8 posts
On May 4, 2026, FedRAMP launched the public preview of the Consolidated Rules for 2026 (CR26). Plain language requirements, machine-readable structure, a stable two-and-a-half-year content window, and a GitHub-driven feedback model. Here's what's actually in it and what CSPs should be doing right now.
Using Phil Venables' Field CISO framework as a lens to describe what the role actually looks like from inside it at Knox Systems, where the product is a FedRAMP shared boundary.
A breakdown of FedRAMP NTC-0009, the outcome of RFC-0024 on machine-readable authorization packages for Rev5, including what changed, the new timelines, and what it means for CSPs, 3PAOs, and agencies.
A hands-on walkthrough of compliance-trestle and AWS Config rules turning your authorization package into a living, automated artifact, and why FedRAMP 20x is moving toward exactly this model.
FedRAMP 20x is the right vision but the compliance burden didn't disappear, it shifted from analysts to engineers. This post breaks down the integration tax, the GRC engineering skills gap, why 3PAO assessors now need to audit code instead of narratives, and what RFC-0017 actually demands of both sides of the table.
AWS's FedRAMP 20x readiness blog reveals what's really underneath: GRC engineering. Here's why compliance evidence is an engineering byproduct.
AWS's 7-layer defense-in-depth architecture is functionally a blueprint for continuous Authority to Operate. GRC engineering and security engineering are converging, and AI is the accelerant.
The Department of War is moving away from static RMF assessments toward a continuous, code-driven risk practice. Here is what mission owners need to know about CSRMC.