
Hey, I'm Luigi (0xBahalaNa)

About Me

I work at the intersection of compliance engineering and public safety technology. My background spans Identity Governance and Administration (privileged access monitoring, user access reviews, RBAC analysis) in regulated financial environments and compliance-focused technical support in a FedRAMP High environment serving federal and state/local law enforcement agencies.

I build tools that automate audit evidence collection, continuous monitoring, and compliance-as-code workflows in AWS, replacing manual checkbox processes with repeatable, scriptable, auditor-ready outputs.

Open to: GRC Engineer | Compliance Engineer | Security Analyst roles specializing in public safety technology

Frameworks: CJIS Security Policy v6.0 | FedRAMP High | NIST 800-53 Rev 5 | NIST CSF 2.0

Certifications: SSCP | CySA+ | PenTest+ | Security+

What I'm Building

These repos form a compliance lifecycle: each tool handles a stage of the continuous monitoring and audit evidence pipeline.

Audit tools detect -> Config monitor watches -> Remediation fixes
    -> Evidence logger collects -> Compliance report visualizes
    -> OSCAL pipeline produces machine-readable SAR evidence

  • GRC Engineering: automating audit evidence collection and compliance-as-code workflows, mapping tools to CJIS Security Policy, FedRAMP, and NIST 800-53 controls
  • Identity Engineering (IAM/IGA): streamlining access reviews and provisioning pipelines, applying AC-family control requirements to real infrastructure
  • Cloud Security: building AWS security tooling aligned to compliance baselines with CI/CD integration

Technical Stack

| Category | Technologies |
|---|---|
| Cloud | AWS (CloudTrail, Config, EventBridge, GovCloud, IAM, KMS, Lambda, S3, Security Hub) |
| Languages | Python (boto3, oscal-pydantic, compliance-trestle), Bash, AWS CLI |
| Infrastructure as Code | AWS CloudFormation, Terraform |
| Policy-as-Code | OPA/Rego, Checkov, Conftest |
| CI/CD | GitHub Actions |
| IAM & IGA | Access Reviews, Privileged Access Monitoring, RBAC, Least Privilege, SSO |
| Compliance Frameworks | CJIS Security Policy v6.0, FedRAMP High, NIST 800-53 Rev 5, NIST CSF 2.0 |
| Machine-Readable Compliance | OSCAL (Assessment Results SAR, Component Definitions), IBM Compliance Trestle, oscal-pydantic |
| Observability | Kibana/OpenSearch, Splunk, Sentry, SIEM dashboards (KQL) |

Featured Projects

Active Flagships

  • OSCAL Evidence Pipeline: Transforms compliance findings from existing audit tools into OSCAL Assessment Results (SAR) JSON — the machine-readable evidence format required by FedRAMP 20x and expected by federal assessors. Built on IBM Compliance Trestle and oscal-pydantic. v1.0 in flight.
  • AWS GRC Terraform Modules: Reusable Terraform modules for FedRAMP High and CJIS v6.0 baselines on AWS, with OPA/Rego policy tests and tfsec/checkov CI gates. Each module ships with a compliance_attestation output that downstream OSCAL evidence pipelines cite as proof. Companion to the AWS Fundamentals Labs Curriculum on luigicarpio.dev/blog.

Frameworks & Gap Analysis

  • NIST 800-53 Rev 5 to AWS Mapping: Maps NIST 800-53 Rev 5 controls to AWS services, stored as an OSCAL Component Definition. Generator renders markdown with FedRAMP High baseline filtering and a CJIS v6.0 delta section identifying where CJIS exceeds FedRAMP.
  • CJIS-FedRAMP Gap Analysis: Compares CJIS Security Policy v6.0 and FedRAMP High baselines (both aligned to NIST 800-53 Rev 5). Identifies 13 implementation-level deltas and 15 control-level gaps (CJIS-only controls), encoded as an OSCAL overlay.

Infrastructure & Continuous Monitoring

  • AWS Compliance as Code: CloudFormation templates and Service Control Policies enforcing security baselines across CJIS, FedRAMP High, and NIST 800-53. Five-layer baseline (CloudTrail + S3 Object Lock + VPC Flow Logs, IAM, KMS CMK, AWS Config, GuardDuty + Security Hub) plus org-level SCPs.
  • AWS Config Compliance Monitor: Event-driven compliance monitoring and auto-remediation for CJIS and FedRAMP High environments using AWS Config, Lambda, and SSM.

Audit & Evidence Collection Tools

  • IAM Audit: Audits AWS IAM users for MFA compliance, access key rotation, and credential hygiene.
  • S3 Audit: Audits S3 buckets for encryption, public access, and versioning.
  • Security Group Audit: Audits security groups for overly permissive inbound rules.
  • CloudTrail Audit: Audits CloudTrail logs for root account usage, failed API calls, and sensitive IAM / SG / Trail / S3 changes.
  • Evidence Logger: Generates timestamped, auditor-ready evidence files from compliance checks.
  • Compliance Report: Aggregates compliance data into structured reports with pass/fail summaries.

Security & Policy-as-Code

  • Policy Checker: Scans AWS IAM policies for overly permissive configurations and CJIS v6.0 violations. 27 unit tests, GitHub Actions CI/CD.
  • Secret Scanner: Scans files and repos for exposed credentials, secrets, and CJI identifiers (ORI, NCIC, FBI numbers, State IDs) with CI/CD gating via non-zero exit codes. Used as the first adapter in OSCAL Evidence Pipeline.

Each tool includes control mappings to NIST 800-53 Rev 5, FedRAMP High, and CJIS Security Policy v6.0 requirements.

Currently Learning

  • CGE-P (Certified GRC Engineer – Practitioner) exam prep — targeting August 2026 window
  • Terraform module patterns for FedRAMP High and CJIS v6.0 baselines (per-module OPA/Rego policy bundles, compliance attestation outputs, plan-time validation)
  • OPA / Rego policy-as-code testing patterns (conftest, plan-time policy gates)
  • CJIS Security Policy v6.0 deltas from FedRAMP High (FIPS 140-2/3, agency-managed keys, CJI-specific access controls)

Where to Find Me

Portfolio | LinkedIn | Medium | HackTheBox

Pinned

  1. iam-audit (Python)

    Python tool that audits AWS IAM for root account MFA, user MFA, password policy strength, and access key age. Maps findings to NIST 800-53 Rev 5, FedRAMP High, and CJIS v6.0 controls (IA-2, IA-5, A…

  2. aws-compliance-as-code

    Automated AWS compliance guardrails using Service Control Policies and CloudFormation. Controls enforce audit log protection, encryption at rest, boundary protection, and least functionality, mappe…

  3. nist-800-53-rev-5-to-aws-mapping (Python)

    NIST 800-53 Rev 5 to AWS service mapping using OSCAL Component Definition JSON

  4. policy-checker (Python)

    Lightweight Python CLI tool that scans AWS IAM policy JSON files for overly permissive statements and maps findings to CJIS v6.0, FedRAMP, and NIST 800-53 compliance controls.

  5. cjis-fedramp-high-gap-analysis (Python)

    Gap analysis between CJIS Security Policy v6.0 and FedRAMP High baselines, both aligned to NIST 800-53 Rev 5. Identifies 13 implementation-level deltas (stricter parameter values) and 15 control-le…

  6. secret-scanner (Python)

    Python tool that scans files for AWS credentials, API keys, generic secrets, and CJI identifiers (ORI numbers, NCIC codes, FBI Numbers, State IDs). Maps findings to NIST 800-53 Rev 5 SC-28 / SC-13 …