Skip to main content


A YAML-Powered Antidote To Bureaucracy

It’s a powerfully simple idea.

To improve the quality of our software development, we use continuous integration. To improve the reliability of our deployment, we use continuous delivery. To improve the security of our systems, we can use continuous authorization.

Simply put, the tools that we use to develop and operate software, should also be used to generate and validate assessment and authorization packages.

Every commit runs the tests. Every passing build, updates the system security plan. Every deployment includes updates to continuous monitoring.

Software as Code.

Tests as Code.

Infrastructure as Code.

Compliance as Code.

It’s a schema.

By adopting a standard approach to documenting “controls” (whether Technical, Operational, or Management) we can rapidly build a community of vendors and operators. You can see the current (and evolving) OpenControl schema here.

It’s a set of tools and best practices.

Right now we’re excited about:


It’s a community.

This community includes vendors that provide documentation of controls in a standard schema, government agencies and other regulators that document certifications in another schema, and operators who use the OpenControl process to authorize their systems.

Invite yourself to OpenControl slack or join our announcements mailing list.

You can see the full list of current members here.