4 posts
A field-tested primer on human-centered cybersecurity: why twenty-five years of research finally made it into federal mandates in 2026, why the practitioner is the most underdesigned-for user in the system, and what agencies should actually do about it.
FedRAMP 20x is the right vision but the compliance burden didn't disappear, it shifted from analysts to engineers. This post breaks down the integration tax, the GRC engineering skills gap, why 3PAO assessors now need to audit code instead of narratives, and what RFC-0017 actually demands of both sides of the table.
AWS's 7-layer defense-in-depth architecture is functionally a blueprint for continuous Authority to Operate. GRC engineering and security engineering are converging, and AI is the accelerant.
The Department of War is moving away from static RMF assessments toward a continuous, code-driven risk practice. Here is what mission owners need to know about CSRMC.