Continuous Compliance.
Continuous Assurance.
What CI/CD did for software quality, applied to regulatory compliance. An open methodology and machine-readable standard — owned by no one, available to everyone.
Compliance operates on a fundamentally broken cadence.
Organizations spend months preparing for point-in-time audits, only to receive a snapshot verdict that begins decaying the moment it is issued.
Point-in-time snapshots create a dangerous illusion of control.
Between audits, compliance posture drifts undetected. Controls degrade. Configurations change. Personnel rotate. The certificate on the wall says compliant; the live environment says otherwise. Organizations assemble evidence manually, coordinate across teams for months, and receive a verdict that is already stale.
Every change is a commit. Every commit is validated.
In a CC/CA architecture, every change to an organization's security environment — an IAM policy update, a vendor onboarding, a firewall rule modification — triggers automated control validations, cross-framework reconciliation, and evidence generation. The result is a continuously updated, audit-ready state.
The CI/CD mapping is precise.
Every concept in CI/CD has a direct analog in continuous compliance. The engineering discipline exists — we just need to apply it.
What Open CCCA stands for.
These principles guide the development of the open standard. They are not owned by any company. They belong to the community.
Compliance as Code
Policies expressed as executable, version-controlled, peer-reviewable rules — not static PDFs. Testable, auditable, and machine-enforceable.
Drift Detection Over Snapshots
Instead of proving compliance at a fixed point, surface the precise moment compliance is lost and identify the causal change.
Evidence as Exhaust
Audit evidence generated automatically as a byproduct of validation — timestamped, immutable, and tied to the specific control check.
Merge Conflict Resolution
When independent changes individually pass but collectively create a compliance gap, the system detects the conflict — just like version control.
Open by Default
The methodology is open, vendor-neutral, and community-governed. No single company controls the specification. Radical transparency in all governance.
Methodology ≠ Implementation
Open CCCA defines the method. Implementers build on it. Just as CI/CD is a practice served by many platforms: one concept, many implementations.
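The CC/CA architecture described above (every change is a commit, every commit is validated, evidence is generated as a byproduct) and the principles listed here can be made concrete in a few dozen lines. The following is an added illustration, not code from Open CCCA or from Stones AI, and not a reference implementation of the standard. The baseline state, the two controls, the framework identifiers ("fw-a/AC-1", "fw-b/9.4", "fw-a/SR-3") and the three sample changes are all constructed for this example. It shows controls as executable rules, drift detection that names the causal commit, hash-chained evidence records produced by each validation, a per-framework view reconciled from one check, and a merge-conflict check for two changes that pass individually but fail together.

```python
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import Callable

# Constructed baseline state for a hypothetical organisation (not from the page).
BASELINE = {
    "firewall": [{"port": 22, "source": "10.0.0.0/8"}],   # admin SSH limited to the corporate range
    "iam": {"admin_mfa_required": True},
    "vendors": [{"name": "vendor-a", "dpa_signed": True}],
}

def ssh_open_to_internet(state: dict) -> bool:
    return any(r["port"] == 22 and r["source"] == "0.0.0.0/0" for r in state["firewall"])

@dataclass
class Control:
    id: str
    frameworks: list                 # hypothetical cross-framework mapping ids
    check: Callable[[dict], bool]

# Policies as executable rules. CTL-001 has a compensating-control shape:
# admin MFA may be relaxed only while admin SSH is not reachable from the internet.
CONTROLS = [
    Control("CTL-001", ["fw-a/AC-1", "fw-b/9.4"],
            lambda s: s["iam"]["admin_mfa_required"] or not ssh_open_to_internet(s)),
    Control("CTL-002", ["fw-a/SR-3"],
            lambda s: all(v["dpa_signed"] for v in s["vendors"])),
]

@dataclass
class Commit:
    message: str
    apply: Callable[[dict], None]    # mutates a copy of the state in place

def validate(state: dict) -> dict:
    """Run every control; returns {control_id: passed}."""
    return {c.id: bool(c.check(state)) for c in CONTROLS}

def framework_status(results: dict) -> dict:
    """Reconcile one check result across every framework id it is mapped to."""
    return {fid: results[c.id] for c in CONTROLS for fid in c.frameworks}

def evidence_record(message: str, results: dict, prev_hash: str, timestamp: str) -> dict:
    """Evidence as exhaust: a hash-chained record emitted by each validation run."""
    body = {"commit": message, "results": results, "frameworks": framework_status(results),
            "timestamp": timestamp, "prev": prev_hash}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return {**body, "hash": digest}

def verify_chain(evidence: list) -> bool:
    """Every record must hash to its stored digest and link to its predecessor."""
    for i, rec in enumerate(evidence):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != rec["hash"]:
            return False
        if i and rec["prev"] != evidence[i - 1]["hash"]:
            return False
    return True

class Pipeline:
    """Every change is a commit; every commit is validated and leaves evidence behind."""
    def __init__(self, baseline: dict, clock: Callable[[], str]):
        self.clock = clock
        self.state = copy.deepcopy(baseline)
        self.results = validate(self.state)
        self.evidence = [evidence_record("baseline", self.results, "0" * 64, clock())]

    def commit(self, change: Commit) -> list:
        """Apply a change and return the controls it broke: drift tied to its causal commit."""
        candidate = copy.deepcopy(self.state)
        change.apply(candidate)
        new = validate(candidate)
        drift = [cid for cid, ok in new.items() if self.results[cid] and not ok]
        self.state, self.results = candidate, new
        self.evidence.append(evidence_record(change.message, new, self.evidence[-1]["hash"], self.clock()))
        return drift

def merge_conflict(base: dict, a: Commit, b: Commit) -> list:
    """Controls that pass with a or b alone but fail once both are merged."""
    def after(*commits):
        s = copy.deepcopy(base)
        for c in commits:
            c.apply(s)
        return validate(s)
    only_a, only_b, both = after(a), after(b), after(a, b)
    return [cid for cid in both if only_a[cid] and only_b[cid] and not both[cid]]

# Constructed sample changes (hypothetical).
DISABLE_ADMIN_MFA = Commit("iam: relax admin MFA", lambda s: s["iam"].update(admin_mfa_required=False))
OPEN_SSH = Commit("firewall: allow 22/tcp from anywhere",
                  lambda s: s["firewall"].append({"port": 22, "source": "0.0.0.0/0"}))
ONBOARD_VENDOR = Commit("vendor: onboard vendor-b (DPA pending)",
                        lambda s: s["vendors"].append({"name": "vendor-b", "dpa_signed": False}))

if __name__ == "__main__":
    from datetime import datetime, timezone
    p = Pipeline(BASELINE, lambda: datetime.now(timezone.utc).isoformat())
    print("drift after vendor onboarding:", p.commit(ONBOARD_VENDOR))
    print("merge conflict:", merge_conflict(BASELINE, DISABLE_ADMIN_MFA, OPEN_SSH))
    print("evidence chain intact:", verify_chain(p.evidence))
```

The interesting case is the merge conflict: relaxing admin MFA passes CTL-001 because SSH is still restricted to the corporate range, and opening SSH passes because MFA is still required, yet the two together leave internet-reachable admin access without MFA. A snapshot audit taken after either change alone would report green; validating the merged state catches the gap, and the evidence chain records which commit lost which control.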
Where this idea came from.
Open CCCA originated from a conversation between two compliance practitioners. They are sharing it openly because the idea is bigger than any one company.
Radical Transparency Notice
Open CCCA is committed to full disclosure of all affiliations, potential conflicts, and governance decisions from day one. The originators' professional affiliations are disclosed below. This initiative is not owned, controlled, or funded by any commercial entity.
Dennis Dayman
Concept Originator
30+ year cybersecurity and privacy veteran. Co-founder and former Vice-Chair of the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG). Dennis originated the core insight: compliance verification is the same class of problem that CI/CD solved for software delivery two decades ago.
Chairman of the Advisory Board at Stones AI, a compliance automation startup. Currently Resident CISO at Proofpoint. Dennis's involvement in Open CCCA is as an individual contributor, not as a representative of any commercial entity. As the initiative takes shape, his role will be defined openly and with full disclosure of his ongoing commercial affiliations.
Ryan Strong
Whitepaper Co-Author
Founder and CEO of Stones AI. Ryan co-authored the founding whitepaper, mapping CI/CD concepts to compliance operations in collaboration with Dennis.
Co-Founder and CEO of Stones AI. Ryan holds no governance role in Open CCCA and will not speak publicly on behalf of the initiative. If and when Open CCCA evolves toward any form of membership or formal participation, Stones AI will take part on the same terms as any other organization, subject to additional self-imposed constraints documented at stones.ai.
This standard needs the industry to build it.
Open CCCA is looking for practitioners, auditors, vendors, regulators, and anyone who believes compliance should work better than it does today.
Read the whitepaper.
Start with the founding whitepaper. If it resonates, share it with your network.
- Read the founding whitepaper
- Join the mailing list for updates
- Share with CISOs and compliance teams
- Provide feedback on the concepts
Help shape the standard.
All development will happen in the open, with public working groups and public review.
- Join working groups (coming soon)
- Review draft specifications
- Propose extensions and mappings
- Build reference implementations
Join the early conversation.
The methodology will be shaped by the people who care enough to help refine it. Early contributors set the direction.
- Join the early conversations
- Share the whitepaper with practitioners in your network
- Propose refinements to the methodology
- Consider hosting a working discussion
Help shape the methodology.
Open CCCA is a working idea, not yet a formal body. Early contributors help refine the principles, shape the methodology, and translate it into real-world implementations.
Shape the Methodology
Early contributors help refine the principles, the CI/CD mapping, and the vocabulary of the standard as it develops.
Share Your Experience
Practitioners bring real-world compliance pain into the conversation. Your input shapes what the methodology actually solves.
Build Reference Implementations
Translate the methodology into code, into audit workflows, into framework mappings. The standard lives in its implementations.