7 posts
A field-tested primer on human-centered cybersecurity: why twenty-five years of research finally made it into federal mandates in 2026, why the practitioner is the most underdesigned-for user in the system, and what agencies should actually do about it.
On May 4, 2026, FedRAMP launched the public preview of the Consolidated Rules for 2026 (CR26). Plain language requirements, machine-readable structure, a stable two-and-a-half-year content window, and a GitHub-driven feedback model. Here's what's actually in it and what CSPs should be doing right now.
Using Phil Venables' Field CISO framework as a lens to describe what the role actually looks like from inside it at Knox Systems, where the product is a FedRAMP shared boundary.
A breakdown of FedRAMP NTC-0009, the outcome of RFC-0024 on machine-readable authorization packages for Rev5, including what changed, the new timelines, and what it means for CSPs, 3PAOs, and agencies.
A hands-on walkthrough of compliance-trestle and AWS Config rules turning your authorization package into a living, automated artifact, and why FedRAMP 20x is moving toward exactly this model.
FedRAMP 20x is the right vision but the compliance burden didn't disappear, it shifted from analysts to engineers. This post breaks down the integration tax, the GRC engineering skills gap, why 3PAO assessors now need to audit code instead of narratives, and what RFC-0017 actually demands of both sides of the table.
AWS's FedRAMP 20x readiness blog reveals what's really underneath: GRC engineering. Here's why compliance evidence is an engineering byproduct.