Compliance as an operating system.
Compliance programs fail because they're treated as projects. Simvay treats them as living programs — evidence operations, governance cadence, and continuous improvement, all anchored to NIST CSF 2.0.
Built around the obligations you actually face.
We work primarily with Ohio public bodies, K-12, law enforcement, healthcare, and SMB. The frameworks below reflect what those clients are accountable for.
Ohio HB96 / ORC 9.64
Cybersecurity program structuring, evidence operations, and reporting for Ohio public bodies subject to HB96 and ORC 9.64 obligations.
- Program scoping against statutory language
- Required policy and procedure design
- Incident notification workflow
- Annual reporting evidence package
NIST CSF 2.0
Govern, Identify, Protect, Detect, Respond, Recover — implemented as an operating system, not a one-time assessment.
- Current and target profile development
- Tier-aligned roadmap with budget impact
- Control mapping to existing tooling
- Continuous improvement cadence
Sector frameworks
Mapping and evidence operations for the frameworks our clients actually face: CJIS, HIPAA, PCI DSS, and state education data privacy.
- Crosswalks against your existing program
- Gap remediation prioritized by risk
- Audit-ready evidence libraries
- Sustained re-evidence operations
The portal where the program lives.
Simvay delivers compliance programs through the Blacksmith InfoSec portal — a single place for policies, evidence, control attestations, and reporting. It replaces the spreadsheet-and-shared-drive sprawl that breaks most programs by year two.
- Policy & procedure repository
- Evidence library & versioning
- Control attestation workflow
- Audit reporting export
- HB96 / ORC 9.64 packaging
- NIST CSF 2.0 alignment
Facing HB96 obligations or an audit on the calendar?
We'll scope a program that holds up well past the first deadline — and the audit after that.