
Compliance as code
SSPs are generated from the same source as the Terraform — no parallel documentation universe.
Control implementations live in compliance-trestle. OSCAL component definitions per system, diff-able in git. Inheritance from CSP / shared-service profiles (FedRAMP, CMS, DoD). Assessment results land back as OSCAL and the SAR auto-builds. POA&Ms are generated from failed controls — not authored by hand.




