Compliance Britannica
The Compliance Command Center — official resources, documentation, and field manuals for every major federal and commercial compliance framework.
The RampReady Library
Practitioner-grade references for the frameworks that matter. Every book is written from the field — built for ISSOs, assessors, implementers, and pentesters doing the real work.
ⓘ Book links are Amazon affiliate links (rampready-20). Purchases support this resource hub at no extra cost to you.

Thirty years in the field. All of it in the work.
Richard Reddington began his compliance career over 30 years ago working directly within the Department of Defense during the era of the Rainbow Series — the foundational NCSC security evaluation criteria that predated modern risk management frameworks. He oversaw framework transitions on major Category I programs, navigating the full arc from DITSCAP through DIACAP to the current DoD RMF.
Before leaving federal service, Richard served as director of a DoD-certified NSA Red Team — one of the most operationally demanding roles in government cybersecurity assessment. That background in adversarial testing and control assessment informs every page of the RampReady catalog.
Today he performs gap assessments and audits across all major commercial compliance frameworks, including CMMC, FedRAMP, SOC 2, PCI DSS, and DoD RMF. The RampReady field manuals are the reference materials he always wished existed — written for practitioners who need to do the work, not just understand the theory.
Published under the pen name Ramp Ready to maintain professional independence from employers and client relationships.
Framework Quick Reference
Official resources and field manuals for every major federal and commercial compliance framework.
FedRAMP: The US government standard for cloud service providers seeking to sell to federal agencies. Covers Low, Moderate, and High impact levels plus the new FedRAMP 20x pathway.
CMMC: DoD framework requiring defense contractors to demonstrate cybersecurity maturity across three levels. Mandatory for all DoD contracts involving Controlled Unclassified Information.
GovRAMP: State and local government cloud security authorization program, rebranded from StateRAMP. Helps government entities verify that cloud vendors meet security standards.
DoD RMF: The six-step NIST Risk Management Framework as implemented by the Department of Defense. Required for all DoD information systems before achieving an Authority to Operate.
SOC 2: AICPA framework for service organizations covering security, availability, processing integrity, confidentiality, and privacy. Type II reports cover a period of time and are the ones most commonly required.
PCI DSS: Global standard for organizations that handle cardholder data. Version 4.0.1 is the current standard, with new requirements phasing in through 2025 and beyond.
MITRE ATT&CK: Globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Used for threat modeling, red teaming, and detection engineering.