Can DevOps Simplify the Operational Risk of Compliance?
Agencies and contractors need to consider disruptive improvements.
Today, government agency leaders have been tasked to identify and follow multiple modernization initiatives with the possibility of driving private-sector customizations and delivery practices and the associated business efficiencies into the public sector. The impetus is coming from a variety of directions, including the Office of American Innovation; the adoption of development operations (DevOps) and development security operations (DevSecOps) as a cyber protection strategy; the emphasis by the Federal Trade Commission on unfair or deceptive practices; and a focus on automated tools, which include multiple aspects of artificial intelligence for internal processes as well as consumer marketing and customization of a digital marketplace.
In order to meet this pace of both internal and external digital business transformation, many agencies and federal contractors will need to consider disruptive improvements in their technology optimization efforts. This may include automated streamlining of processes and acceleration of both adoption and adaptation of new trends. Simultaneously, public and private leaders must address the advancing requirements of regulatory compliance involving cybersecurity, data privacy and protection related to Internet of Things, artificial intelligence, virtual reality and consumer protections.
Applying the DevOps mindset and processes to digital planning to address cybersecurity and regulatory compliance as well as public requirements, such as controlled unclassified information (CUI) and controlled technical information (CTI), is becoming essential for demonstrating both relevance to the digital economy and due diligence prudence. DevOps/DevSecOps provides a great opportunity for cross-learnings from culture to methodology and rapid response as a foundation for future efforts.
Today’s digital ecosystem and the DevOps philosophy seek to operate and contribute value with less friction and faster iterative results. These practices can be incredibly valuable in achieving pending deadlines such as the Federal Acquisition Regulation and Defense Federal Acquisition Regulation CUI clauses. The frequently updated code and deployment strategies also provide unique security protections wherein known or potentially known weaknesses are updated more quickly. Understanding and applying DevOps/DevSecOps methodologies helps organizations stay ahead of the security curve as real and potential threats and regulatory requirements continue to be unveiled.
Cyber defense has decisively moved away from being perimeter-focused to endpoint protection. Continuous monitoring is increasingly targeting the prevention, detection, and response capabilities related to attacks and data loss in real time. The continuous DevOps performance establishes within the organization collaborative challenges to plan, code, build, test, deploy, operate and monitor the technical aspects of a product, but the DevOps mentality and continuity of development drives marketing, compliance, and executive oversight in that the periods of change and adaptation are smaller as newer iterations come to life. The continuous improvement practice is well suited to solve new-age cybersecurity and regulatory challenges that are asymmetric.
From a better understanding of application controls to adapting security software to be more agile, DevOps processes can offer new success points to organizations. The benefits of platform compliance through automation are becoming present in a number of new tools. Automation and, surely, artificial intelligence developed and deployed in the DevOps manner will help more companies remain on par with emerging standards and compliance requirements.
DevOps methodologies can help federal agencies and commercial organizations develop significant capabilities to offset risks without compromising their mission. In addition, DevOps/DevSecOps can help establish automated strategies for simplifying operational risks related to implementing new technologies and documenting regulatory compliance.
The impact of integrating the old and newer practices may actually be on the IT and security professionals, making the DevOps challenge more of a leadership and change management reality as organizations speed toward the digital economy. For executives, DevOps is both a solution and a challenge as they face ongoing threats to their attack surfaces and the expanded liability fronts of CUI, Defense Federal Acquisition Regulation Supplement, European Union General Data Protection Regulation and other regulations related to protecting information and data.
Maria Horton is the CEO of EmeSec and the former CIO of the National Naval Medical Center.