few questions.

Free to start. No card. No sales call required.

Start free at focus.redhound.us
Questions? Book a 30-min call