What the Field CISO Role Looks Like in Practice
Using Phil Venables' Field CISO framework as a lens to describe what the role actually looks like from inside it at Knox Systems, where the product is a FedRAMP shared boundary.
7 posts
A breakdown of FedRAMP NTC-0009, the outcome of RFC-0024 on machine-readable authorization packages for Rev5, including what changed, the new timelines, and what it means for CSPs, 3PAOs, and agencies.
A hands-on walkthrough of compliance-trestle and AWS Config rules that turn your authorization package into a living, automated artifact, and why FedRAMP 20x is moving toward exactly this model.
FedRAMP 20x is the right vision, but the compliance burden didn't disappear: it shifted from analysts to engineers. This post breaks down the integration tax, the GRC engineering skills gap, why 3PAO assessors now need to audit code instead of narratives, and what RFC-0017 actually demands of both sides of the table.
AWS's FedRAMP 20x readiness blog reveals what's really underneath: GRC engineering. Here's why compliance evidence is an engineering byproduct.
AWS's 7-layer defense-in-depth architecture is functionally a blueprint for continuous Authority to Operate. GRC engineering and security engineering are converging, and AI is the accelerant.
The Department of War is moving away from static RMF assessments toward a continuous, code-driven risk practice. Here is what mission owners need to know about CSRMC.