Cybersecurity, Compliance & Managed IT — Built for Industry

TRNSFRM is a US-based cybersecurity, governance, and managed IT firm headquartered in Cleveland and Columbus, Ohio, serving manufacturers, construction firms, automotive dealerships, and healthcare organizations nationwide. Founded in 2008 by Jeff Dennis, we hold 176+ five-star Google reviews from clients who rely on us for compliance, uptime, and protection.

What we do

Industries we serve

Manufacturing (CMMC, ITAR, NIST), Construction (jobsite connectivity, bid protection), Automotive Dealers (FTC Safeguards, DMS security), and Healthcare (HIPAA, PHI protection).

The IT Resilience Framework™

Our proprietary 3-step process — Assess, Build, Transform — moves clients from reactive IT to a measurable, audit-ready security posture.

Locations

Offices in Cleveland, Ohio and Columbus, Ohio; clients across the United States.

Get started

Book a 30-minute discovery call, take our 47-point cyber assessment, or contact us at info@trnsfrm.tech.

    Free · 10 minutes · Instant results

    The 47-Point Compliance Readiness Checklist

    The same diagnostic our team runs in the first 30 minutes of every engagement. Score yourself across CMMC, NIST 800-171, FTC Safeguards, ISO 27001, and HIPAA — and see exactly where you stand before your next audit or contract bid.

    01

    Governance & Ownership

    Governance failures cascade. If no one owns cybersecurity and policies aren't documented, every other control is unreliable.

    1/6

    We have a written Information Security Policy reviewed and approved within the last 12 months.

    Who approved it? Is it version-controlled? Date visible?

    All Frameworks
    2/6

    A named individual owns cybersecurity — vCISO, CISO, or designated officer — with documented authority.

    Is this in writing? Do they have budget authority and board access?

    NIST, CMMC
    3/6

    Leadership reviews cyber risk at least quarterly — with documented meeting minutes or a risk register update.

    Are these minutes archived? Does the agenda include security metrics?

    ISO 27001
    4/6

    We maintain a current asset inventory of all hardware, software, and cloud services — updated within 90 days.

    Does it include end-of-life status, data classification, and owner?

    NIST, CMMC
    5/6

    We have a documented data classification scheme — at minimum Public / Internal / CUI / PII — applied consistently.

    Do employees know where CUI lives? Is it labeled in SharePoint and email?

    CMMC, HIPAA
    6/6

    Third-party and vendor risk is formally assessed before granting system access — with a risk rating and approval on file.

    Do you have a vendor questionnaire? Who approves exceptions?

    ISO 27001, NIST
    02

    Identity & Access

    Over 80% of breaches involve compromised credentials. Identity is the new perimeter — the first thing a CMMC or cyber insurance assessor probes.

    A 'No' on MFA may void your cyber insurance coverage for credential-based attacks. Most policies now require MFA as a minimum condition.
    1/6

    MFA is enforced on email, VPN, and all administrator accounts — no exceptions for seniority.

    Is it enforced via Conditional Access or policy — not just enabled?

    All Frameworks
    2/6

    Privileged accounts are separate from daily-use accounts — admins use a dedicated account for elevated tasks.

    Is IT browsing the web or reading email as a Domain Admin?

    NIST, CMMC
    3/6

    Access rights are reviewed and recertified at least every 90 days — with approvals documented.

    Do departed employees' accounts still exist? Do users have excess permissions?

    NIST, ISO 27001
    4/6

    Offboarding revokes all access within 24 hours of termination — including M365, VPN, SaaS apps, and shared accounts.

    Is there a documented offboarding checklist with sign-off?

    NIST, CMMC
    5/6

    Service accounts have rotating credentials stored in a privileged access vault — not in spreadsheets or shared notes.

    When did you last rotate the service account for your backup software?

    NIST, CMMC
    6/6

    Password policy meets NIST 800-63B — minimum 12 characters, no forced rotation, breached-password screening active.

    Are you still forcing 90-day rotations? That's outdated and creates risk.

    NIST 800-63B
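    An added example (not TRNSFRM's code, and not a tool the page names) of what an 800-63B-aligned acceptance check looks like in practice for this item: a length floor of 12 (the checklist's figure), no composition rule, no expiry, and screening against known-breached passwords. The breach lookup is modelled on a k-anonymity range query (only the first five hex characters of the SHA-1 leave the client), but the "service" here is a constructed in-memory dictionary, so it runs offline.

```python
"""Password acceptance check aligned with the checklist's NIST SP 800-63B item.

Added example. Assumptions: MIN_LENGTH of 12 comes from the checklist;
FAKE_RANGE_SERVICE is a constructed stand-in for a breached-password range
endpoint (prefix -> set of SHA-1 suffixes), not a real API.
"""
import hashlib
import unicodedata

MIN_LENGTH = 12
MAX_LENGTH = 64  # 800-63B requires verifiers to accept at least 64 characters

# Constructed breach corpus: a few passwords that are long enough to pass the
# length floor but would be rejected by screening.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Password12345", "Welcome2024!!", "Summer2023Summer")
}
FAKE_RANGE_SERVICE: dict[str, set[str]] = {}
for _h in _BREACHED_SHA1:
    FAKE_RANGE_SERVICE.setdefault(_h[:5], set()).add(_h[5:])


def is_breached(password: str, range_lookup=None) -> bool:
    """k-anonymity style check: look up the 5-char SHA-1 prefix, compare suffixes locally."""
    lookup = FAKE_RANGE_SERVICE if range_lookup is None else range_lookup
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in lookup.get(prefix, set())


def check_password(candidate: str, context_words=()) -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    # 800-63B: normalize Unicode before length checks and hashing so the same
    # visible string is treated consistently across clients.
    pw = unicodedata.normalize("NFKC", candidate)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = pw.lower()
    for word in context_words:  # e.g. username, company name, product name
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific word '{word}'")
    if is_breached(pw):
        reasons.append("found in breached-password corpus")
    # Deliberately absent: uppercase/digit/symbol composition rules and an
    # expiry date. 800-63B recommends against both; the checklist says the same.
    return reasons


if __name__ == "__main__":
    for sample in ("short", "Password12345", "correct horse battery staple"):
        print(repr(sample), "->", check_password(sample) or "accepted")
```

    The rotation question on this item is answered by what the code does not contain: there is no "last changed" timestamp and no path that forces a reset on a schedule. Resets happen only when screening or an incident indicates compromise.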
    03

    Endpoint, Network & Data Protection

    Ransomware actors don't break in — they walk in through unpatched endpoints and misconfigured networks. Every 'No' here is an open door.

    1/7

    Every endpoint runs an EDR/MDR agent with active threat hunting — not legacy antivirus.

    Does it cover servers, not just desktops? Are alerts being actioned?

    CMMC, NIST
    2/7

    Disk encryption is enforced on all laptops and mobile devices — with keys managed and escrowed.

    Is BitLocker/FileVault enforced via policy or just enabled on one device?

    HIPAA, FTC, CMMC
    3/7

    Firewalls and switches have non-default credentials, and all configuration changes are logged and reviewed.

    When did you last audit firewall rules? Any 'permit any/any' rules?

    NIST, CMMC
    4/7

    Guest Wi-Fi is fully segregated from corporate and OT networks — confirmed by technical segmentation, not just SSID separation.

    Can a guest device reach any internal resource? Can OT devices reach the internet?

    NIST, CMMC
    5/7

    Backups follow 3-2-1 — at least one immutable or air-gapped copy — and are stored off-site or in a separate cloud tenant.

    Can ransomware on your network reach and encrypt your backup system?

    All Frameworks
    6/7

    Backups are test-restored at least quarterly — with a documented restoration log, not just a completion notification.

    When did you last actually restore a file or server from backup?

    ISO 27001, NIST
    7/7

    Email has DMARC enforced at p=quarantine or p=reject — plus DKIM signing and an SPF record with a hard fail.

    Run your domain through dmarcian.com or MXToolbox — surprises are common.

    FTC, CMMC
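    The checks the online tools named above perform on the SPF and DMARC records, as an added example (not TRNSFRM's code and not what dmarcian or MXToolbox actually run). It assumes the TXT records for the domain and for _dmarc.<domain> have already been fetched and are passed in as strings, so the sample records below are constructed. DKIM is not evaluated here because it requires per-selector lookups that the record alone does not reveal.

```python
"""Evaluate SPF and DMARC TXT records against the checklist criteria:
DMARC policy p=quarantine or p=reject, and an SPF record ending in a hard fail (-all).

Added example. Assumptions: records are passed in as already-fetched strings;
the sample values in __main__ are constructed, not any real domain's records.
"""
import re


def parse_dmarc(record: str) -> dict[str, str]:
    """Parse 'v=DMARC1; p=reject; rua=mailto:...' into a tag dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list[str]:
    """Return the ways a DMARC record falls short of enforcement; empty means enforced."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("record does not start with v=DMARC1")
        return findings
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"policy p={policy or 'missing'} does not quarantine or reject")
    # pct defaults to 100; a lower value applies the policy to only a sample of failing mail.
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']} applies the policy to only part of failing mail")
    # Stricter than the checklist wording: an explicit sp=none leaves subdomains open.
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none leaves subdomains unenforced")
    return findings


def spf_hard_fail(record: str) -> bool:
    """True only if the SPF record's terminating 'all' mechanism is the hard fail '-all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False
    for term in terms[1:]:
        # 'all' ends evaluation; per RFC 7208 anything after it is ignored.
        if re.fullmatch(r"[+\-~?]?all", term, re.IGNORECASE):
            return term.startswith("-")
        if term.lower().startswith("redirect="):
            return False  # policy lives in another record; unverified without fetching it
    return False  # no 'all' term means an implicit neutral result, not a hard fail


def assess(spf_record: str, dmarc_record: str) -> dict:
    return {
        "spf_hard_fail": spf_hard_fail(spf_record),
        "dmarc_enforced": not dmarc_findings(dmarc_record),
        "dmarc_findings": dmarc_findings(dmarc_record),
    }


if __name__ == "__main__":
    # Constructed sample records, not fetched from any real domain.
    weak = assess("v=spf1 include:_spf.example.net ~all", "v=DMARC1; p=none; rua=mailto:dmarc@example.com")
    strong = assess("v=spf1 include:_spf.example.net -all", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
    print("weak:  ", weak)
    print("strong:", strong)
```

    The two most common surprises this catches are a DMARC record left at p=none after a monitoring rollout was never finished, and an SPF record that ends in ~all (soft fail), which most receivers treat as little more than a hint.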
    04

    Detection, Response & Continuity

    It's not if — it's when. Organizations with documented, tested response plans recover 3× faster and face 40% lower breach costs.

    1/6

    Security logs from endpoints, identity providers, and network devices are centralized and retained for 90+ days.

    Can you query who logged in from where last Tuesday at 2am?

    CMMC, NIST
    2/6

    We have 24/7 SOC monitoring — in-house or via a managed detection and response (MDR) provider with documented SLAs.

    What is the SLA for alert triage? Who gets paged at 2am on a Sunday?

    CMMC, ISO 27001
    3/6

    An Incident Response Plan exists — in writing — and was tabletop-tested with results documented in the last 12 months.

    Does your IR plan include ransomware and business email compromise scenarios?

    All Frameworks
    4/6

    Roles, escalation paths, and breach notification timelines are explicitly documented and current.

    Does your team know the notification deadline for your state and HIPAA/FTC?

    HIPAA, FTC, NIST
    5/6

    A Business Continuity / Disaster Recovery plan defines RTO and RPO for each critical system — and has been tested.

    What's your RTO for your ERP? For email? Do leaders know these numbers?

    ISO 27001, NIST
    6/6

    Cyber insurance is active and we've verified what it actually covers — including ransomware, BEC, and social engineering.

    Read the exclusions. Many policies exclude nation-state attacks and 'inadequate controls.'

    Risk Mgmt
    05

    Compliance Framework Alignment

    Doing the work isn't enough if you can't prove it. Formal frameworks require documented evidence — not just controls in place.

    CMMC 2.0 enforcement is live. DoD contracts require certification — not self-attestation — for any work involving CUI. Companies that self-attested incorrectly face False Claims Act liability.
    1/7

    We know exactly which compliance framework(s) our contracts and regulators require — documented in writing.

    Have you read the actual contract clauses? DFARS 252.204-7012 is the trigger for CMMC.

    All Frameworks
    2/7

    (CMMC) We have a current SPRS score submitted and a System Security Plan (SSP) covering all systems that touch CUI.

    Is your SPRS score realistic? Inflated scores attract DoD scrutiny and FCA exposure.

    CMMC 2.0
    3/7

    (NIST 800-171) A Plan of Action & Milestones (POA&M) tracks every unmet control with an owner, milestone, and target date.

    Is the POA&M a living document — or a spreadsheet from two years ago?

    NIST 800-171
    4/7

    (FTC Safeguards) A Qualified Individual is named, and a written information security program is in place and documented.

    Applies to auto dealers, mortgage companies, financial advisors with 5,000+ customer records.

    FTC Safeguards
    5/7

    (HIPAA) Business Associate Agreements (BAAs) are in place with every vendor that creates, receives, or transmits PHI.

    Does your IT provider, MSP, or cloud storage vendor have a signed BAA on file?

    HIPAA
    6/7

    (ISO 27001) A Statement of Applicability (SoA) is current, approved by management, and reflects the implemented controls.

    Was the SoA updated after the last risk assessment?

    ISO 27001
    7/7

    We perform an annual third-party security assessment — not a self-attestation — with findings documented and remediated.

    Penetration test, vulnerability assessment, or C3PAO assessment for CMMC L2.

    All Frameworks
    06

    People & Culture

    Your weakest security control is the human one. Phishing is the #1 initial attack vector. Regulators don't accept 'the employee didn't know' as a defense.

    1/5

    All staff complete annual security awareness training with simulated phishing — with completion rates tracked and reported.

    Do you have completion certificates? What's your click rate on phishing simulations?

    All Frameworks
    2/5

    Developers and engineers receive role-based training — secure coding, OT/ICS security, or relevant technical training annually.

    Generic awareness training is not sufficient for technical staff under CMMC.

    CMMC, NIST
    3/5

    New hires complete security onboarding before system access is granted — before their first day on the systems, not during their first week.

    Is security awareness part of the hire packet or a 60-day afterthought?

    NIST, ISO 27001
    4/5

    Acceptable Use and Remote Work policies are signed by all employees annually — with signed copies on file.

    Do contractors sign these too? Has the remote work policy been updated since COVID?

    ISO 27001, FTC
    5/5

    A clear, no-blame channel exists for reporting suspicious activity — and employees actually use it.

    Has anyone used it in the past 6 months? Silence isn't safety — it's fear of blame.

    ISO 27001, NIST
    07

    Cloud, SaaS & AI

    Most organizations have 10× the cloud footprint they think they do. Shadow IT and unmanaged AI tools are the fastest-growing attack surface.

    New in 2025: CMMC Level 2 assessors are now asking whether CUI could be exposed through AI tools like Copilot or ChatGPT. Absence of an AI Acceptable Use Policy is treated as a control gap.
    1/6

    M365 or Google Workspace tenant has a hardened baseline — CIS Benchmark or equivalent — with settings validated, not assumed.

    Run Microsoft Secure Score or a Maester audit. Default M365 settings are not secure.

    CMMC, NIST
    2/6

    Conditional Access or risk-based policies block legacy authentication protocols and flag risky sign-ins automatically.

    Is legacy auth blocked? Basic Auth was the source of 99% of password spray attacks.

    CMMC, NIST
    3/6

    Shadow-IT SaaS apps are actively discovered and inventoried at least quarterly — with unapproved apps blocked or documented.

    Do you know about every app your employees have OAuth'd into with their corporate account?

    ISO 27001, NIST
    4/6

    Customer and regulated data in cloud applications is covered by active DLP rules — with alerts reviewed and actioned.

    Can an employee email a spreadsheet of SSNs to a personal Gmail without any alert?

    HIPAA, FTC, NIST
    5/6

    An AI Acceptable Use Policy governs the use of ChatGPT, Copilot, Gemini, and similar tools — employees have signed it.

    Do employees know they cannot paste CUI or customer data into any public LLM?

    CMMC, Emerging
    6/6

    Sensitive and regulated data is technically masked or blocked from reaching public AI models — not just governed by policy.

    Policy is necessary but not sufficient. Technical controls must enforce the policy.

    CMMC, HIPAA
    08

    Physical & Supply Chain

    Physical breaches and supply chain compromises are underreported and underestimated — especially in manufacturing, construction, and healthcare.

    1/4

    Physical access to server rooms, network closets, and workstations is restricted, logged, and reviewed.

    Is the server room locked? Who has a key? When was the key list last audited?

    CMMC, ISO 27001
    2/4

    Hardware and software sourced from vendors is screened for supply chain risk — with preferred vendor lists documented.

    Do you have Huawei or ZTE equipment on government-connected networks?

    CMMC, NIST
    3/4

    Removable media (USB drives, external HDDs) is controlled — either blocked by policy and technical controls or tracked and approved.

    Can an employee plug in any USB drive on a computer that handles CUI?

    CMMC, NIST
    4/4

    Media containing sensitive data is sanitized or destroyed per NIST 800-88 before disposal, reuse, or decommission.

    Do you have a certificate of destruction from your hardware recycler?

    CMMC, HIPAA
