The compliance posture nobody tells you to write down

Compliance documentation almost always lists what an organization is compliant with. The list of what an organization is intentionally not compliant with is more useful and almost never written down.

Why the negative list matters

Auditors ask. New hires ask. Successors ask. The answer "we considered FedRAMP and chose not to pursue authorization because none of our workloads handle the data types it covers" is a defensible position. The same situation undocumented looks like an oversight.

What to write down

  • Frameworks you considered and why you do not pursue them.
  • Controls for which you have decided to accept the risk, with the rationale and the approver.
  • Optional implementations you have chosen not to add, with their cost and why the cost outweighs the benefit.
  • Future state: what would change if circumstances changed.

The format does not matter much

A spreadsheet, a wiki page, a section of your security policy. What matters is that someone two years from now can read it and understand what was decided, when, and by whom.
