How we verify every claim.

Every regulatory statement on this site is traced to a primary source before it publishes. Here is the standard, what we commit to, and the proof you can check yourself.

The standard. This library makes claims about controlling rules: NIST publications, the AICPA Trust Services Criteria, 45 CFR Part 164, the EU AI Act, FedRAMP RFCs and Notices, DFARS clauses, state privacy statutes. A claim about a rule is only as reliable as the source behind it. So every regulatory claim here is anchored to the primary source: the rule itself, not a summary of it, not a vendor’s characterization of it, not a remembered version of it. When a secondary account and the primary source disagree, the primary source governs. We read the rule first, and we cite the rule, not the retelling.

What we commit to

Four standards every claim meets.

The source is named correctly. The report or rule we cite matches its actual published title. A report that does not exist cannot support a sentence that does.

The statistic is traceable. Every figure points to a specific place in the cited document. If we cannot show where the number lives in the source, the number does not run.

The framing matches the source. The claim says what the source says, in the sense the source meant it, not a more convenient version of it.

An unverifiable citation comes out. A defensible claim with no citation beats a claim propped up by a source that does not support it. Credibility compounds, and one bad citation discounts every good one beside it.

The proof

Standards are easy to claim. So we publish the evidence.

Corrections, in full. When a re-read finds a claim that no longer holds, we correct it and publish the change with the citation that drove it. Every entry pairs the old wording with the new. See the Corrections log.

A verification date on the work. As articles clear a primary-source re-read, they carry the date they were verified, so you are not trusting a claim of rigor, you are seeing when the work was last checked.

The questions we have not resolved. Where the rule is silent and credible practitioners diverge, we publish the question, our reading, and the dissent, instead of manufacturing certainty. On the highest-stakes ones, we file the guidance request with the authority, the same discipline public accounting firms use when they ask a regulator for an interpretation in writing. See Open Questions.

Why we publish this. Most sites ask you to trust the author. We would rather show you the standard and let you check the work. It is also how a careful reader can tell verified analysis from confident-sounding filler.

If you find a claim on this site that does not trace to its source, tell us. Use the Ask Us form, or write to info@josefkamara.com.

The Authority Brief

One compliance analysis per week from Josef Kamara, CPA, CISSP, CISA. Federal and private compliance, written for practitioners.