I came across these first about a year ago, but I have virtually never heard them spoken about here on Hacker News, and I guess I'm just wondering who is actually writing documents in these kinds of standards and why. Is it just a regulatory thing? Are they secret collections of decades of well-integrated best practices, hiding in plain sight? Maybe something in between those two extremes? I'd love to hear more from people who have done these kinds of things before.