Company Information


ACR 2 Solutions - Automated Compliance Reporting Solutions

ACR 2 Solutions, Inc. (pronounced "A-C-R two solutions") is the first truly automated compliance reporting system. This system automates the risk assessment process required for financial institutions regulated under the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm Leach Bliley Act (GLBA).

Existing compliance reporting systems are mostly security reporting systems and they have serious limitations in providing compliance reporting. They can, however, be used as an aid. For a true compliance reporting system to exist, there must be a compliance program for the security devices to interact with. Manual programs have been developed for this purpose, but they are labor intensive and therefore costly. For example, Secure Pipe provides this service, at significant cost.

In order to apply automation to compliance reporting, a standardized compliance program is necessary. The National Institute of Standards and Technology (NIST) has issued standards and protocols for GLBA and HIPAA compliance programs that can be applied to regulated companies. Compliance with these protocols allows a standardized compliance program to be created that can interact with security devices, particularly unified threat management (UTM) systems, and provide a true automated compliance system, as opposed to a mere automated security system.

The NIST approach has some challenges. The applicable NIST protocols (over 25 for HIPAA) total thousands of pages of material. In general these protocols are too technical for the majority of small medical practices, community banks and vehicle dealers.

Over the past five years, the founders of ACR 2 Solutions, Inc. have developed and demonstrated a "Turbo-tax" style software package that can be used by regulated firms to generate NIST compliant information security programs. Once the standardized program is in place for each regulated firm, automation can be used to generate monthly and annual compliance reports as required by regulatory agencies.

The NIST protocols are continually being updated and modified. For that reason, ACR 2 Solutions, Inc. is currently updating the software every month to meet the continually evolving standards for compliance. This regular updating is required by Federal regulations and reflects the reality that information security is a moving target.

ACR 2 is available for Managed Security Service Providers (MSSPs) and end-users that have Unified Threat Management (UTM) devices or some other combination of firewall/anti-virus and intrusion detection/prevention protection. Companies are now using ACR 2 with SonicWALL, Juniper and Fortinet UTM products. ACR 2 can also seamlessly interoperate with other UTM products.

Key Staff

Jack Kolk - President and CEO

Mr. Kolk is a co-founder of ACR2. Jack has several decades of technical sales and marketing experience in the IT, network and security industries and is a former VP of global distributor Merisel. He has worked in billion dollar companies and several startups in both Silicon Valley and Atlanta. He holds CISSP and CSSLP certifications.

Robert Peterson, PE - CTO

Robert Peterson, PE is a degreed engineer from the University of Illinois with a long history of success at the interface between technology and regulatory compliance. Mr. Peterson holds 3 US patents and one national engineering award. Another patent, co-authored with Jack Kolk, is pending on technology involving the Risk Reporter process.

Along with patents and awards, Mr. Peterson has been a regulatory pioneer. He received the first TSCA R&D permit awarded in EPA Region I, along with successful permitting efforts at a variety of Superfund sites. His move in the '90s from environmental risk to information security compliance has involved a number of successful regulatory audits of clients ranging from $30 million to $1.6 billion in size.

Company FAQs

Frequently Asked Questions (FAQ) for potential investors


  1.  What is the Business of ACR 2 Solutions?

ACR 2 Solutions Inc. is in the business of liability reduction by risk management.

ACR reduces the legal and financial liability of organizations that handle sensitive data such as social security numbers and credit card information by providing tools and services that allow organizations to comply with the recognized standard of care for handling sensitive data in their industry.  Liability costs for a security breach can be substantial.  For example, under the Gramm Leach Bliley Act, banks can be fined up to $11,000 per day of non-compliance.   Penalties under the PCI Data Security Standard can exceed $500,000. 

Complying with a recognized standard of care can provide an organization significant defences against claims of negligence, even in the event of a breach of information security.  None of the information security regulations require perfect security.  They only require organizations to meet the standard of care.


  2.  What Products does ACR produce?

ACR currently has four families of products. They are ACR2Basic, ACR2 for PCI, ACR2Enterprise and Risk Reporter.  Each product has minor variations, and products may be combined in a wide variety of ways to meet customer needs.

ACR2Basic consists of a list of questions that are answered online.  It then creates a standardized NIST compliant risk assessment.

ACR2 for PCI consists of a list of questions that are answered online including all of the questions from the PCI DSS. It then creates a standardized NIST compliant risk assessment.

ACR2Enterprise combines up to 256 ACR2Basic and/or ACR2 for PCI installations on a single screen, allowing risk management of multiple sites. 

Risk Reporter combines ACR2Basic with automatic network scanning and automatic uploading of antivirus and intrusion detection data to provide “near real-time” reporting of risk as called for in NIST 800-39.  The scanning uses one of several scanners validated under the NIST Security Content Automation Program (SCAP), which allows simultaneous compliance with 800-39 and the FDCC.  Risk Reporter can use several types of Unified Threat Management (UTM) systems, but only the Fortinet UTMs have the necessary certifications for Federal use.

For more investor FAQs, you may download the following PDF. In order to open the PDF, please contact us for the password.

Investor FAQ

Copyright © 2006-2021 ACR 2 Solutions. All rights reserved.