Federal GRC Engineering

Compliance-as-Code

The engineering discipline of expressing compliance controls and evidence in machine-readable artifacts (configuration files, policy code, infrastructure templates, automated tests) that are version-controlled, peer-reviewed, and enforced by the same continuous integration pipeline that ships application code. Open Policy Agent and Rego, HashiCorp Sentinel, AWS Config Rules, and OSCAL-based control catalogs are the visible expressions of this discipline. Federal cATO programs and FedRAMP 20x both depend on compliance-as-code; an authorization that requires manual screenshot collection cannot deliver continuous evidence at the cadence the model demands.
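An added example of the pattern the definition describes, not code from this page or from any of the tools it names: two controls expressed as policy code, evaluated in a CI job against the machine-readable plan an infrastructure tool emits, and the result written as a structured evidence record rather than a screenshot. The plan document is constructed inline to mirror the shape of Terraform's JSON plan output; the control identifiers (SC-28, AC-6) are used as NIST SP 800-53 labels for illustration, and the check names and record format are assumptions of this example.

```python
"""Compliance-as-code: controls as tested functions over an IaC plan document.

Hypothetical example. The plan shape mimics Terraform `show -json` output;
control ids label NIST SP 800-53 controls for illustration only.
"""
import json
from dataclasses import dataclass, asdict

# Constructed sample data. Real plans carry IAM policy documents as JSON
# strings, so these are serialized the same way.
ADMIN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]})
READ_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::org-logs/*"}]})

SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "values": {"bucket": "org-logs",
                "server_side_encryption_configuration":
                    [{"rule": [{"sse_algorithm": "aws:kms"}]}]}},
    {"address": "aws_s3_bucket.scratch", "type": "aws_s3_bucket",
     "values": {"bucket": "org-scratch",
                "server_side_encryption_configuration": []}},
    {"address": "aws_iam_policy.admin", "type": "aws_iam_policy",
     "values": {"name": "admin", "policy": ADMIN_POLICY}},
    {"address": "aws_iam_policy.reader", "type": "aws_iam_policy",
     "values": {"name": "reader", "policy": READ_POLICY}},
]}}}


@dataclass
class Finding:
    control: str    # control identifier the failed check maps to
    resource: str   # address of the offending resource in the plan
    message: str


def resources(plan):
    return plan["planned_values"]["root_module"]["resources"]


def check_sc28_encryption_at_rest(plan):
    """SC-28: every S3 bucket must declare server-side encryption."""
    out = []
    for r in resources(plan):
        if r["type"] == "aws_s3_bucket" and not r["values"].get(
                "server_side_encryption_configuration"):
            out.append(Finding("SC-28", r["address"],
                               "no server-side encryption configuration"))
    return out


def check_ac6_no_wildcard_iam(plan):
    """AC-6: no Allow statement may grant Action '*' on Resource '*'."""
    out = []
    for r in resources(plan):
        if r["type"] != "aws_iam_policy":
            continue
        doc = r["values"]["policy"]
        if isinstance(doc, str):          # plans store the policy serialized
            doc = json.loads(doc)
        stmts = doc.get("Statement", [])
        stmts = [stmts] if isinstance(stmts, dict) else stmts
        for s in stmts:
            actions, res = s.get("Action", []), s.get("Resource", [])
            actions = [actions] if isinstance(actions, str) else actions
            res = [res] if isinstance(res, str) else res
            if s.get("Effect") == "Allow" and "*" in actions and "*" in res:
                out.append(Finding("AC-6", r["address"],
                                   "statement allows Action '*' on Resource '*'"))
    return out


# The control catalog lives in version control beside the checks themselves.
CONTROLS = [check_sc28_encryption_at_rest, check_ac6_no_wildcard_iam]


def evaluate(plan):
    findings = []
    for check in CONTROLS:
        findings.extend(check(plan))
    return findings


def evidence_record(plan):
    """Structured evidence a pipeline can archive on every run."""
    findings = evaluate(plan)
    return {
        "controls_evaluated": [c.__doc__.split(":")[0] for c in CONTROLS],
        "compliant": not findings,
        "findings": [asdict(f) for f in findings],
    }


if __name__ == "__main__":
    record = evidence_record(SAMPLE_PLAN)
    print(json.dumps(record, indent=2))
    # Non-zero exit makes the CI stage fail, so the control gates the deploy.
    raise SystemExit(0 if record["compliant"] else 1)
```

Run against the sample plan, the job fails with two findings (the unencrypted scratch bucket and the wildcard admin policy) and emits the JSON record; a reviewer changing a control edits a function, and the change goes through the same pull-request review as any other code.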

The Authority Brief

One compliance analysis per week from Josef Kamara, CPA, CISSP, CISA. Federal and private compliance, written for practitioners.