February 7, 2023

Meeting Federal Compliance Requirements with Policy-as-Code and Automated Change Management

Navigating the various policies utilized within the United States federal government, defense agencies, and intelligence community is a complex and lengthy process. As the Defense Intelligence Agency (DIA) states:

Did you know that if you read all the Department of Defense’s policies, it would be the equivalent of reading through “War and Peace” more than 100 times?

To give you a better idea of the complexity faced by IT operations alone, check out the document that the Department of Defense (DoD) Deputy CIO for Cybersecurity has published regarding how to Build and Operate a Trusted DoDIN (DoD Information Network), shared below. As stated by the DoD, “the goal of the DoD Cybersecurity Policy Chart is to capture the tremendous breadth of applicable policies, some of which many cybersecurity professionals may not even be aware, in a helpful organizational scheme.”

As you can see in the above framework, there are numerous steps with multiple layers of complexity and an overwhelming amount of information. While intended to organize the information, it illustrates just how complicated governance and policy enforcement can be at the federal level. Not only that, but this list continues to grow with new policies being implemented every year. Sometimes, the policies even conflict with one another, making compliance an incredibly challenging task. 

With such a broad set of policies, how do federal IT shops ultimately implement, govern, and enforce them?

The Toil of Manual Policy Enforcement

Much of the implementation, governance, and enforcement of IT policies is done manually with teams of expensive IT Specialists. The onboarding for these roles is a massive investment as well. A public sector IT specialist not only needs to have expertise in the systems implemented by the organization, but they will be expected to retain all of the relevant policy information.

Since these IT specialists are ultimately responsible for compliance, these operations typically converge into one of two methods for execution:

  1. Everything is locked down. DevOps staff have to painstakingly plan, request, and attain manual approval for all of the necessary resources, identity and access management (IAM) permissions, and dependencies required to implement a pipeline. If a new requirement is introduced, this process starts all over again.
  2. Everything is open and staff are held personally accountable. Careful DevOps staff need to constantly recreate their pipelines and manually reference and apply long compliance checklist documents. When errors do occur, tedious discovery and post-mortem exercises must be conducted to attribute which actions and which personnel were responsible.

As the number of IT policies grows, so too does the mental load a specialist takes on, leading to burnout and potential loss of knowledge if they leave. A departure means that onboarding and training starts all over again, which carries significant financial costs.

While federal agencies could hire more personnel, operational needs are quickly outpacing hiring for these roles due to demands for an accelerating “speed of mission.” All of this leads to a large backlog of policy reviews and system assessments. Ultimately, these delays halt technology adoption and innovation.

Steps Toward Progress

Some efforts are underway to reduce the toil around policy management. Tools like Gamechanger are in development to utilize AI to organize and sift through the mountain of policy information. While these efforts are important, at their core, they still rely on a massive amount of manual tasks, supplemented with an optimized information retrieval system.

Other vendors work with government partners and consultants to assess and certify their products through compliance frameworks like the Federal Risk and Authorization Management Program (FedRAMP), which provides an authorized stamp of approval for many bundles of IT policies. That said, these compliance frameworks still have infamously long time horizons, and they require a massive upfront investment that is prohibitive to small businesses and startups. These frameworks are also not broadly accepted across all federal agencies. 

Agencies demonstrate maturity in their IT operations through automated policy compliance, such as scripted checks and tests. While this is a trend in the right direction, this approach is often abandoned as these practices still require manual toil because compliance tests have to be recreated for every pipeline by hand. Furthermore, they must be manually re-assessed and re-approved every time additional stages and steps are added.

Policy-as-Code

While we can’t reduce the number of policies or eliminate the conflicts among them, many federal organizations are implementing policy-as-code into their IT policies. Policy-as-code allows DevSecOps staff to retain development and deployment flexibility without making trade-offs in security and compliance. 

Policy-as-code accomplishes this by allowing teams to write policies that define what operations the organization cannot have, as well as what they must have and in what order. Agencies can then implement these policies in either an advisory mode that informs users what policies they are not in compliance with or an enforcing mode that actively prohibits operations.

Examples include:

  • CD pipelines must include a Snyk container scan before allowing a push to production
  • Container images must originate from an approved list of registries
  • Production pipelines cannot include security vulnerabilities at the “Critical” level
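The three policies above, evaluated in both of the modes the preceding paragraph describes, as an added example that is not Harness or OPA code (a real deployment would express these rules in OPA's Rego and let the agent evaluate them). The pipeline definitions, stage names, registry allow-list and scan findings are all constructed for the demonstration; in advisory mode the evaluator reports violations but still allows the run, in enforcing mode any violation denies it.

```python
"""Minimal policy-as-code evaluator (added example; not Harness or OPA code).

Each policy is a function that takes a pipeline definition and returns a list
of human-readable violations. An empty list means the pipeline complies.
"""
from dataclasses import dataclass, field

# Constructed allow-list of registries; an agency would maintain its own.
APPROVED_REGISTRIES = {"registry.example.mil", "registry.example.gov"}


@dataclass
class Pipeline:
    """Constructed, simplified pipeline description used as policy input."""
    name: str
    stages: list            # ordered stage names, e.g. ["build", "snyk-scan", "deploy-prod"]
    images: list            # container image references the pipeline deploys
    findings: dict = field(default_factory=dict)  # scan results: severity -> count


def registry_of(image: str) -> str:
    """Return the registry host of an image reference.

    Simplified version of the Docker reference rules: the first path component
    is a registry only if it looks like a host (contains '.' or ':' or is
    'localhost'); otherwise the reference implicitly points at Docker Hub.
    """
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def check_scan_before_prod(p: Pipeline) -> list:
    """Policy 1: a Snyk container scan must run before the push to production."""
    if "deploy-prod" not in p.stages:
        return []                     # no production push, nothing to gate
    prod_idx = p.stages.index("deploy-prod")
    scan_idxs = [i for i, s in enumerate(p.stages) if s == "snyk-scan"]
    if not scan_idxs or min(scan_idxs) > prod_idx:
        return ["no snyk-scan stage precedes deploy-prod"]
    return []


def check_registries(p: Pipeline) -> list:
    """Policy 2: every image must come from an approved registry."""
    return [
        f"image {img} comes from unapproved registry {registry_of(img)}"
        for img in p.images
        if registry_of(img) not in APPROVED_REGISTRIES
    ]


def check_no_critical(p: Pipeline) -> list:
    """Policy 3: production pipelines may not carry Critical findings."""
    if "deploy-prod" not in p.stages:
        return []
    n = p.findings.get("critical", 0)
    return [f"{n} Critical finding(s) reported by the scan"] if n else []


POLICIES = [check_scan_before_prod, check_registries, check_no_critical]


def evaluate(p: Pipeline, mode: str = "enforce") -> dict:
    """Run every policy; 'advise' reports only, 'enforce' denies on any violation."""
    if mode not in ("advise", "enforce"):
        raise ValueError(f"unknown mode {mode!r}")
    violations = [v for policy in POLICIES for v in policy(p)]
    allowed = mode == "advise" or not violations
    return {"pipeline": p.name, "mode": mode, "allowed": allowed, "violations": violations}


# Constructed sample pipelines: one compliant, one violating all three policies.
COMPLIANT = Pipeline(
    name="payments-api",
    stages=["build", "snyk-scan", "deploy-prod"],
    images=["registry.example.mil/payments/api:1.4.2"],
    findings={"high": 2, "medium": 7},
)
NONCOMPLIANT = Pipeline(
    name="legacy-portal",
    stages=["build", "deploy-prod", "snyk-scan"],   # scan runs too late
    images=["nginx:latest", "registry.example.mil/portal/web:0.9"],
    findings={"critical": 1, "high": 4},
)

if __name__ == "__main__":
    for pipeline in (COMPLIANT, NONCOMPLIANT):
        for mode in ("advise", "enforce"):
            result = evaluate(pipeline, mode)
            print(f"{result['pipeline']:14} {mode:8} allowed={result['allowed']}")
            for v in result["violations"]:
                print("   -", v)
```

The same policies, written once, apply to every pipeline fed to `evaluate`, which is the point the section makes about writing a policy once rather than rebuilding checks per pipeline; switching a policy from advisory to enforcing is a one-argument change rather than a new checklist.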

This is not an entirely new idea, as it was popularized by the CNCF’s Open Policy Agent (OPA) project. Agencies can ease adoption with tools that automate writing, distributing, and evaluating these policies. The Harness platform incorporates Policy-as-Code — based on OPA — as a centralized policy management and rules service that helps organizations create and enforce policies on deployments, infrastructure, and more, providing developer velocity without sacrificing compliance and standards.

Policy-as-code addresses the pain of toil directly:

  • IT specialists no longer need to manually assess every new software adoption or deployment. Instead, they can write a policy once and enforce its implementation on the front end of development.
  • When an IT specialist is offboarded from a project or organization, their expertise is captured and reused in the policy agents, effectively codifying that tribal knowledge and allowing for seamless continuation of policy compliance operations.
  • Developers have guardrails giving them the flexibility to implement and utilize software and infrastructure assets available to them safely by ensuring policy compliance.

Automated Change Management

As much as policy-as-code can reduce the toil of managing and implementing IT policy, there are still instances that will require recorded verification and authorization from a trusted audit official or change advisory board. In addition, “human-in-the-loop” methods — incorporating manual checkpoints within automated processes — can be an easy stand-in for more complex policy compliance assessments.

While we can’t automate humans, we can remove much of the toil involved with reliably performing change management within your organization. Many change management processes used today require persistent, manual processes that don’t add value. One example is when the status of operations has to be manually updated in various systems of record, and when approvals are often followed by manual continuation of operations along their development lifecycle.

Many solutions offer pipeline integrations into popular change management tools like Jira and ServiceNow, as well as built-in manual approval functionality for companies that don’t currently rely on vendor systems. Harness, for example, programmatically adds full context updates to Jira and ServiceNow tickets, such as links to results from Security Test Orchestration and Continuous Verification, and notifies change management personnel when approval gates require their attention. If a change is approved by an authorized party, Harness records this approval and can automatically proceed with the next stage of a pipeline. If a change is not approved, Harness can pause or stop a pipeline and initiate any automated rollbacks if required.

Start Your DevSecOps Journey with Harness

Harness is the fastest and easiest way to onboard your personnel and IT operations into modern DevSecOps methodologies that exceed public sector governance and compliance requirements without compromising on delivery. 

Harness offers key benefits for federal IT teams, including:

  • Reliably managing the implementation of policy agents, so your team isn’t required to deploy and maintain OPA servers.
  • Templatizing, collecting, and applying policies broadly across all of your IT operations, from CI/CD to Cloud resources.
  • Role-based access control (RBAC) with your SSO and LDAP providers, allowing you to granularly apply and control policy enforcement across organizations and individual users.

Learn more about how we’re implementing policy-as-code, automated change management, and more to help federal agencies adopt DevSecOps at scale on our governance page, and request a personalized demo to see these features in action. 