
Private Cloud for Regulated Business: CMMC, HIPAA, and the Compliance Trap of Commodity Cloud

Posted: December 31, 1969 to Compliance.


Compliance officer reviewing printed policy documents next to a laptop showing a secure dashboard, warm natural office light.

Most regulated businesses we meet believe they already solved the hard part of compliance. They signed up for AWS GovCloud, or Microsoft 365 GCC High, or a HIPAA "capable" SaaS, and they assume the cloud provider handles the rules. They are halfway right, which is the most dangerous place to be in a compliance audit.

Petronella Technology Group has spent more than two decades helping regulated businesses in Raleigh, across North Carolina, and nationally pass real audits instead of checkbox audits. Our team carries CMMC-AB Registered Provider Organization status, RPO #1449, verifiable directly on the CyberAB member registry at https://cyberab.org/Member/RPO-1449-Petronella-Cybersecurity-And-Digital-Forensics. Our practitioners hold the CMMC-Registered Practitioner credential. Our founder Craig Petronella holds Digital Forensics Examiner #604180, along with CCNA and CWNE networking certifications earned over his career.

The purpose of this guide is narrow and practical. We want to answer one question for compliance officers, CIOs, and practice managers at mid-market regulated firms. When does a big-tech cloud actually meet your compliance obligations, and when is a private cloud, built on owned or colocated infrastructure and operated by your staff or a partner, the simpler, cheaper, and more defensible choice?

If you want to talk through your specific situation with our team, call (919) 348-4912 or reach us through /contact-us/. Otherwise, keep reading.

The Compliance Trap of Commodity Cloud

Compliance failures at regulated firms rarely come from a clever zero-day attack. They come from misunderstanding the shared responsibility model of the commodity cloud.

Here is the pattern we see on almost every assessment.

A defense contractor, a medical practice, a registered investment advisor, or a law firm signs a contract with a large cloud provider. The sales deck says FedRAMP Moderate. It says HIPAA eligible. It says SOC 2 Type 2. The customer signs a business associate agreement or a CUI addendum, drops their data in, and feels protected.

Six months later the auditor shows up and asks four questions.

Where exactly is your regulated data? Who exactly has access to it, including cloud-provider staff? How do you prove that the cloud controls you rely on are actually operating the way the attestation claims? And where, in writing, is the division of responsibility between you and the cloud provider for every control you claim compliance against?

The answers are almost never clean. FedRAMP Moderate includes approximately 325 controls that the cloud provider is responsible for, but there are dozens more controls the customer has to implement inside the tenant. Per FedRAMP, subscribing to an authorized service does not make the customer compliant. The customer still owns identity, endpoint, configuration, logging, and incident response inside their own tenant. That is the shared responsibility model, and it is where most audit findings live.

Even temporarily storing a CUI document in a commercial cloud service creates a compliance violation. Standard Microsoft 365 Commercial, standard Google Workspace, and standard Dropbox cannot be used for CUI processing, storage, or transmission under current Department of Defense guidance on CMMC. Many firms do not know this, and many more firms have CUI in those services today because someone emailed an attachment last Tuesday.

The compliance trap is not that commodity cloud is insecure. Large cloud providers employ some of the best security engineers in the world. The trap is that buying the service does not buy the compliance, and closing the gap inside the tenant is harder, more expensive, and less auditable than most leadership teams expect.

What the Rules Actually Say

Before we talk about private cloud design, we need to anchor on what the regulations actually require. We will stay strictly inside the published government documents and avoid the marketing version of the rules.

CMMC Level 2 and Level 3, Rooted in NIST

The Cybersecurity Maturity Model Certification program applies to defense contractors and subcontractors that handle federal contract information and controlled unclassified information. Per the Department of Defense CMMC Program Rule, Phase 2 enforcement begins November 10, 2026, and many Department of Defense contracts after that date will require a valid CMMC certification before award.

CMMC Level 2 is built on NIST Special Publication 800-171 Revision 3, published by the National Institute of Standards and Technology in May 2024. The publication is available at https://csrc.nist.gov/pubs/sp/800/171/r3/final. It defines 17 control families that a nonfederal organization must implement in order to protect controlled unclassified information. The families are Access Control, Awareness and Training, Audit and Accountability, Assessment Authorization and Monitoring, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Physical and Environmental Protection, Planning, Personnel Security, Risk Assessment, System and Services Acquisition, System and Communications Protection, System and Information Integrity, and Supply Chain Risk Management.

CMMC Level 3 layers on top of Level 2. It pulls in a selected subset of the enhanced security requirements from NIST SP 800-172, which is available at https://csrc.nist.gov/pubs/sp/800/172/final. SP 800-172 is explicitly targeted at advanced persistent threat actors associated with nation-state adversaries. The controls at Level 3 assume your environment is already worth the effort of a patient, funded intruder. Level 3 requires a certification assessment by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center.

Where does cloud fit inside this? Under the Department of Defense December 2023 memo on FedRAMP equivalency, any cloud service provider that processes, stores, or transmits CUI for a defense contractor must meet FedRAMP Moderate or a demonstrated equivalent. The C3PAO assessor performing your Level 2 assessment will either confirm the provider is listed as FedRAMP Moderate authorized on the FedRAMP Marketplace at https://marketplace.fedramp.gov/, or they will review a body of evidence produced by a third-party assessment organization demonstrating 100 percent compliance with FedRAMP Moderate controls and zero control-related plans of action and milestones. There is no partial credit.

HIPAA Security Rule and ePHI Hosting

Any organization that creates, receives, maintains, or transmits electronic protected health information is subject to the HIPAA Security Rule. The rule lives at 45 CFR Part 164 Subpart C, and the technical safeguards section is 45 CFR 164.312, available at https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312.

The Security Rule splits safeguards into three buckets. Administrative safeguards at 45 CFR 164.308 cover the security management process, workforce security, information access management, security awareness and training, security incident procedures, contingency planning, and periodic evaluation. Physical safeguards at 45 CFR 164.310 cover facility access, workstation use, and device and media controls. Technical safeguards at 45 CFR 164.312 cover access control, audit controls, integrity, person or entity authentication, and transmission security.

The term most firms get wrong is HIPAA eligible. No cloud provider can sell a compliant HIPAA deployment out of the box. A covered entity or business associate must configure the environment, manage workforce access, sign a business associate agreement with the provider under 45 CFR 164.314, and still prove through a documented risk analysis, under 45 CFR 164.308(a)(1)(ii)(A), that the controls are actually sufficient for their specific ePHI workload. The Office for Civil Rights publishes settlement actions at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html, and many of them involve a cloud deployment that the covered entity believed was compliant.

Addressable does not mean optional. Encryption of ePHI at rest and in transit is marked addressable in the regulation, but the covered entity must either implement it or document in writing why an equivalent measure meets the standard. Auditors rarely accept an explanation of why you did not encrypt as a serious answer in 2026.

Financial Services, Books and Records

Broker-dealers, registered investment advisors, and related financial services firms fall under SEC Rule 17a-4, FINRA Rule 4511, and the related CFTC Regulation 1.31. These are the books-and-records rules.

The current SEC Rule 17a-4 permits two electronic recordkeeping approaches. The original approach, still in force, requires records to be preserved in a non-rewriteable, non-erasable format, known as WORM, or write-once-read-many. The 2022 amendments added an audit-trail alternative that permits records to be stored in a system that maintains a complete audit trail sufficient to recreate any original record if it is modified or deleted. Either approach is acceptable, but the firm must choose and document one. The rule is at https://www.sec.gov/rules-regulations/staff-guidance/trading-markets-frequently-asked-questions/rule-amendments-broker.

FINRA Rule 4511 sits on top of SEC 17a-4 and applies to FINRA member firms. It requires records be preserved in a format and media that complies with Exchange Act Rule 17a-4 and imposes a minimum six-year retention for records that have no other specified retention period. The rule text is at https://www.finra.org/rules-guidance/rulebooks/finra-rules/4511.

Storage immutability sounds like a solved problem in commodity cloud. Object-lock and policy-lock features exist on the major providers. What is not solved is the governance around who can turn those locks off, under what legal process, and whether your specific deployment configuration actually satisfies the rule. Firms fail 17a-4 audits on configuration and oversight, not on hardware.

Law Firms, Client Confidentiality

Law firms practicing in North Carolina operate under Rule 1.6 of the North Carolina Rules of Professional Conduct, published by the North Carolina State Bar at https://www.ncbar.gov/for-lawyers/ethics/rules-of-professional-conduct/rule-16-confidentiality-of-information/. Rule 1.6(c) requires a lawyer to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

The State Bar's 2011 Formal Ethics Opinion 6, at https://www.ncbar.gov/for-lawyers/ethics/adopted-opinions/2011-formal-ethics-opinion-6/, makes clear that a North Carolina lawyer may use software-as-a-service and cloud providers for client data, provided the lawyer uses reasonable care to safeguard confidential client information. The opinion lists specific diligence expectations including evaluating the vendor's firewalls, encryption, access controls, and intrusion detection. It is not enough to trust the brand.

The American Bar Association Model Rule 1.6(c), at https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_1_6_confidentiality_of_information/, aligns with this and is adopted in most jurisdictions. Comment 18 to Model Rule 1.6 explicitly references unauthorized access by hackers and the lawyer's ethical duty to take reasonable precautions, including evaluating the sensitivity of the information and the cost of additional safeguards.

Translation for managing partners. If you store client files in a commodity cloud and the provider is breached, your defense that the provider had a nice certification badge will not satisfy the State Bar.

Where Commodity Cloud Actually Works

We want to be fair before we talk about private cloud. There are absolutely workloads where a major cloud provider in its regulated enclave is the right answer.

AWS GovCloud US, Microsoft Azure Government and Microsoft 365 GCC High, and Google Cloud for Government are engineered specifically for federal and regulated workloads. AWS GovCloud US is FedRAMP High authorized, operated from United States soil by United States citizen personnel, and supports Department of Defense Impact Level 5 workloads. GCC High is isolated from commercial Microsoft 365 and is the practical choice for defense contractors needing CMMC Level 2 alignment at enterprise scale.

Good candidates for regulated commodity cloud include the following.

Large defense contractors with existing enterprise Microsoft agreements, dedicated compliance staff, and hundreds of seats to license. The per-seat price of GCC High becomes tolerable at scale, and the compliance team has the bandwidth to run configuration baselines, manage privileged access, handle incident response, and produce evidence.

Organizations with elastic compute needs, where the ability to spin up and spin down capacity matters financially more than predictable infrastructure cost.

Organizations with national or multi-region data residency needs, where the cost of replicating a private cloud across three or four geographies would exceed the cloud price.

Organizations with deep DevOps maturity that can actually take advantage of infrastructure-as-code, automated policy enforcement, and continuous compliance scanning that a managed cloud exposes as APIs.

If that is you, commodity regulated cloud is a reasonable architecture, and we will help you get it configured correctly. We have no ideological objection to it.

Where Private Cloud Wins

The pattern we see in the regulated Raleigh and Research Triangle market, and broadly in the mid-market nationally, looks different. Our typical client has between 20 and 300 employees. They hold CUI under one or two defense contracts, or they hold ePHI as a specialty medical practice, or they manage client funds as a small RIA, or they are a law firm with a handful of high-sensitivity practice areas. They do not have a dedicated compliance team of ten people. They have a director of IT or an outsourced MSP, a controller, and a senior attorney or physician who cares about getting it right.

For this profile, a private cloud, designed and operated with the compliance framework baked in, is frequently the cheaper, simpler, and more defensible answer. Here is why.

Cost at Mid-Market Scale

GCC High list pricing commonly runs two to three times the per-user cost of commercial Microsoft 365. AWS GovCloud services carry a meaningful premium over commercial AWS. For a 50-user firm holding CUI, the incremental cost over five years is substantial. A colocated private cloud with a three-year capital refresh on enterprise server hardware, an NVMe flash SAN, redundant firewalls, and a managed backup target often comes in lower over that same window, even after counting operations staff time.

The important caveat: cost only wins if you do not under-build. A private cloud that cuts corners on encryption key management, access logging, or physical security is not cheaper. It is a future enforcement settlement waiting to happen.

Control and Auditability

When an auditor asks where the data is, a private cloud lets you point to a specific rack, in a specific cage, at a specific colocation facility, with a specific set of named people who have badge access. The chain from a regulatory control to a physical reality is short enough to walk. On a commodity cloud the auditor has to trust a chain of attestations and shared responsibility matrices, and you have to trust that those attestations accurately describe the configuration you actually use.

The difference matters most when things go wrong. After an incident, forensics on owned infrastructure is straightforward for a trained examiner. We do this work at Petronella Technology Group every week. Forensics across a multi-tenant cloud where your logs are intermingled with tens of thousands of other customers is harder, slower, and occasionally impossible.

Simplicity of the Compliance Story

The regulatory side of a private cloud is often simpler to narrate to an assessor than a cloud deployment. The control ownership is unambiguous. If the hardware is yours and the software is configured by your team, every control in NIST SP 800-171 is implemented by you. There is no shared responsibility matrix to misinterpret. The system security plan describes one system.

This matters in practice. CMMC assessors, HIPAA auditors, and FINRA examiners are not adversaries. They are looking for a clear, documented, implemented story. Clean stories close faster and cheaper than complicated ones.

A private cloud on infrastructure you own, located inside the United States, gives you control over legal process exposure. Commodity cloud providers receive subpoenas and national security letters and must respond under their own policies. With a private cloud, any legal process comes to your front door, your general counsel, and your own document-hold procedures. For law firms with privileged communications, this is often a decisive factor.

How Petronella Technology Group Designs Private Cloud for Regulated Clients

We will be specific about what we actually build, because vague architectural descriptions are not useful when you are making a real decision.

Our reference private cloud design for a regulated mid-market client typically includes the following components, each mapped to specific NIST SP 800-171 Revision 3 control families.

Two redundant hypervisor hosts at the primary colocation site, running a hardened type-1 hypervisor with host-based encryption for virtual machine storage volumes. This maps to the System and Communications Protection family for boundary enforcement and cryptographic protection.

A redundant firewall cluster with application-layer inspection, documented rulesets managed as code, and denied-by-default egress. This maps to Access Control for information flow enforcement and to System and Communications Protection for boundary protection.
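One benefit of keeping firewall rulesets as code is that the deny-by-default and information-flow properties described above can be checked automatically before a change is deployed. The following is an added example, not Petronella Technology Group's tooling; it assumes a constructed line-oriented rule format with first-match semantics, and every address in it is made up. It flags a missing terminal egress deny, allows that reach any destination on any port, and rules shadowed by an earlier broader rule (a common way a "temporary" exception silently disables a control).

```python
"""Policy check for a firewall ruleset kept as code.

Added example (not Petronella Technology Group tooling). It assumes a
constructed, line-oriented rule format, first-match semantics, and a
CUI enclave at 10.20.0.0/24; every address below is made up.
"""
import ipaddress

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


def parse_rule(line: str):
    """Parse one rule line; returns None for blank or comment-only lines.

    Constructed format:
      <ingress|egress> <allow|deny> <src_cidr> <dst_cidr> <proto>/<port|any>  # comment
    """
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    direction, action, src, dst, service = text.split()
    proto, _, port = service.partition("/")
    if direction not in ("ingress", "egress") or action not in ("allow", "deny"):
        raise ValueError(f"malformed rule: {line!r}")
    return {
        "direction": direction,
        "action": action,
        "src": ipaddress.ip_network(src, strict=False),
        "dst": ipaddress.ip_network(dst, strict=False),
        "proto": proto,
        "port": port,
    }


def covers(outer: dict, inner: dict) -> bool:
    """True if every packet matched by `inner` is already matched by `outer`."""
    return (
        outer["direction"] == inner["direction"]
        and inner["src"].subnet_of(outer["src"])
        and inner["dst"].subnet_of(outer["dst"])
        and outer["proto"] in ("any", inner["proto"])
        and outer["port"] in ("any", inner["port"])
    )


def check_ruleset(text: str) -> list:
    """Return human-readable findings; an empty list means the ruleset passes."""
    rules = [r for r in map(parse_rule, text.splitlines()) if r is not None]
    findings = []

    # 1. Deny-by-default egress: the last egress rule must be an explicit deny-all.
    egress = [r for r in rules if r["direction"] == "egress"]
    terminal_ok = (
        egress
        and egress[-1]["action"] == "deny"
        and egress[-1]["src"] == ANY_NET
        and egress[-1]["dst"] == ANY_NET
        and egress[-1]["proto"] == "any"
        and egress[-1]["port"] == "any"
    )
    if not terminal_ok:
        findings.append("egress: no terminal deny-all rule; egress is not deny-by-default")

    for n, rule in enumerate(rules, start=1):
        # 2. Broad allows: any destination on any port is never acceptable from the enclave.
        if rule["action"] == "allow" and rule["dst"] == ANY_NET and rule["port"] == "any":
            findings.append(f"rule {n}: allow to any destination on any port")
        # 3. Shadowed rules: under first-match, a rule fully covered by an earlier one never fires.
        for m, earlier in enumerate(rules[: n - 1], start=1):
            if covers(earlier, rule):
                findings.append(f"rule {n}: shadowed by rule {m}")
                break
    return findings


# Constructed sample rulesets (not a real customer configuration).
GOOD_RULESET = """
ingress allow 10.10.0.0/24 10.20.0.10/32 tcp/443    # admin workstations to the enclave portal
egress  allow 10.20.0.0/24 10.0.0.53/32  udp/53     # enclave to internal DNS
egress  allow 10.20.0.0/24 10.0.0.20/32  tcp/8530   # enclave to internal patch server
egress  deny  0.0.0.0/0    0.0.0.0/0     any/any    # deny-by-default egress
ingress deny  0.0.0.0/0    0.0.0.0/0     any/any    # deny-by-default ingress
"""

BAD_RULESET = """
egress  allow 10.20.0.0/24 0.0.0.0/0     any/any    # "temporary" internet access
egress  allow 10.20.0.0/24 10.0.0.53/32  udp/53     # never fires: shadowed by the rule above
"""

if __name__ == "__main__":
    for name, ruleset in (("good", GOOD_RULESET), ("bad", BAD_RULESET)):
        print(name, check_ruleset(ruleset) or "passes")
```

Run as a pre-merge check on the ruleset repository, the bad sample fails with three findings (no terminal deny, an unrestricted egress allow, and a shadowed DNS rule), while the good sample passes; the evidence for the Access Control family is then the check's output attached to each change record rather than a screenshot taken at audit time.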

A central identity platform with phishing-resistant multifactor authentication bound to hardware security keys for all privileged accounts. This maps to Identification and Authentication. Phishing-resistant MFA for privileged accounts is now an explicit requirement in NIST SP 800-171 Revision 3.

A centralized log pipeline aggregating operating system events, application events, firewall events, and privileged session recording, stored on write-protected immutable storage for at least the retention period the applicable regulation requires. This maps to Audit and Accountability. For financial services clients we extend this to an audit-trail architecture compliant with SEC Rule 17a-4 or a WORM storage target.
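The two properties the log pipeline and the SEC Rule 17a-4 audit-trail alternative both depend on are that nothing is overwritten (so any original record can be recreated after a modification or deletion) and that later alteration of stored entries is detectable. The following added example, which is not Petronella Technology Group's pipeline, models both with an append-only store whose entries are chained by SHA-256 digests; record identifiers, actors, and timestamps are constructed.

```python
"""Append-only, hash-chained audit trail for regulated records.

Added example, not Petronella Technology Group's own log pipeline. Every
change is appended rather than overwritten, so the original record can always
be recreated, and each entry carries the digest of the previous one, so later
alteration of stored entries is detectable. Record IDs, actors and timestamps
used with it are constructed.
"""
import hashlib
import json

GENESIS = "0" * 64  # previous-digest value for the first entry


def _digest(body: dict) -> str:
    """Canonical SHA-256 over an entry body (keys sorted so the encoding is stable)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class AuditTrail:
    def __init__(self):
        self._entries = []

    def _append(self, op, record_id, content, actor, ts):
        # ts must come from the authoritative time source the AU family requires;
        # it is passed in explicitly here so the example is deterministic.
        prev = self._entries[-1]["digest"] if self._entries else GENESIS
        body = {"seq": len(self._entries), "ts": ts, "op": op, "record_id": record_id,
                "content": content, "actor": actor, "prev": prev}
        entry = dict(body, digest=_digest(body))
        self._entries.append(entry)
        return entry["digest"]

    def create(self, record_id, content, actor, ts):
        return self._append("create", record_id, content, actor, ts)

    def modify(self, record_id, content, actor, ts):
        return self._append("modify", record_id, content, actor, ts)

    def delete(self, record_id, actor, ts):
        # A delete is itself an appended entry; nothing leaves the trail.
        return self._append("delete", record_id, None, actor, ts)

    def history(self, record_id):
        """Every entry ever written for a record, oldest first."""
        return [e for e in self._entries if e["record_id"] == record_id]

    def original(self, record_id):
        """Recreate the record as first written, even after modification or deletion."""
        h = self.history(record_id)
        return h[0]["content"] if h else None

    def current(self, record_id):
        h = self.history(record_id)
        if not h or h[-1]["op"] == "delete":
            return None
        return h[-1]["content"]

    def verify(self):
        """Recompute the chain. Returns (True, None) or (False, seq of the first bad entry)."""
        prev = GENESIS
        for e in self._entries:
            body = {k: v for k, v in e.items() if k != "digest"}
            if body["prev"] != prev or _digest(body) != e["digest"]:
                return False, e["seq"]
            prev = e["digest"]
        return True, None


if __name__ == "__main__":
    # Constructed walk-through: a record is created, corrected, then deleted.
    trail = AuditTrail()
    trail.create("ORDER-0001", {"qty": 100}, "jdoe", "2026-01-05T14:02:00Z")
    trail.modify("ORDER-0001", {"qty": 150}, "jdoe", "2026-01-05T14:10:00Z")
    trail.delete("ORDER-0001", "ops-admin", "2026-01-06T09:00:00Z")
    print("current:", trail.current("ORDER-0001"))    # None: the record is deleted
    print("original:", trail.original("ORDER-0001"))  # {'qty': 100}: still recoverable
    print("chain intact:", trail.verify())            # (True, None)
    trail._entries[1]["content"] = {"qty": 9}         # simulate in-place tampering
    print("after tampering:", trail.verify())         # (False, 1)
```

The chain makes alteration visible, but it does not prevent it: that is what the write-protected storage target (object lock or a WORM device) is for, and why the two are used together. Under the 17a-4 audit-trail alternative the `history` and `original` calls are what an examiner asks for; under the WORM approach the storage layer itself refuses the in-place write that the last two lines simulate.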

Endpoint detection and response on every endpoint and every server, with telemetry shipped to a 24-by-7 security operations team. This maps to System and Information Integrity and to Incident Response.

Documented data classification, with CUI and ePHI stored only inside marked enclaves, and strict technical controls preventing export to unmarked systems. This maps to Media Protection, Access Control, and Configuration Management.

A tested backup architecture with encrypted, immutable, off-site copies at a second colocation facility or hardened secondary site, with documented restore-time objectives and periodic live restore tests. This maps to System and Information Integrity and to the Contingency Planning expectations echoed across HIPAA and NIST.

Physical security at the colocation provider including badge access, video recording, mantrap entry, locked cabinets, and named-escort policies for vendor maintenance. This maps to Physical and Environmental Protection.

Supply chain diligence on every hardware and software component, with a software bill of materials for critical systems, aligned to the Supply Chain Risk Management family newly formalized in Revision 3.

An annual third-party penetration test and a continuous vulnerability management program. These map to Risk Assessment and System and Information Integrity.

For CMMC Level 3 clients, we layer on the NIST SP 800-172 enhanced requirements that apply to the in-scope enclave. These include advanced identity verification, deception technology, threat hunting, and segmentation at a granularity that commodity cloud rarely supports by default.

Mapping Table: NIST SP 800-171 Revision 3 Families to Private Cloud Implementation

Enterprise server rack with neatly organized color-coded network cables and glowing switch status LEDs.

The following table maps each of the 17 control families in NIST SP 800-171 Revision 3 to a concrete implementation pattern in a Petronella Technology Group private cloud design. Control family identifiers follow the exact designations in the published NIST document.

Family (Identifier): Private Cloud Implementation

Access Control (AC): Role-based access, least-privilege groups, privileged access workstations, phishing-resistant MFA for all admin roles, documented data-flow rules on the firewall cluster with deny-by-default egress.

Awareness and Training (AT): Annual role-specific security training for all workforce members, targeted CUI or ePHI handling training for staff inside the regulated enclave, documented attestations.

Audit and Accountability (AU): Centralized log collection, tamper-evident storage, defined event catalog, time synchronization to an authoritative source, log review schedule, retention aligned to the applicable regulation.

Assessment, Authorization, and Monitoring (CA): System security plan, plan of action and milestones, annual third-party assessment, continuous monitoring program, documented authorization to operate from leadership.

Configuration Management (CM): Hardened baselines on every host, configuration as code, change control board, automated drift detection, documented allow-listing for software in the enclave.

Identification and Authentication (IA): Central identity platform, hardware-backed MFA for privileged accounts, phishing-resistant MFA under Revision 3 guidance, no shared accounts, session recording on privileged access.

Incident Response (IR): Written incident response plan, 24-by-7 monitoring, tabletop exercises, defined reporting obligations under DFARS 7012 and HIPAA Breach Notification as applicable, retained forensic capability.

Maintenance (MA): Controlled maintenance procedures, escorted vendor access at the colocation facility, sanitization of media before disposal, remote maintenance over monitored sessions only.

Media Protection (MP): Encrypted storage, marked media for CUI or ePHI, controlled transport, documented disposal using NIST SP 800-88 compliant sanitization.

Physical and Environmental Protection (PE): Colocation facility with SOC 2 or equivalent attestation, badge access with video, locked cabinets, environmental controls, visitor logs.

Planning (PL): Written system security plan, written privacy plan where applicable, annual review, documented rules of behavior acknowledged by all users.

Personnel Security (PS): Defined screening for positions with CUI or ePHI access, documented termination and transfer procedures, separation of duties for sensitive roles.

Risk Assessment (RA): Annual risk assessment, continuous vulnerability management, documented risk register, periodic third-party penetration testing.

System and Services Acquisition (SA): Security requirements built into vendor contracts, documented diligence on third parties, software bill of materials for critical systems, defined secure software development practices.

System and Communications Protection (SC): Boundary protection with redundant firewalls, segmentation of the regulated enclave, cryptographic protection in transit and at rest, deny-by-default, protection of key management material.

System and Information Integrity (SI): Endpoint detection and response, patch management with defined service-level objectives, malware protection, tested backup and recovery, integrity monitoring on critical files.

Supply Chain Risk Management (SCRM): Supplier risk tiering, documented diligence on critical suppliers, incident notification clauses in supplier contracts, monitoring of published vulnerabilities in the supply chain.

Control family identifiers and scope are drawn from NIST SP 800-171 Revision 3, published May 2024. The full publication is at https://csrc.nist.gov/pubs/sp/800/171/r3/final.

For CMMC Level 3 engagements, we additionally implement the relevant subset of enhanced requirements from NIST SP 800-172, including penetration-resistant architecture elements, advanced threat hunting, and deception. The publication is at https://csrc.nist.gov/pubs/sp/800/172/final.

Decision Framework: Private Cloud or Commodity Cloud

To make this concrete, here is the decision framework we walk through with prospective clients in a first assessment call.

Ask yourself these questions honestly.

How many users touch regulated data? If it is more than a few hundred, the per-seat economics often favor enterprise commodity cloud. If it is fewer than a hundred, private cloud is frequently cheaper over a five-year window.

Do you have dedicated compliance staff, or an MSP partner with a dedicated regulated practice? If you do not, the configuration and evidence workload of a commodity regulated cloud will likely fall on people who also have day jobs, and things will slip.

How elastic is your compute workload? If it scales up and down wildly, commodity cloud is genuinely useful. If it is steady-state, the elasticity premium is pure cost.

How willing are you to sign a business associate agreement or CUI addendum and live under the cloud provider's shared responsibility matrix as written? Many of these agreements push more responsibility to the customer than the customer expects.

How sensitive is the worst document in your environment? If the answer involves national security, attorney-client privilege in high-stakes litigation, or trade secrets whose loss would end the business, the data sovereignty argument for private cloud gets stronger.

What does your cyber liability insurance carrier ask about your architecture? Some carriers now offer meaningful premium reductions for documented private-cloud deployments with tested controls, versus higher exposure ratings for commodity cloud configurations they cannot audit.

If you walk through those honestly and the answers lean toward small team, steady workload, high sensitivity, and appetite for clean ownership, a private cloud is very likely the right answer. If they lean toward large team, elastic workload, and deep internal DevOps, keep going with commodity.

What We Actually Do For You

Petronella Technology Group builds and operates private clouds for regulated clients under a few different engagement models depending on what the client needs.

A full design-and-build engagement. We assess your regulatory footprint, design the architecture to the applicable frameworks, procure the hardware, install it at the colocation facility of your choice or one of our partner facilities, migrate the regulated workloads, document the system security plan, and run the initial third-party assessment readiness check.

An operate engagement on existing hardware. If you already have owned infrastructure, we can take over operations, bring the controls up to NIST SP 800-171 Revision 3 alignment, produce and maintain the system security plan, and run the 24-by-7 monitoring and incident response.

A co-pilot engagement. For clients with a capable internal IT team, we partner as the specialist on the compliance side. We handle the control design, evidence collection, assessment preparation, and continuous improvement. Your team handles day-to-day operations. We are the registered provider organization that backstops your assessment.

For CMMC engagements specifically, our CMMC-AB Registered Provider Organization status, RPO #1449, gives us standing with the CyberAB ecosystem. Our practitioners hold CMMC-Registered Practitioner credentials. We do not sell C3PAO assessments, which by design are independent of preparation work, and we do not pretend to be something we are not. We prepare you for the assessment, and we stay with you after certification to keep controls current as NIST releases updates and the Department of Defense evolves the program.

For HIPAA engagements we function as a business associate under a signed BAA, and our operational practices inside the enclave reflect that posture.

Closing Thoughts and Next Step

The compliance world in 2026 is simpler than it sounds and harder than most firms treat it. The simple part is that the rules are public and they do not move from day to day. NIST SP 800-171 Revision 3 is finalized. The HIPAA Security Rule has been stable at the technical-safeguard level for years, with a rulemaking update underway that tightens encryption and MFA expectations. SEC Rule 17a-4 and FINRA Rule 4511 are decades mature. The Rules of Professional Conduct for lawyers pre-date the internet and have aged well.

The hard part is that implementation is not glamorous. It is control design, evidence, documentation, drills, and a culture that treats compliance as part of the business rather than a project that ends. Technology companies that promise to make this magically simple by selling you a badge are not your friends in an audit.

If you are a regulated mid-market firm in North Carolina, South Carolina, Virginia, or anywhere in the continental United States, and you want an honest conversation about whether your current cloud posture meets the actual rules, or whether a private cloud would be simpler and cheaper at your scale, we would like to talk.

Call Petronella Technology Group at (919) 348-4912, or reach us through /contact-us/. We do not run a pressure sales process. We run a short conversation, a written summary of what we heard, and a proposal only if there is a fit.

For deeper reading on related topics, we recommend our pillar pages on /compliance/cmmc-compliance/ for Department of Defense contractors, /solutions/private-ai-cluster/ for regulated firms evaluating on-premises artificial intelligence workloads alongside compliance workloads, and /cyber-security/ for a broader tour of how we think about defense in depth.

The cloud is not the enemy. Confusing a cloud contract for a compliance program is. Build the program first, and the infrastructure follows.


Sources referenced in this article include the National Institute of Standards and Technology SP 800-171 Revision 3 (https://csrc.nist.gov/pubs/sp/800/171/r3/final), NIST SP 800-172 (https://csrc.nist.gov/pubs/sp/800/172/final), the Electronic Code of Federal Regulations Title 45 Part 164 (https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164), SEC staff guidance on Rule 17a-4 (https://www.sec.gov/rules-regulations/staff-guidance/trading-markets-frequently-asked-questions/rule-amendments-broker), FINRA Rule 4511 (https://www.finra.org/rules-guidance/rulebooks/finra-rules/4511), the North Carolina State Bar's Rules of Professional Conduct and 2011 Formal Ethics Opinion 6 (https://www.ncbar.gov/for-lawyers/ethics/adopted-opinions/2011-formal-ethics-opinion-6/), the American Bar Association Model Rule 1.6 (https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_1_6_confidentiality_of_information/), the CyberAB Registered Provider Organization registry (https://cyberab.org/Member/RPO-1449-Petronella-Cybersecurity-And-Digital-Forensics), and the FedRAMP Marketplace (https://marketplace.fedramp.gov/). Regulatory guidance changes; the publications listed above are the authoritative sources.


About the Author

Craig Petronella, CEO and Founder of Petronella Technology Group
CEO, Founder & AI Architect, Petronella Technology Group

Craig Petronella founded Petronella Technology Group in 2002 and has spent more than 30 years working at the intersection of cybersecurity, AI, compliance, and digital forensics. He holds the CMMC Registered Practitioner credential (RP-1372) issued by the Cyber AB, is an NC Licensed Digital Forensics Examiner (License #604180-DFE), and completed MIT Professional Education programs in AI, Blockchain, and Cybersecurity. Craig also holds CompTIA Security+, CCNA, and Hyperledger certifications.

He is an Amazon #1 Best-Selling Author of 15+ books on cybersecurity and compliance, host of the Encrypted Ambition podcast (95+ episodes on Apple Podcasts, Spotify, and Amazon), and a cybersecurity keynote speaker with 200+ engagements at conferences, law firms, and corporate boardrooms. Craig serves as Contributing Editor for Cybersecurity at NC Triangle Attorney at Law Magazine and is a guest lecturer at NCCU School of Law. He has served as a digital forensics expert witness in federal and state court cases involving cybercrime, cryptocurrency fraud, SIM-swap attacks, and data breaches.

Under his leadership, Petronella Technology Group has served 2,500+ clients, maintained a zero-breach record among compliant clients, earned a BBB A+ rating every year since 2003, and been featured as a cybersecurity authority on CBS, ABC, NBC, FOX, and WRAL. The company leverages SOC 2 Type II certified platforms and specializes in AI implementation, managed cybersecurity, CMMC/HIPAA/SOC 2 compliance, and digital forensics for businesses across the United States.
