Issue 01 · Apr 2026: published / Nexurion Field Notes: quarterly · senior practitioner / Field Notes: six working memos · CMMC · HIPAA · GLBA · SOX · SOC 2 II · ISO 27001 · Privacy Written by named author · Retracted when wrong
Nexurion · EditorialFive volumes · May 2026

Nexurion Field Notes.

Working memos from a senior practitioner: written on the engagement that prompted them, signed by name, retracted in print when we get them wrong. Read by the people who have to sign the audit response, not the ones who have to patch the finding.

Cadence
As ready
Not on a marketing schedule
Latest, Vol. V
4 May 2026
HIPAA training as evidence
Author of record
Jack Giordano
Founder · Marine · Firefighter
Volumes shipped
5 / live
More in draft
§ I · Latest · Vol. V
Vol. V · HIPAA · Workforce · 7 pages

Your annual training certificate is a receipt. OCR wants a sanctions program.

Most HIPAA workforce-training programs end the day the certificate prints. OCR’s 2024–2025 enforcement actions name the programs that didn’t: the ones with no sanctions trail, no role-based reinforcement, no evidence the training changed behavior. A field reading on what BA-led organizations need to package instead.

\"A training certificate is evidence that the workforce received training. It is not evidence that the workforce operates under training. OCR, in 2025, started writing settlements that turn on the second sentence.\" Vol. V · The Misread
In this volume7 pp · ~11 min
  1. What OCR actually asks for in a training file.01
  2. The four documents that turn a certificate into a sanctions program.02
  3. Three 2024–2025 settlements where training was the finding.04
  4. A 90-day rebuild for BA-led HIPAA programs.06
Read Vol. V All five volumes
JG
By Jack Giordano, founder, Marine · Firefighter · Security & Compliance.
Published 4 May 2026 · No marketing review · Named author
§ II · The five volumes
Five published · more in draft · no marketing schedule

Five volumes, in order of arrival.

We publish a Field Note when a position is ready, not when a calendar says it is. Each volume is tied to an engagement we ran or a regulation we read in the wild. If a memo misses its window, it stays in drafts until the window comes back around.
Vol. I Published
Apr 2026 · Agentic security

When the attacker is no longer human.

Agentic AI pentesting reached production in 2025. Seven additions your risk register needs before your next HIPAA, GLBA, Mass 201, or GDPR audit.

4 pp · ~9 min
Vol. II Published
Apr 2026 · SOC 2

Skip Type 1. Go straight to a six-month Type 2.

A senior practitioner’s case for replacing the Type 1 attestation with a 14-week readiness sprint: and the ~$30k clients save by doing it.

6 pp · ~10 min
Vol. III Published
Apr 2026 · SOC 2 · ISO 27001

What auditors are testing in 2026 that they weren’t in 2024.

CC9 vendor scrutiny, AI risk under CC3, ConMon-as-evidence, A.5.7 threat intel, A.5.30 ICT readiness. What changed since 2024: and what it costs to ignore it.

8 pp · ~13 min
Vol. IV Published
May 2026 · CMMC · DoD

The senior-official affirmation, decoded.

Every CCFI settlement to date traces to one signature. How to package an affirmation your senior official can sign without personal False Claims Act exposure.

9 pp · ~14 min
Vol. V Latest
May 2026 · HIPAA · Workforce

Why your annual HIPAA training certificate isn’t evidence.

A training certificate is a receipt. OCR, in 2025, started writing settlements that turn on the sanctions program behind it.

7 pp · ~11 min
In drafting: SOC 2 + ISO 27001 in one period · The SoA as strategy document · The 60-day breach clock, by the hour.
Subscribe for the next volume
§ IV · Subscribe
One email · five issues a year · unsubscribe in one click

Get the next Field Note in your inbox the morning it ships.

No nurture sequence. No partner-of-the-week intro call. No "you might also like" cross-sell to a webinar. One email when a Field Note ships: and nothing else from us, unless you reply.

~6 volumes / yr · Tied to real engagements · No tracking pixels · One-click unsubscribe
Subscribers
2,140
As of 23 Apr 2026
Open rate
71%
Vol. I, 14 days
Reply rate
9.4%
Vs. 0.4% industry avg
Marketing edits
0
All issues, all years