Compliance is a snake eating its tail, and that's a good thing

Drawing parallels between niche concepts to the point it seems crazy (and maybe is) is one of the few perks of having impeccable pattern recognition.

Admin

Across multiple different cultures spanning as far back as ancient Egypt, the concept of the "ouroboros" has remained a stable symbol of the cycle of life, death, and the pattern of rebirth. The earliest known example comes up around 1600 BCE in the Enigmatic Book of the Netherworld found in Tutankhamun’s tomb.


It represented Ra and Osiris encircling the world, symbolizing the unity of life and death and the cyclical nature of existence.

From there we see multiple references spanning from:

  • ✡️: Hermetic and Gnostic texts, as a cosmic boundary: the serpent encircling the world or divine totality, with the ouroboros representing self-sufficiency, God’s eternity, or the pleroma (the fullness of divine reality).
  • 🕉️: Indian and Hindu-Buddhist symbolism: similar motifs appear as the Nāga biting its tail or as Ananta Śeṣa, the infinite serpent on which Vishnu rests. It symbolizes cosmic cycles (yugas) and endless creation and dissolution.
  • ☯️: Chinese analogues such as the dragon biting its tail, seen in Daoist art and alchemy. Often linked with yin-yang balance, cyclical harmony, and the idea that the end is contained in the beginning.

The word ouroboros (οὐροβόρος) itself is Greek, from oura (“tail”) + bóros (“eating”). Greek philosophers (notably in Stoicism and alchemy) used it to symbolize eternal return and the unity of opposites — creation and destruction as one process. It was later adopted in Hellenistic alchemical manuscripts, where it carried the caption “Hen to pan” (“One is All”).

"Ok bro, but what does this have to do with GRC?"

If you’re unhinged enough, like I am, to draw parallels between esoteric lore and compliance topics, you can see how the cycles and seasons that frameworks such as FedRamp Rev5 and CMMC go through humorously allow the GRC world to be called a snake eating its own tail. And that’s the beauty of the industry. The constant change, adaptation, and death of failing standards is exactly the pattern of death and rebirth a healthy industry should have, and if I’m being honest, any industry that relies on constant improvement and adaptation should seek to be an ouroboros.

This cycle of rebirth and adaptation we see in standards and frameworks connects to an important truth: security and compliance are not static states but dynamic processes. Just as the ouroboros represents infinity and wholeness through constant renewal, effective GRC programs must continuously evolve - consuming their past iterations to create more mature and effective versions of themselves. The standards we follow today will inevitably transform as threats evolve and technologies advance.

The FedRamp 20x program is a great example of rebirth

Let's consider the Federal Risk and Authorization Management Program (FedRAMP) 20x initiative. This effort represents a perfect example of the ouroboros principle in action within GRC. By aiming to reduce authorization time via machine-readable assessments, the program isn't merely improving efficiency; it's completely reimagining the compliance process while maintaining the same fundamental security objectives. The initiative acknowledges that previous iterations had become too cumbersome, and like the serpent consuming its tail, it's using the lessons from past frameworks to birth a more streamlined, effective approach.


Pete Waterman has done a fantastic job of dynamically making this process effective, and I've watched over time as cumbersome ideas and processes have been shed for more effective methods. This approach mirrors the ouroboros metaphor perfectly - the program continuously sheds its old skin while maintaining its essential purpose. What we're witnessing is not just reform but regeneration, a necessary cycle that keeps compliance frameworks relevant in an ever-changing threat landscape.

It’s yet to be seen how it’ll play out long term, but I’m excited about the potential for machine-readable assessments and faster FedRamp onboarding.

The metaphor can even be applied to ConMon

If we really want to drag it out, the metaphor can even be applied to the updated ConMon requirements for FedRamp 20x, where the program has not only shed ineffective processes but birthed new ones that allow for more effective continuous monitoring.

And ConMon as a concept on its own can be tied to the cyclical nature of the ouroboros, considering that it is a never-ending requirement.

Conclusion

The metaphor itself is just my own fun way of weaving in a topic I enjoy, but the point is that the culture of continuous improvement in the GRC world (in certain areas), and its cycles of death and rebirth, make me think quite a bit of the ouroboros, and that’s a pretty positive thing.
