Firethorne Tech

FAQs

Straight answers to common questions

How we work, what compliance actually requires, and the honest limits of what any provider can promise.

Working with Firethorne

What makes Firethorne different from other IT providers?

A security-first, compliance-driven mindset and US-based accountability on everything we do. We built our practice in regulated industries — defense, healthcare, finance — where the standards are highest, and we bring that discipline to every client, regulated or not.

Do we have to buy everything, or can we pick services?

Services are modular. Some clients want fully managed IT; others engage us for a single assessment, a compliance program, or a co-managed arrangement alongside their internal team. You select only what you need.

Is any of your support handled overseas?

Our managed IT and compliance services are delivered entirely by our in-house, US-based team — every call, ticket, assessment, and monitoring task, with no offshore. For federal and defense clients that's a supply-chain requirement; for everyone else it's a quality guarantee. Our Application Management Services are US-led — a named onshore lead on every engagement, with nearshore capacity working in US time zones.

Can you work alongside our internal IT team?

Yes — co-managed partnerships are one of our most common arrangements. Your team keeps day-to-day operations while we handle security, compliance, or specialized projects. We define the split clearly so nothing falls between chairs.

How fast do you respond to issues?

Most tickets are acknowledged within minutes, and critical issues are escalated immediately. Response targets are SLA-driven and defined in your agreement — not a marketing claim.

Compliance & CMMC

What's the difference between CMMC and NIST 800-171?

NIST 800-171 defines the security controls for protecting CUI. CMMC adds a certification program on top — organizations must demonstrate compliance through third-party or government-led assessments rather than self-attestation alone.

Who needs CMMC certification?

Any defense industrial base contractor or subcontractor that handles Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). CMMC requirements are appearing in DoD solicitations now.

How long does compliance readiness take?

It varies with your starting point: some organizations are ready in a few months, others need 12–18 months to close gaps, upgrade infrastructure, and complete documentation. An assessment gives you the real number.

What's the difference between a framework and a regulation?

Frameworks (NIST 800-171, ISO 27001, CIS Controls) are structured sets of best practices. Regulations (HIPAA, GLBA, DFARS) are legal requirements — which often reference frameworks. We help you figure out which of each actually applies to you.

What documentation do audits require?

Typically a System Security Plan (SSP), Plans of Action & Milestones (POA&Ms), written security policies, and technical evidence that controls are implemented — screenshots, logs, configurations available on demand.

Managed IT & Helpdesk

How does your helpdesk pricing work?

Unlimited support at flat per-device rates — every user and endpoint covered, no per-ticket charges. See our support packages page for published pricing.

Do you provide 24/7 coverage?

Yes — around-the-clock monitoring with US-based support and immediate escalation for critical issues.

Do you support our business applications?

Yes. Beyond Microsoft 365 and Teams, our technicians train on your environment during onboarding — ERP, CRM, and industry-specific applications included — and we build a custom knowledge base for your business.

Will we get reports on our environment?

Yes — periodic system health, performance, and security status reports. For compliance-driven clients, tickets and monitoring records are documented in a form you can hand to an auditor.

Microsoft 365

Does Microsoft 365 make us compliant automatically?

No. M365 includes powerful security tools, but they must be configured and managed correctly. Out of the box, most tenants don't come close to CMMC, HIPAA, or NIST expectations.

Does Microsoft back up our data?

Not in the way most people assume. Microsoft provides resiliency, not backup — deleted items are recoverable only for a limited time. Independent backup of Exchange, OneDrive, SharePoint, and Teams is a requirement we implement for nearly every client.

Which Microsoft licenses do we need for advanced security?

Features like Defender for Office 365, conditional access, and data loss prevention require Business Premium, E3/E5, or equivalent licensing. We review your licensing to make sure you're paying for what you need — and using what you pay for.

Security & Monitoring

How is endpoint monitoring different from antivirus?

Antivirus blocks known malware. Endpoint monitoring adds continuous visibility, behavioral detection, and compliance reporting through EDR — so threats that don't match a signature still get caught.

What's the difference between EDR and MDR?

EDR automatically detects and contains threats on devices. MDR adds a human layer — our US-based SOC analysts investigate alerts, validate real threats, and take action. Software plus judgment.

Can you protect us completely from ransomware?

No one can, and you should be skeptical of anyone who claims otherwise. What we provide is resilience: early detection, device isolation, immutable backups, and documented recovery processes that minimize impact and prove due diligence.

Backup & Recovery

What does a sound backup strategy look like?

Layered: 3-2-1 architecture plus immutability — an off-site copy that can't be altered or deleted during its retention period, even by ransomware or a compromised admin account.

How often should backups be tested?

Quarterly test restores at minimum, with documented disaster-recovery runbooks. An untested backup is a hope, not a plan.

Can you manage the backup tools we already own?

Yes — we're tool-agnostic. We can manage and improve your existing backup systems, add immutable off-site copies, and layer on compliance reporting without forcing a rip-and-replace.

Have a question we didn't answer?

Ask us directly — a real person on our US-based team will get back to you.

Contact Us