The Audit Defense Library

Practitioner-depth analysis across federal and private compliance: FISMA and NIST RMF, FedRAMP, CMMC, federal AI governance, SOC 2, AI governance, cybersecurity, and GRC engineering. Written by a CPA, CISSP, CISA with Big 4 audit experience.

FedRAMP

FedRAMP Moderate vs High Cost: The 87-Control Delta and the Re-baseline Economics Most Vendors Miss

FedRAMP Moderate has 324 controls. FedRAMP High has 411. The delta is 87 controls and control enhancements spanning 15 of 20 control families. That number, 87, is the headline every comparison article cites. The number...

FedRAMP

FedRAMP 20x First-Shell Submission Walkthrough: Eight Artifacts and Four Gating Questions

FedRAMP 20x Phase 2 concluded in late March 2026 after two pilot cohorts. The Program Management Office's review window ran through March 31. Phase 3, the wide-adoption phase that opens 20x to general submission, is...

Federal Cybersecurity

SBOM Federal Contractor Playbook After OMB M-26-05: The Four Agency Archetypes

On January 23, 2026, the Office of Management and Budget published Memorandum M-26-05 and rescinded the Common Form attestation requirement that had anchored federal software supply chain compliance for three years. Memoranda M-22-18 and M-23-16...

SOC 2

SOC 2 Carve-Out vs Inclusive Method: The Four-Dimension Decision Matrix and the Contract Language That Matters

The carve-out vs inclusive method choice is not a contest between competing audit methods. It is a choice between two cost models. Carve-out keeps your audit scope narrow and treats the subservice organization through vendor-risk-management...

SOC 2

SOC 2 Bridge Letter Template and Signing Rules: Three Valid Signers, Four Required Elements

A SOC 2 bridge letter is signed by management, never the auditor. The bridge covers the gap between your last Type II report and the customer's current date, and never more than three months. Every...

GovCon Compliance

Section 889 Reasonable-Inquiry Tech Evidence: SBOM, Asset Inventory, Procurement Controls, and Network Telemetry

Section 889 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 imposes a certification requirement on every prime contractor: certify, on the basis of a reasonable inquiry, that the entity does...

FedRAMP

DoD Impact Level 5: The 175-Control Delta from FedRAMP High and the Four Architecture Changes That Matter More

Department of Defense Impact Level 5 is FedRAMP High plus 170 to 175 additional controls, depending on how you count the Committee on National Security Systems Instruction 1253 National Security System overlays. The control count...

AI Governance

AI Red Teaming Methodology: The OWASP + NIST + MITRE ATLAS Synthesis for Enterprise Programs

AI red teaming is now governed by three canonical sources: OWASP Top 10 for Agentic Applications, NIST AI 600-1 plus the Risk Management Framework Playbook, and MITRE ATLAS. None of them, on their own, gives...

AI Governance

AI Agent Identity Governance: The IAM vs AI Governance RACI for Seven Functions

Ninety-one percent of organizations now run AI agents in production. Twenty-three percent have a formal enterprise-wide ownership strategy for those agents [ConductorOne 2026 Future of Identity Report]. Ninety-five percent run agents that autonomously perform IT...

CMMC

CUI Marking and Dissemination Controls: The Four-Layer Guide for DoDI 5200.48 Compliance

Most Controlled Unclassified Information marking guidance tells you to add the banner and portion marks. The marking that fails contractors is the over-marking, specifically a portion mark on the Designation Indicator block, which DoD Instruction...

Federal Zero Trust

Microsegmentation for Federal Zero Trust: The Six-Phase Roadmap CISA Part One Already Supports

The Cybersecurity and Infrastructure Security Agency released the first half of its microsegmentation guidance on July 29, 2025: Microsegmentation in Zero Trust, Part One. Part One covers the concepts, the challenges, and the benefits. It...

CMMC

CMMC Enclave vs Full GCC High Migration: The Six-Question Decision Tree for the November 2026 Deadline

Cybersecurity Maturity Model Certification (CMMC) Phase 2 begins November 10, 2026, per 32 CFR §170.3(e). On that date, mandatory third-party assessment by a Certified Third-Party Assessor Organization (C3PAO) becomes the default for Level 2 contracts,...

The Authority Brief

One compliance analysis per week from Josef Kamara, CPA, CISSP, CISA. Federal and private compliance, written for practitioners.