Luigi Carpio
GRC Engineer

CJIS v6.0 · FedRAMP High · NIST 800-53 · Public Safety Technology

Building open-source compliance automation tools and machine-readable evidence pipelines for public safety technology. Specializing in the intersection of CJIS, FedRAMP, NIST, and OSCAL for federal and state/local government cloud environments.

About

I spent years in law enforcement using public safety technology in the field. Now I build the compliance tools that keep those systems secure and audit-ready.

GRC Engineer specializing in compliance automation for public safety technology. I build open-source Python and AWS tools that automate audit evidence collection, continuous monitoring, policy-as-code scanning, and compliance-as-code infrastructure, mapped to CJIS v6.0, FedRAMP High, and NIST 800-53 Rev 5.

From Identity Governance at a financial services company (privileged access monitoring, user access reviews, RBAC analysis) to product support at a FedRAMP High public safety software company, I've worked hands-on with the controls most GRC programs only audit from a distance.

Projects

Compliance automation tools, framework documentation, and policy-as-code projects for public safety technology. Together, they form a compliance lifecycle: detect, monitor, remediate, collect evidence, and report. Each card links to the GitHub repo where the README, code, and detailed documentation live.

Built

Projects shipped or actively in development. Each card links to the GitHub repo, README, and code.

Compliance Automation

Continuous Monitoring Dashboard

Event-driven compliance monitoring with AWS Config rules, Lambda auto-remediation, and SSM automation. Provides the foundation for FedRAMP 20x Key Security Indicator tracking and continuous compliance assurance.

CJIS v6.0 · FedRAMP 20x · FedRAMP High
AWS Config · EventBridge · Lambda · Python · SSM
Framework Documentation

AWS Security Baseline (Compliance-as-Code)

CloudFormation templates and Service Control Policies for FedRAMP High compliant resource deployment. Implements preventive compliance guardrails as infrastructure-as-code with CJIS v6.0 boundary protection controls.

CJIS v6.0 · FedRAMP High · NIST 800-53 Rev 5
AWS · CloudFormation · SCPs · Terraform
Framework Documentation

NIST 800-53 Rev 5 to AWS Service Mapping

Maps NIST 800-53 Rev 5 control families to AWS services with implementation guidance. Produces OSCAL Component Definition JSON and human-readable markdown for FedRAMP 20x machine-readable evidence requirements. Covers AC, IA, SC, AU, and CM control families.

FedRAMP High · NIST 800-53 Rev 5
AWS · OSCAL · Python
Policy-as-Code

Policy-as-Code Scanner

Python CLI that validates AWS IAM policies against NIST 800-53 and CJIS v6.0. Includes checks for MFA on CJI resources, cross-account access restrictions, and inverse IAM fields. Produces audit-ready JSON evidence with framework mappings and control IDs.

CJIS v6.0 · FedRAMP High · NIST 800-53 Rev 5
GitHub Actions · Python
Policy-as-Code

Secret Scanner

Recursive directory and repository scanner for exposed credentials and secrets with CI/CD gating via non-zero exit codes. Integrates into GitHub Actions pipelines for automated security scanning, mapped to NIST 800-53 IA-5(7), SC-12, and SC-28 controls.

NIST 800-53 Rev 5
Python · GitHub Actions

Roadmap

What's next. Planned projects that round out the compliance lifecycle.

Compliance Automation

CJIS Encryption Validator

Validates FIPS 140-2/3 encryption and agency-managed key controls for Criminal Justice Information at rest and in transit. Checks KMS key configuration, key rotation policies, and CJI-specific encryption requirements that go beyond standard FedRAMP High controls.

CJIS v6.0 · FedRAMP High · NIST 800-53 Rev 5
AWS KMS · Python
Planned
Compliance Automation

IAM Access Review

Automated IAM access review tool with CJIS v6.0 identity control validation and AAL2 MFA verification. Built from IGA experience with privileged access monitoring and RBAC analysis in regulated financial services.

CJIS v6.0 · FedRAMP High · NIST 800-53 Rev 5
AWS IAM · Python
Planned
Compliance Automation

Unified Evidence Collector

Suite of Python audit tools for automated compliance evidence collection across IAM, S3 encryption, security groups, and CloudTrail. Consolidates five individual audit repositories into a unified evidence collection pipeline with OSCAL-formatted output.

CJIS v6.0 · FedRAMP High · NIST 800-53 Rev 5
AWS · Python
Planned
Framework Documentation

CJIS v6.0 to FedRAMP High Gap Analysis

Analyzes the compliance delta between CJIS v6.0 and FedRAMP High baselines, both now aligned to NIST 800-53 Rev 5. Identifies where CJIS requirements exceed FedRAMP High controls, focusing on encryption, identity, and audit logging deltas.

CJIS v6.0 · FedRAMP High · NIST 800-53 Rev 5
Python · OSCAL
Planned
Framework Documentation

OSCAL Evidence Pipeline

Transforms audit tool outputs into OSCAL Assessment Results JSON for FedRAMP 20x machine-readable evidence submission. Uses IBM Compliance Trestle for OSCAL model manipulation and generates valid artifacts that could be submitted directly to the FedRAMP PMO.

FedRAMP 20x · NIST 800-53 Rev 5
AWS · IBM Compliance Trestle · OSCAL · Python
Planned
Framework Documentation

Public Safety Reference Architecture (Capstone)

Reference architecture for a public safety cloud environment meeting FedRAMP High, CJIS v6.0, and GovRAMP requirements simultaneously. Demonstrates multi-framework compliance design thinking for AWS GovCloud with CJI enclave segmentation.

CJIS v6.0 · FedRAMP High · GovRAMP · NIST 800-53 Rev 5
AWS GovCloud · Documentation
Planned
Policy-as-Code

AI Risk Assessment Template

AI risk assessment template for public safety technology mapped to NIST AI RMF and ISO 42001 Annex A. Includes risk classification for facial recognition, predictive policing, and AI-assisted dispatch — all high-risk AI use cases under the EU AI Act.

ISO 42001 · NIST AI RMF
Documentation · Markdown
Planned

Skills & Expertise

Compliance Frameworks

CJIS v6.0 · CMMC · FedRAMP High · GovRAMP · NIST 800-53 Rev 5 · NIST 800-171 · NIST CSF 2.0

Technical Skills

AWS (GovCloud, Config, Security Hub, IAM, KMS, CloudTrail, Lambda) · Bash · CloudFormation · GitHub Actions · OPA/Rego · OSCAL · Python · REST APIs · SQL · Terraform

GRC Tooling

AWS Audit Manager · Checkov · Conftest · IBM Compliance Trestle · myctrl.tools

Observability

Kibana/OpenSearch · Sentry · Splunk

Concepts

Compliance-as-Code · Continuous Monitoring · FedRAMP 20x KSIs · Identity Governance & Administration (IGA) · OSCAL Component Definitions · Policy-as-Code

Certifications

SSCP (Systems Security Certified Practitioner) · (ISC)²

CySA+ (CompTIA Cybersecurity Analyst+) · CompTIA

PenTest+ · CompTIA

Security+ · CompTIA

Network+ · CompTIA

A+ · CompTIA

Project+ · CompTIA

ITIL 4 Foundation · PeopleCert / Axelos

LPI LE (Linux Essentials) · Linux Professional Institute
