Organizations
Policy packs published by standards bodies and industry groups. A pack is a curated set of policies that govern one domain end to end — the same machine-checkable rules the gallery lists and ponens trace check evaluates.
CERT (SEI)
SEI CERT Secure Coding Standards (Carnegie Mellon Software Engineering Institute)
The SEI CERT Coding Standards (CERT C and CERT C++) are secure-coding standards from Carnegie Mellon's Software Engineering Institute. Unlike category-based standards, CERT scores every guideline on a risk model — severity, likelihood, and remediation cost — yielding a priority and level (L1/L2/L3) that drive remediation order. That risk model is the basis for the pack below.
CMS
Centers for Medicare & Medicaid Services (Technical Reference Architecture)
CMS — the US agency for Medicare & Medicaid — publishes AI Guidance in its Technical Reference Architecture: concrete business rules (BR-AI-1..6) and operational practices for using AI responsibly with sensitive healthcare data. Where the NIST AI RMF is the generic risk lifecycle, CMS is the operational enforcement layer, and it is the basis for the pack below.
ESMA
European Securities and Markets Authority
ESMA is the EU's securities-markets regulator. Its Public Statement on the use of AI in the provision of retail investment services maps AI use onto firms' existing MiFID II obligations — best interest, suitability, transparency, risk management, and recordkeeping — the basis for the pack below.
FIX Community
FIX Trading Community — AI Working Group
The FIX Trading Community standardises electronic trading. Its AI Working Group is developing runtime-governance standards for agentic AI in capital markets — the basis for the policy pack below.
IOSCO
International Organization of Securities Commissions
IOSCO is the global standard-setter for securities markets. Its FR/02/2026 Supervisory Toolkit for AI Use in Capital Markets sets out the records, audit trail, and disclosures supervisors expect firms to be able to evidence — the basis for the pack below.
JSF (Lockheed Martin)
JSF Air Vehicle C++ Coding Standards — F-35 program (Lockheed Martin)
The JSF Air Vehicle C++ Coding Standards ("JSF++") were developed for the Lockheed Martin F-35 Joint Strike Fighter, with input from Bjarne Stroustrup. Like MISRA, JSF++ is a safety-critical C++ standard, but with a distinctive three-tier rule scheme (Shall / Will / Should) and a tiered deviation-approval process — the basis for the pack below.
MISRA
The MISRA Consortium
MISRA publishes the most widely used C and C++ coding guidelines for safety- and security-critical software. Its Compliance:2020 document defines how a project demonstrates compliance — enforcement, deviations, re-categorization, and a compliance summary — which is the basis for the packs below.
NIST
National Institute of Standards and Technology
NIST publishes the foundational AI and software-security frameworks used worldwide. Its AI Risk Management Framework (AI RMF 1.0) manages AI risk across the lifecycle (Govern/Map/Measure/Manage), and its Secure Software Development Framework (SSDF, SP 800-218) defines secure-development practices (Prepare / Protect / Produce / Respond). Both are voluntary, and both are the basis for the packs below.
RTCA
RTCA, Inc. / EUROCAE (DO-178C / ED-12C)
RTCA (with EUROCAE) publishes DO-178C, the airborne-software certification standard used worldwide by aviation authorities. Its Annex A objectives — traceability, verification, coverage, configuration management, and certification liaison — are the basis for the pack below.