Luigi Carpio
GRC Engineer
CJIS v6.0 · FedRAMP High · NIST 800-53 · Public Safety Technology
Building open-source compliance automation tools and machine-readable evidence pipelines for public safety technology. Specializing in the intersection of CJIS, FedRAMP, NIST, and OSCAL for federal and state/local government cloud environments.
About
I spent years in law enforcement using public safety technology in the field. Now I build the compliance tools that keep those systems secure and audit-ready.
GRC Engineer specializing in compliance automation for public safety technology. I build open-source Python and AWS tools that automate audit evidence collection, continuous monitoring, policy-as-code scanning, and compliance-as-code infrastructure, mapped to CJIS v6.0, FedRAMP High, and NIST 800-53 Rev 5.
From Identity Governance at a financial services company (privileged access monitoring, user access reviews, RBAC analysis) to product support at a FedRAMP High public safety software company, I've worked hands-on with the controls most GRC programs only audit from a distance.
Projects
Compliance automation tools, framework documentation, and policy-as-code projects for public safety technology. Together, they form a compliance lifecycle: detect, monitor, remediate, collect evidence, and report. Each card links to the GitHub repo where the README, code, and detailed documentation live.
Built
Projects shipped or actively in development. Each card links to the GitHub repo, README, and code.
AWS Compliance as Code
Preventive AWS compliance guardrails using Service Control Policies and a five-layer CloudFormation baseline covering CloudTrail logging, IAM, KMS encryption, AWS Config rules, and GuardDuty + Security Hub. SCPs block non-compliant actions org-wide while CloudFormation provisions resources that satisfy CJIS v6.0, FedRAMP High, and NIST 800-53 Rev 5 controls by default.
AWS Config Compliance Monitor
Event-driven compliance monitoring with AWS Config rules, Lambda auto-remediation, and SSM automation. Provides the foundation for FedRAMP 20x Key Security Indicator tracking and continuous compliance assurance.
CJIS v6.0 to FedRAMP High Gap Analysis
Identifies where CJIS Security Policy v6.0 exceeds FedRAMP High requirements, distinguishing implementation-level deltas (stricter parameters like AAL2 MFA and agency-managed CMKs) from control-level gaps (CJIS-only privacy controls absent from FedRAMP High). Encoded as a machine-readable OSCAL overlay so the deltas can drive FedRAMP 20x compliance-as-code pipelines instead of spreadsheet audits.
NIST 800-53 Rev 5 to AWS Service Mapping
Maps 31 NIST 800-53 Rev 5 controls (AC, AU, CM, IA, IR, SC, SI families) to AWS services as an OSCAL Component Definition JSON, with a Python generator that renders FedRAMP High filtered output. Includes a CJIS v6.0 delta section identifying the 5 controls where law enforcement deployments must exceed FedRAMP High.
OSCAL Evidence Pipeline
Transforms audit tool outputs into OSCAL Assessment Results JSON for FedRAMP 20x machine-readable evidence submission. Uses IBM Compliance Trestle for OSCAL model manipulation and generates valid artifacts that could be submitted directly to the FedRAMP PMO.
Policy-as-Code Scanner
Python CLI that scans AWS IAM policy JSON for overly permissive statements — wildcard actions/resources, service-level wildcards — and CJI-specific risks like missing MFA conditions and unrestricted cross-account access. Produces audit-ready JSON evidence mapped to NIST 800-53, FedRAMP, and CJIS v6.0 controls, integrated into CI via GitHub Actions.
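As an illustration of the checks this card describes, here is an added example (not the project's own code): a minimal Python scanner that walks an IAM policy document, flags wildcard actions and resources, service-level wildcards, privileged grants with no MFA condition and wide-open principals, and tags each finding with an illustrative NIST 800-53 control mapping. The sample policy and the control table are constructed for the demo and are assumptions, not the project's real mapping.

```python
# Illustrative NIST 800-53 mapping per check (assumed here, not the project's own table).
CONTROL_MAP = {"WILDCARD_ACTION": ["AC-6", "AC-6(1)"], "SERVICE_WILDCARD": ["AC-6"],
               "WILDCARD_RESOURCE": ["AC-3", "AC-6"], "MISSING_MFA": ["IA-2(1)"],
               "OPEN_PRINCIPAL": ["AC-3", "AC-17"]}

# Constructed sample policy for the demo, not a real agency policy.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "S3Broad", "Effect": "Allow", "Action": ["s3:*"],
     "Resource": "arn:aws:s3:::cji-evidence-bucket/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Sid": "Scoped", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::cji-evidence-bucket/*"}]}

def _as_list(value):
    """IAM accepts either a string or a list for Action, Resource and Principal."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _has_mfa_condition(condition):
    """True if any condition operator references aws:MultiFactorAuthPresent."""
    return any(k.lower() == "aws:multifactorauthpresent"
               for keys in condition.values() for k in keys)

def scan_policy(policy):
    """Return one finding per failed check for each Allow statement."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        principal = stmt.get("Principal")
        condition = stmt.get("Condition", {})
        checks = []
        if "*" in actions:
            checks.append("WILDCARD_ACTION")
        elif any(a.endswith(":*") for a in actions):
            checks.append("SERVICE_WILDCARD")  # e.g. s3:* grants every S3 action
        if "*" in _as_list(stmt.get("Resource")):
            checks.append("WILDCARD_RESOURCE")
        # Broad or IAM-level grants should be gated on an MFA condition for CJI access.
        privileged = bool(checks) or any(a.lower().startswith("iam:") for a in actions)
        if privileged and not _has_mfa_condition(condition):
            checks.append("MISSING_MFA")
        # Resource policies open to any AWS principal with no restricting condition.
        open_aws = isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))
        if (principal == "*" or open_aws) and not condition:
            checks.append("OPEN_PRINCIPAL")
        sid = stmt.get("Sid", f"Statement{idx}")
        findings.extend({"sid": sid, "check": c, "controls": CONTROL_MAP[c]} for c in checks)
    return findings
```

Feeding the findings list to `json.dumps` gives the kind of evidence record a CI gate can archive, and a non-empty list is the signal to fail the build.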
Secret Scanner
Python CLI that recursively scans directories and repos for exposed AWS credentials, API keys, JWTs, connection strings, and CJI identifiers (ORI numbers, NCIC codes, FBI Numbers, State IDs) — patterns specific to law enforcement systems. Returns non-zero exit codes for CI/CD gating via GitHub Actions, with findings mapped to NIST 800-53, FedRAMP High, and CJIS v6.0 controls (IA-5(7), SC-12, SC-13, SC-28).
Roadmap
What's next. Planned projects that round out the compliance lifecycle.
CJIS Encryption Validator
Validates FIPS 140-2/3 encryption and agency-managed key controls for Criminal Justice Information at rest and in transit. Checks KMS key configuration, key rotation policies, and CJI-specific encryption requirements that go beyond standard FedRAMP High controls.
IAM Access Review
Automated IAM access review tool with CJIS v6.0 identity control validation and AAL2 MFA verification. Built from IGA experience with privileged access monitoring and RBAC analysis in regulated financial services.
Unified Evidence Collector
Suite of Python audit tools for automated compliance evidence collection across IAM, S3 encryption, security groups, and CloudTrail. Consolidates five individual audit repositories into a unified evidence collection pipeline with OSCAL-formatted output.
Public Safety Reference Architecture (Capstone)
Reference architecture for a public safety cloud environment meeting FedRAMP High, CJIS v6.0, and GovRAMP requirements simultaneously. Demonstrates multi-framework compliance design thinking for AWS GovCloud with CJI enclave segmentation.
AI Risk Assessment Template
AI risk assessment template for public safety technology mapped to NIST AI RMF and ISO 42001 Annex A. Includes risk classification for facial recognition, predictive policing, and AI-assisted dispatch — all high-risk AI use cases under the EU AI Act.
Skills & Expertise
Compliance Frameworks
Technical Skills
GRC Tooling
Observability
Concepts
Certifications
SSCP · (ISC)²
CySA+ · CompTIA
PenTest+ · CompTIA
Security+ · CompTIA
Network+ · CompTIA
A+ · CompTIA
Project+ · CompTIA
ITIL 4 · PeopleCert / Axelos
LPI LE · Linux Professional Institute