Regulatory Compliance Pack
End-to-end regulatory compliance framework with monitoring, reporting, gap analysis, and remediation planning. Use when establishing or impr
The Spreadsheet Tax You Pay on Every Audit
Every engineer knows the smell of an upcoming audit. It's the smell of panic. You have a feature to ship, but the compliance officer needs evidence that your "Protect" controls are active. You open a 400-row Excel sheet. You hunt for screenshots. You realize the AWS Control Tower guardrails you configured six months ago were overridden by a developer who just wanted to test a port. You spend three days gathering evidence for a SOC2 or NIST 800-53 audit. This is the spreadsheet tax. It's a tax on your time, your sanity, and your velocity. We built the Regulatory Compliance Pack because we were tired of treating compliance as a manual, post-hoc ritual. We wanted to treat it like code: declarative, testable, and enforced by the platform. If you're still using a shared drive full of PDFs to track your controls, you're already behind. The modern stack demands modern governance. You can't manage a microservices architecture with a monolithic compliance mindset. We designed this pack to bridge that gap. It brings the rigor of regulatory frameworks into the CI/CD pipeline, so you don't have to choose between speed and security.
Install this skill
npx quanta-skills install regulatory-compliance-pack
Requires a Pro subscription. See pricing.
Why Manual Gap Analysis Bleeds Revenue and Trust
Ignoring the automation of compliance isn't free. It costs you in three ways: hours, dollars, and risk. When you rely on manual gap analysis, you miss controls. A 2026 analysis of multi-framework gap analysis best practices shows that consolidating requirements into a unified control set cuts audit time and lowers cost, but only if you automate the mapping [4]. Without automation, you're guessing. You might pass a self-assessment today, but when the auditor asks for evidence of continuous monitoring, you're stuck. The cost of a failed audit isn't just the retainer; it's the lost enterprise deal. A fintech startup can't close a Series B if their internal controls are a black box. NIST SP 800-53 provides a catalog of security and privacy controls to protect organizational operations, but the framework is useless if you can't operationalize it [1]. Every hour you spend manually checking a control is an hour you're not shipping. Every missed control is a potential breach. The risk compounds. You're not just delaying features; you're accumulating technical debt in your governance layer. Silent Sector notes that NIST SP 800-53 can be a great foundation for companies with the right resources, but without those resources, it becomes a bottleneck [2]. A compliance gap analysis identifies gaps between current practices & regulatory requirements, but manual identification is prone to error [5]. Titania emphasizes that maintaining compliance requires continuous effort, not a one-time project [6]. If you're not automating, you're failing.
A Hypothetical Platform Team's NIST 800-53 Nightmare
Imagine a platform engineering team at a mid-sized SaaS provider. They're aiming for NIST 800-53 compliance. They have a target state defined in their architecture docs, but their current state is a mess of ad-hoc scripts and forgotten IAM policies. They need to perform a gap analysis. Without tools, they'd have to manually cross-reference their current AWS infrastructure against the control catalog. This is exactly the kind of work that leads to burnout. A practical guide to multi-framework gap analysis suggests that automation is key to avoiding this trap [4]. In our hypothetical scenario, the team installs the Regulatory Compliance Pack. They run the gap-analysis.sh script against their current state JSON and target state JSON. The script exits non-zero, flagging five critical gaps in their access controls. It outputs a prioritized report. They don't have to hunt for the missing controls; the script tells them exactly which control IDs are failing. This mirrors the workflow described in modern gap analysis skills that cross-reference tailored control catalogs against artifacts [7]. The team fixes the gaps, updates their Terraform, and re-runs the script. The exit code is zero. They have evidence. They have a remediation plan. They have sleep. This isn't magic; it's just treating compliance as engineering.
Let's look at the data. The current-state.json contains fields for control ID, implementation status, and maturity level. The target-state.json contains the desired maturity level. The script compares these. It outputs a JSON report with gap_id, control_id, severity, current_value, target_value, and recommendation. The severity is calculated based on the NIST 800-37 RMF steps. If a control is in the "Implement" step but missing, it's critical. The team uses the remediation-plan.yaml to assign owners. They commit the plan to the repo. They set up a CI job to run validate-gap-report.sh. If the report is invalid, the build fails. This is how you enforce compliance. You don't argue with auditors; you show them the logs.
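The comparison described above, as an added example in Python rather than the pack's own bash script (this is not gap-analysis.sh and it does not reproduce the pack's examples/ files): it loads a Current State and a Target State profile, rejects input that lacks the fields the page names, computes a severity per control, and emits a prioritized report with the gap_id, control_id, severity, current_value, target_value and recommendation fields. The sample profiles, the rmf_step field on target entries, the 0-4 maturity scale, the GAP-NNN id format and the severity tiers other than the page's "missing in the Implement step is critical" rule are assumptions made here.

```python
"""Minimal gap analysis between a Current State and a Target State profile.

Added example modelled on the page's description of gap-analysis.sh; it is
not the pack's script. Field names beyond those the page lists (rmf_step,
the 0-4 maturity scale, GAP-NNN ids) are assumptions of this example.
"""
import json
import sys

# Constructed sample profiles (not the pack's examples/ files).
CURRENT_STATE_JSON = """
{"controls": [
  {"control_id": "AC-2",  "implementation_status": "implemented", "maturity": 2},
  {"control_id": "AC-6",  "implementation_status": "partial",     "maturity": 1},
  {"control_id": "IA-2",  "implementation_status": "implemented", "maturity": 4},
  {"control_id": "AU-12", "implementation_status": "planned",     "maturity": 0}
]}
"""

TARGET_STATE_JSON = """
{"controls": [
  {"control_id": "AC-2",  "maturity": 3, "rmf_step": "Monitor"},
  {"control_id": "AC-6",  "maturity": 3, "rmf_step": "Implement"},
  {"control_id": "IA-2",  "maturity": 3, "rmf_step": "Monitor"},
  {"control_id": "AU-12", "maturity": 2, "rmf_step": "Select"},
  {"control_id": "SC-7",  "maturity": 2, "rmf_step": "Implement"}
]}
"""

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
REQUIRED_CURRENT = {"control_id", "implementation_status", "maturity"}
REQUIRED_TARGET = {"control_id", "maturity", "rmf_step"}


def load_profile(text: str, required: set) -> dict:
    """Parse a profile and reject it if any control lacks a required field."""
    data = json.loads(text)
    controls = data.get("controls")
    if not isinstance(controls, list):
        raise ValueError("profile must contain a 'controls' list")
    for c in controls:
        missing = required - set(c)
        if missing:
            raise ValueError(f"control {c.get('control_id', '?')} lacks {sorted(missing)}")
    return {c["control_id"]: c for c in controls}


def severity(current, target) -> str:
    """Page rule: a control the target places in the RMF 'Implement' step but
    that is missing (or not implemented) is critical. Other tiers are assumed."""
    not_implemented = current is None or current["implementation_status"] != "implemented"
    if not_implemented:
        return "critical" if target["rmf_step"] == "Implement" else "high"
    shortfall = target["maturity"] - current["maturity"]
    return "high" if shortfall >= 2 else "medium"


def analyze_gaps(current_text: str, target_text: str) -> list:
    """Return the prioritized gap report (most severe first)."""
    current = load_profile(current_text, REQUIRED_CURRENT)
    target = load_profile(target_text, REQUIRED_TARGET)
    gaps = []
    for cid, tgt in target.items():
        cur = current.get(cid)
        if cur and cur["implementation_status"] == "implemented" and cur["maturity"] >= tgt["maturity"]:
            continue  # meets or exceeds the target: no gap
        gaps.append({
            "control_id": cid,
            "severity": severity(cur, tgt),
            "current_value": (
                {"implementation_status": cur["implementation_status"], "maturity": cur["maturity"]}
                if cur else None  # None: control absent from the current state
            ),
            "target_value": {"implementation_status": "implemented", "maturity": tgt["maturity"]},
            "recommendation": f"Bring {cid} to implemented at maturity {tgt['maturity']} ({tgt['rmf_step']} step)",
        })
    # Prioritize: most severe first, then by control id for a stable report.
    gaps.sort(key=lambda g: (SEVERITY_RANK[g["severity"]], g["control_id"]))
    for i, g in enumerate(gaps, start=1):
        g["gap_id"] = f"GAP-{i:03d}"
    return gaps


def exit_code(gaps: list) -> int:
    """Non-zero when any critical gap remains, so a CI job can fail on it."""
    return 1 if any(g["severity"] == "critical" for g in gaps) else 0


if __name__ == "__main__":
    try:
        report = analyze_gaps(CURRENT_STATE_JSON, TARGET_STATE_JSON)
    except ValueError as exc:
        print(f"invalid input: {exc}", file=sys.stderr)
        sys.exit(2)  # invalid input: distinct from "gaps found"
    print(json.dumps(report, indent=2))
    sys.exit(exit_code(report))
```

Run stand-alone it prints four gaps (AC-6 and SC-7 critical, AU-12 high, AC-2 medium) and exits 1; invalid input exits 2, so a pipeline can tell "controls are failing" from "the profile is malformed".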
From Panic to Compliance-as-Code
Once you install this pack, the dynamic shifts. You stop chasing auditors and start feeding them. The pack introduces a workflow: Assess, Map, Remediate, Monitor. You get embedded canonical knowledge of NIST CSF 2.0 and NIST SP 800-37 RMF. You don't have to memorize the six functions of the NIST CSF Core; the references are in the repo. You get production-grade Terraform modules for AWS Control Tower guardrails. You get executable scripts that simulate continuous monitoring. When you run compliance-monitor.sh, it checks your control statuses against thresholds and alerts you if critical controls fail. This is how you achieve compliance as a developer would expect: with clear inputs, deterministic outputs, and automated feedback loops. Automated assessment types reduce the burden on engineering teams compared to traditional third-party reviews [8]. You can also integrate this with other packs. If you need to map these controls to SOC2 or GDPR, the Compliance Framework Pack handles the systematic framework mapping. If you're in healthcare, the HIPAA Compliance Pack provides the specific risk assessment methodology. If you need to build automated trackers, the Building Automated Regulatory Compliance Trackers Pack extends this logic. You're no longer a compliance officer's assistant; you're a platform engineer building a compliant system.
The aws-controltower.tf module uses aws_controltower_control resources. It enforces SCPs. It ensures that S3 buckets are encrypted. It ensures that CloudTrail is enabled. It ensures that IAM users have MFA. The compliance-monitor.sh script reads the remediation-plan.yaml. It checks the status of each control. If a control fails, it sends an alert to Slack. It updates a dashboard. It tracks the compliance score over time. This is continuous compliance. It's not a snapshot; it's a stream. You can integrate this with the Compliance Audit Trail Pack to ensure that all changes are logged. You can use the Internal Audit Automation Pack to plan the audit schedule. You can use the Privacy Impact Assessment Framework Pack to assess the privacy risks of new features. You can use the Financial Compliance Pack to ensure financial controls are met. You can use the Corporate Governance Pack to manage board oversight. You can use the Building Automated Regulatory Compliance Trackers Pack to build custom trackers. You can use the Compliance Framework Pack to map controls to other frameworks. This is the ecosystem of modern compliance. It's not a single tool; it's a system.
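The monitoring loop described above, as an added example in Python that is not the pack's compliance-monitor.sh: it scores a list of control statuses, raises one alert per failing control, fails the run when a critical control fails or the score drops below a threshold, and tracks the score across runs. The pack reads remediation-plan.yaml; to stay dependency-free this example embeds the equivalent records as Python literals. The sample statuses, the severity weights, the 90% threshold, the alert wording and the absence of a real Slack post (alerts are only printed) are assumptions made here.

```python
"""Continuous compliance check over a list of control statuses.

Added example modelled on the page's description of compliance-monitor.sh;
not the pack's script. Records below stand in for the remediation plan plus
the statuses a monitoring run would gather from the platform. Weights,
thresholds and alert text are assumptions.
"""
import sys

# Constructed control statuses (severity as recorded in the remediation plan).
CONTROL_STATUSES = [
    {"control_id": "AC-2",  "severity": "high",     "status": "pass", "owner": "platform"},
    {"control_id": "AC-6",  "severity": "critical", "status": "fail", "owner": "platform"},
    {"control_id": "IA-2",  "severity": "critical", "status": "pass", "owner": "identity"},
    {"control_id": "AU-12", "severity": "medium",   "status": "fail", "owner": "sec-ops"},
    {"control_id": "SC-7",  "severity": "critical", "status": "pass", "owner": "network"},
]

WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}  # assumed weights
MIN_SCORE = 90.0  # assumed threshold below which the run fails


def compliance_score(statuses) -> float:
    """Severity-weighted percentage of passing controls (100.0 for an empty list)."""
    total = sum(WEIGHT[s["severity"]] for s in statuses)
    passed = sum(WEIGHT[s["severity"]] for s in statuses if s["status"] == "pass")
    return round(100.0 * passed / total, 1) if total else 100.0


def failed_controls(statuses, severities=("critical",)) -> list:
    """Failing controls whose severity is in `severities` (critical by default)."""
    return [s for s in statuses if s["status"] == "fail" and s["severity"] in severities]


def build_alerts(statuses) -> list:
    """One alert line per failing control; critical failures are marked for paging."""
    alerts = []
    for s in statuses:
        if s["status"] != "fail":
            continue
        level = "PAGE" if s["severity"] == "critical" else "NOTIFY"
        alerts.append(f"[{level}] {s['control_id']} ({s['severity']}) failing; owner: {s['owner']}")
    return alerts


def evaluate(statuses, min_score: float = MIN_SCORE) -> dict:
    """Score, alerts and the exit code: 1 if any critical control fails or
    the score is below the threshold, else 0."""
    score = compliance_score(statuses)
    critical_failures = failed_controls(statuses)
    code = 1 if critical_failures or score < min_score else 0
    return {"score": score, "alerts": build_alerts(statuses), "exit_code": code}


def trend(history: list, score: float) -> float:
    """Append the latest score to `history` and return the change since the last run."""
    delta = score - history[-1] if history else 0.0
    history.append(score)
    return round(delta, 1)


if __name__ == "__main__":
    result = evaluate(CONTROL_STATUSES)
    print(f"compliance score: {result['score']}%")
    for line in result["alerts"]:
        print(line)  # the pack posts these to Slack; printing keeps the example offline
    sys.exit(result["exit_code"])
```

With the constructed data the score is 64.7%, AC-6 triggers a PAGE alert, AU-12 a NOTIFY alert, and the run exits 1. Note that a run can also fail with no critical failure at all, purely because the weighted score dips under the threshold; keeping the two conditions separate in evaluate() is what lets a dashboard distinguish "one critical control down" from "many minor controls drifting".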
What's in the Regulatory Compliance Pack
Here is exactly what you get. No fluff. Just the files you need to operationalize compliance.
- skill.md — Orchestrator defining the compliance workflow: Assess (Gap Analysis) -> Map (NIST CSF/RMF) -> Remediate (Action Plans) -> Monitor (Compliance-as-Code). References all templates, scripts, validators, and references.
- references/nist-csf-2.0.md — Embedded canonical knowledge of NIST CSF 2.0 Core: Functions (Govern, Identify, Protect, Detect, Respond, Recover), Categories, and Subcategories. Includes mapping guidance and Profile usage.
- references/rmf-800-37.md — Embedded canonical knowledge of NIST SP 800-37 RMF: Steps (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor). Includes control selection and continuous monitoring guidance.
- templates/aws-controltower.tf — Production-grade Terraform module implementing AWS Control Tower guardrails and SCPs for compliance enforcement. Uses real AWS resource types and control configurations.
- templates/remediation-plan.yaml — Structured YAML template for remediation action plans. Includes fields for control ID, gap severity, remediation steps, owner, due date, and evidence requirements.
- scripts/gap-analysis.sh — Executable bash script that performs a gap analysis between two JSON profile files (Current State vs Target State). Outputs a prioritized gap report in JSON format. Exits non-zero on invalid input.
- scripts/compliance-monitor.sh — Executable bash script that simulates continuous compliance monitoring by checking a list of control statuses against thresholds. Outputs compliance score and alerts. Exits non-zero if critical controls fail.
- validators/validate-gap-report.sh — Validator script that checks the structure and content of a gap analysis report JSON. Ensures all required fields are present, gaps are prioritized, and references valid control IDs. Exits non-zero on validation failure.
- examples/current-state.json — Example JSON file representing an organization's Current State profile with implemented controls and maturity levels.
- examples/target-state.json — Example JSON file representing the Target State profile with desired controls and maturity levels for compliance.
Install and Ship
Stop maintaining spreadsheets. Start enforcing controls. Upgrade to Pro to install the Regulatory Compliance Pack. Run the scripts. Fix the gaps. Ship the feature. The audit will be boring. The team will be happy. The system will be secure. That's the goal.
References
- SP 800-53 Rev. 5, Security and Privacy Controls — csrc.nist.gov
- NIST SP 800 53 Framework Security Services — silentsector.com
- Multi-Framework Gap Analysis: Best Practices — ismscopilot.com
- The Ultimate Guide to NIST SP 800-53 — metricstream.com
- NIST SP 800-53 Compliance Explained - Guide — titania.com
- NIST SP 800-53 Gap Analysis — rakenne.app
- NIST 800-53 Assessment: Complete Guide [2026] — saltycloud.com
Frequently Asked Questions
How do I install Regulatory Compliance Pack?
Run `npx quanta-skills install regulatory-compliance-pack` in your terminal. The skill will be installed to ~/.claude/skills/regulatory-compliance-pack/ and automatically available in Claude Code, Cursor, Copilot, and other AI coding agents.
Is Regulatory Compliance Pack free?
Regulatory Compliance Pack is a Pro skill — $29/mo Pro plan. You need a Pro subscription to access this skill. Browse 37,000+ free skills at quantaintelligence.ai/skills.
What AI coding agents work with Regulatory Compliance Pack?
Regulatory Compliance Pack works with Claude Code, Cursor, GitHub Copilot, Gemini CLI, Windsurf, Warp, and any AI coding agent that reads skill files. Once installed, the agent automatically gains the expertise defined in the skill.