Every government system in the United States lives inside a paper trail. Before a federal agency can switch on a database, host a benefits portal, or let a contractor touch sensitive records, it must document hundreds of security controls, map each one to a statutory obligation, and then prove, to inspectors general, to the Office of Management and Budget, to Congress, and to the Government Accountability Office, that the controls actually work. For four decades that proof was assembled by hand, in spreadsheets and binders, on a calendar that always seemed to arrive too soon. The remarkable thing about the present moment is not that the obligations have shrunk. They have not. It is that the machinery for tracking them has finally started to move at the speed of the systems it governs.
Compliance tracking, the discipline of monitoring many regulatory frameworks at once, mapping technical controls to legal obligations, and watching deadlines so that audits pass without heroics, has become one of the most consequential and least visible transformations in public-sector operations. To understand why it matters, it helps to measure the weight of the thing being automated.
The figures come from the government's own ledgers. The federal information-collection inventory carries an estimated 11.7 billion burden hours and roughly $203.7 billion in annual cost across 10,876 active collections, according to the Office of Information and Regulatory Affairs. In fiscal 2023, federal agencies reported 32,211 cybersecurity incidents to CISA, up nearly ten percent from the prior year. And as of May 2024, the Government Accountability Office counted 567 of its 1,610 cybersecurity recommendations still unimplemented. The obligation is enormous; the historical capacity to track it was not.
The Old Way: Compliance as an Annual Fire Drill
For most of the modern administrative state, compliance was a documentation exercise performed in arrears. The 2002 Federal Information Security Management Act, later strengthened by the 2014 Federal Information Security Modernization Act, required every agency to conduct annual program reviews, submit to an independent evaluation by its inspector general, and report the results upward to OMB and Congress, which in turn compiled an annual summary for the legislature. That cadence, review, evaluate, report, repeat, defined the rhythm of federal accountability.
The trouble was that the underlying evidence lived in static artifacts. System security plans ran to hundreds of pages of prose. Control assessments were transcribed into spreadsheets that aged the moment they were saved. When an auditor asked whether a given control was operating, the honest answer was usually "it was, the last time someone checked." NIST has described the legacy state plainly: a world of manual, paper-based cybersecurity compliance that resisted automation and scale. The Paperwork Reduction Act, designed to cap the burden government imposes on the public, instead generated its own administrative thicket; one legal scholar noted that the approval process for a single information collection can stretch from six months to a year before a question is ever asked.
That gap had consequences beyond cybersecurity. Procurement teams tracking obligations under the Federal Acquisition Regulation, records officers managing retention schedules, and program offices reporting on payment integrity all worked from the same playbook: periodic, manual, retrospective. The result was a government that was perpetually documenting yesterday while operating today, and a population of inspectors general who repeatedly rated agency programs ineffective. In one government-wide assessment, no more than eight of 23 major civilian agencies earned an "effective" security rating in any single year between fiscal 2017 and 2022.
The Shift: From Documents to Data
The pivot now underway is conceptual before it is technical. Compliance is being reframed from a set of documents to be produced into a stream of data to be queried. The keystone is a machine-readable standard, developed by the National Institute of Standards and Technology with industry collaborators, that expresses security controls, implementations, and assessment results in open formats a computer can parse. NIST argues that this data-centric approach "dramatically reduces audit durations from months to minutes" by letting tools evaluate conformance continuously rather than transcribing it by hand once a year.
Once controls are data, two things become possible that were not before. First, a single technical control can be mapped to every obligation it satisfies at once: a logging configuration that simultaneously answers a security framework, a privacy requirement, and a records mandate. Second, deadlines stop being calendar entries that someone has to remember and become triggers the system enforces automatically. The market has noticed: analysts project the global governance, risk and compliance platform sector to grow by roughly $44 billion between 2025 and 2029 at a 14.2 percent compound annual rate, with separate estimates putting the trajectory at a 13.2 percent CAGR through 2030.
[Chart: Federal cyber incidents keep climbing. Incidents reported by federal agencies to CISA, by fiscal year. Source: OMB FY2023 FISMA Annual Report to Congress; figures for FY2022 and FY2023 as reported, FY2022 on a prior-year basis per OMB and Nextgov reporting (whitehouse.gov).]
The same shift is visible in the way cloud services earn the right to serve government. The Federal Risk and Authorization Management Program, which certifies that commercial cloud offerings meet federal security baselines, historically took more than a year per authorization amid a significant backlog. A 2025 overhaul that leaned heavily on automation and standardized, machine-readable evidence cut that timeline toward roughly five weeks, and the program logged 114 authorizations in fiscal 2025, more than twice the 49 issued in all of fiscal 2024. Faster authorization is, at bottom, faster compliance tracking: the bottleneck was never the cloud, it was the proof.
[Chart: Automation compresses the authorization clock. Cloud security authorizations completed per fiscal year. Source: U.S. General Services Administration / FedRAMP figures reported by FedScoop, August 2025 (fedscoop.com).]
When controls become data, the audit stops being an event the agency prepares for and becomes a condition the system continuously satisfies.
Progress in detection has been real even as incidents rise. The same FISMA reporting that counted more attacks also recorded sharply better posture: the average cybersecurity maturity score across the 23 large civilian agencies reached 87 out of 100 in fiscal 2023, with 12 agencies scoring above 90, up from just one agency the year before. Continuous monitoring is part of why: when conformance is tracked in real time, agencies see and categorize incidents they once would have missed.
| Attack vector | FY2022 | FY2023 | Change |
|---|---|---|---|
| Improper usage | 10,490 | 12,261 | +16.9% |
| Email / phishing | 3,011 | 6,198 | +105.8% |
| Loss or theft of equipment | 1,832 | 3,135 | +71.1% |
| Web | 3,545 | 3,569 | +0.7% |
| Attrition (brute force) | 197 | 1,147 | +482.2% |
| All vectors (total) | 29,319 | 32,211 | +9.9% |
Source: OMB FY2023 FISMA Annual Report to Congress. whitehouse.gov
What It Looks Like Now: Control-to-Obligation Mapping in Practice
Strip away the vendor language and the present-day workflow is straightforward to describe. An agency defines its obligations once, the security framework, the privacy controls, the records schedule, the acquisition clauses, the reporting deadlines to Congress and oversight bodies, and encodes them in a structured catalog. Each obligation is linked to the specific technical or procedural control that satisfies it. Automated collectors then pull live evidence from the systems themselves: configuration states, access logs, patch levels, training completions, retention timers. The compliance posture is no longer a document an officer writes; it is a dashboard the systems populate.
The practical payoffs cluster in four areas. Mapping eliminates duplicate work, because one control can be proven once and credited against many overlapping mandates. Continuous evidence replaces the annual scramble, because the proof is gathered as it happens. Deadline automation moves reporting from human memory to enforced workflow, so a FISMA submission or a records certification is queued and pre-populated rather than rediscovered. And audit readiness becomes a steady state: when an inspector general or the GAO asks for evidence, it is already assembled and time-stamped.
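The workflow described above (obligations encoded once, each control credited against every mandate it satisfies, evidence pulled live, deadlines enforced as triggers, and an audit trail kept for every automated judgement) can be sketched in a few dozen lines. The following is an added example written for this article, not code from any agency, NIST or GRC product. The obligation identifiers, control names and evidence records are constructed for illustration; the freshness window and the severity ordering are assumptions, not a published standard.

```python
"""Control-to-obligation mapping with live evidence, deadline triggers and an audit trail.

Added example; identifiers, evidence and thresholds are constructed, not real catalog data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc
NOW = datetime(2025, 10, 1, tzinfo=UTC)        # constructed "current time" for the run
MAX_EVIDENCE_AGE = timedelta(hours=24)         # assumption: older evidence no longer counts as proof


@dataclass(frozen=True)
class Obligation:
    id: str                       # hypothetical identifier
    framework: str                # mandate family (security, privacy, records, ...)
    due: Optional[datetime] = None  # reporting deadline, if the obligation has one


@dataclass(frozen=True)
class Evidence:
    control_id: str
    passed: bool
    observed_at: datetime         # when the collector observed the state
    detail: str


# Obligation catalog: written once, queried continuously (constructed entries).
OBLIGATIONS = {
    "SEC-LOG":     Obligation("SEC-LOG", "security"),
    "PRIV-ACCESS": Obligation("PRIV-ACCESS", "privacy"),
    "REC-RETAIN":  Obligation("REC-RETAIN", "records", due=datetime(2026, 1, 31, tzinfo=UTC)),
    "RPT-ANNUAL":  Obligation("RPT-ANNUAL", "reporting", due=datetime(2025, 10, 15, tzinfo=UTC)),
    "ACQ-CLAUSE":  Obligation("ACQ-CLAUSE", "acquisition"),   # deliberately left without a control
}

# Control -> obligations it is credited against: the "map once, reuse across mandates" step.
CONTROL_MAP = {
    "AUDIT-LOGGING": ["SEC-LOG", "PRIV-ACCESS", "REC-RETAIN"],
    "BACKUP-TEST":   ["REC-RETAIN"],
    "ANNUAL-REPORT": ["RPT-ANNUAL"],
}

RANK = {"satisfied": 0, "stale": 1, "failed": 2}   # assumed severity order; worst status wins


def collect_evidence(now):
    """Stand-in for automated collectors; returns constructed records."""
    return [
        Evidence("AUDIT-LOGGING", True,  now - timedelta(hours=1), "forwarding on, 90-day retention"),
        Evidence("BACKUP-TEST",   True,  now - timedelta(days=5),  "restore drill passed"),
        Evidence("ANNUAL-REPORT", False, now - timedelta(hours=2), "submission not filed"),
    ]


def control_status(evidence, now):
    """Missing or aged-out evidence is 'stale' (unknown), never silently 'passing'."""
    if evidence is None or now - evidence.observed_at > MAX_EVIDENCE_AGE:
        return "stale"
    return "satisfied" if evidence.passed else "failed"


def evaluate(obligations, control_map, evidence, now):
    """Return (posture per obligation, audit trail with one record per automated judgement)."""
    latest = {}                                   # newest evidence record per control
    for ev in evidence:
        if ev.control_id not in latest or ev.observed_at > latest[ev.control_id].observed_at:
            latest[ev.control_id] = ev
    satisfied_by = {}                             # inverse map: obligation -> controls
    for control, obs in control_map.items():
        for oid in obs:
            satisfied_by.setdefault(oid, []).append(control)
    posture, trail = {}, []
    for oid in obligations:
        controls = satisfied_by.get(oid, [])
        statuses = {c: control_status(latest.get(c), now) for c in controls}
        # An obligation with no control is a mapping gap the dashboard must surface, not hide.
        posture[oid] = "unmapped" if not controls else max(statuses.values(), key=RANK.__getitem__)
        trail.append({"obligation": oid, "result": posture[oid],
                      "controls": statuses, "evaluated_at": now.isoformat()})
    return posture, trail


def deadline_queue(obligations, now, window=timedelta(days=30)):
    """Obligations due inside the window: system-enforced triggers rather than calendar memory."""
    due = [o for o in obligations.values() if o.due and now <= o.due <= now + window]
    return [o.id for o in sorted(due, key=lambda o: o.due)]


def blast_radius(control_map):
    """Obligations each control is credited against: a mis-mapped control with a large
    radius propagates its error to every mandate that reuses it, so review these first."""
    return {c: len(set(obs)) for c, obs in control_map.items()}


if __name__ == "__main__":
    posture, trail = evaluate(OBLIGATIONS, CONTROL_MAP, collect_evidence(NOW), NOW)
    for oid, status in posture.items():
        print(f"{oid:12} {status}")
    print("due within 30 days:", deadline_queue(OBLIGATIONS, NOW))
    print("blast radius:", blast_radius(CONTROL_MAP))
    print("audit-trail records:", len(trail))
```

Two design choices matter for a defender. Evidence that is missing or older than the freshness window is reported as stale rather than assumed to pass, so a collector outage shows up as lost assurance instead of a green tile. And every evaluation writes a trail record naming the obligation, the controls consulted and their statuses, which is the minimum a human reviewer needs to challenge an automated judgement later.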
| Dimension | Legacy / manual | Automated tracking |
|---|---|---|
| Evidence cadence | Point-in-time, annual | Continuous, near real-time |
| Control-to-obligation map | Re-keyed per framework | Map once, reuse across mandates |
| Deadline management | Calendars and memory | System-enforced triggers |
| Audit preparation | Weeks of assembly | Pre-assembled, query on demand |
| Format of record | Prose documents, spreadsheets | Machine-readable control data |
| Authorization time (cloud) | ~12+ months | ~5 weeks |
None of this erases human judgment, and it should not. But it relocates judgment to where it adds value. Instead of spending the bulk of their hours transcribing the state of controls, security and compliance professionals can, as NIST puts it, "focus on real-world threats rather than spending valuable time on extensive documentation." The accountability stakes that make this work urgent are not abstract: the GAO reported an estimated $162 billion in improper payments across 68 federal programs in fiscal 2024, much of it concentrated in programs already on its high-risk list, a reminder that compliance tracking is ultimately about whether public money and public trust are being protected.
[Chart: Where the unfinished compliance work sits. Share of GAO cybersecurity recommendations still open, May 2024 (1,610 total since 2010). Source: U.S. Government Accountability Office, reporting via Nextgov/FCW, June 2024 (nextgov.com).]
The Next Few Years: Continuous Assurance, and Its Discontents
The near-term trajectory points toward what NIST and others increasingly call continuous assurance: a state in which compliance is not periodically demonstrated but constantly proven. The draft roadmap for the federal machine-readable controls standard explicitly anticipates integration with emerging technologies such as digital twins and agentic AI for autonomous risk reasoning and continuous assurance. In that future, a system would not wait for an auditor; it would flag its own drift, propose a remediation, and document the fix as it happens.
[Chart: A market betting on automated compliance. Projected GRC platform market expansion, 2025 to 2029 (incremental USD billions). Source: Technavio GRC platform market forecast, 2025; figures are projected incremental growth, not absolute market size (prnewswire.com).]
That promise carries a serious tension, and it deserves to be stated plainly rather than waved away. Automated compliance tracking can drift toward what skeptics call "compliance theater at machine speed": a green dashboard that satisfies the letter of an obligation while the underlying risk goes unaddressed. If a control is mapped incorrectly, the error propagates across every obligation it touches. If an automated agent quietly closes a finding, the question of who is accountable for that judgment becomes genuinely hard. The faster and more autonomous the system, the more important it becomes to preserve a human chain of accountability and an auditable record of every automated decision.
There are practical headwinds too. The persistence of those 567 open GAO recommendations, and of inspector-general findings that rate agency programs ineffective year after year, shows that buying a tracking platform is not the same as changing institutional behavior. The 11.7 billion-hour paperwork burden will not vanish because it is now machine-readable; legacy systems resist instrumentation, budgets are uneven, and workforce skills lag the technology. Automated tracking is a force multiplier, not a substitute for the slow work of governance.
Conclusion: The Quiet Rewiring
The transformation of government compliance is not a single dramatic event but a steady rewiring of how the public sector knows what it knows about itself. The obligations, FISMA and FedRAMP, procurement and records, the endless reporting to Congress and oversight bodies, are as heavy as ever. What is changing is the latency between obligation and proof. When controls become data, deadlines become triggers, and a single technical fact can satisfy many mandates at once, the audit stops being a periodic ordeal and starts becoming an ambient property of the system. The agencies that handle this shift well will not just pass their audits faster. They will, for the first time, be able to answer the most basic question of public accountability, "are we actually compliant right now?", with something other than a guess.
Sources
- Office of Information and Regulatory Affairs (OMB), Reginfo.gov Current Inventory Report, government-wide totals for active information collections (burden hours, cost, collections).
- Office of Management and Budget, Federal Information Security Modernization Act of 2014, Annual Report to Congress, Fiscal Year 2023.
- Nextgov/FCW, "Decade-old cyber advice from GAO remains unimplemented, watchdog says," June 2024 (GAO recommendation data).
- U.S. Government Accountability Office, GAO-24-107231, federal cybersecurity challenges and recommendation status.
- National Institute of Standards and Technology, Open Security Controls Assessment Language (OSCAL) program overview.
- NIST CSWP 53, "Charting the Course for NIST OSCAL" (Initial Public Draft), December 2025.
- FedScoop, "FedRAMP authorizations in 2025 already more than double fiscal 2024," August 2025.
- Technavio, "Governance, Risk, and Compliance (GRC) Platform Market to Grow by USD 44.22 Billion (2025-2029)," February 2025.
- QKS Group, "GRC Platforms Market Projected to Grow Through 2030 at CAGR 13.22%," April 2025.
- Peter G. Peterson Foundation, analysis of GAO fiscal 2024 improper-payments estimates, June 2026.
- Michigan Journal of Environmental & Administrative Law, "Stop Regulating Government Paperwork With More Government Paperwork."
- GAO improper-payments totals reporting, "$162 billion in fiscal 2024," 2025.
- Oversight.gov, Federal Information Security Modernization Act Audit for Fiscal Year 2024 (agency IG evaluations).
