Navigating the various policies utilized within the United States federal government, defense agencies, and intelligence community is a complex and lengthy process. As the Defense Intelligence Agency (DIA) states:
Did you know that if you read all the Department of Defense’s policies, it would be the equivalent of reading through “War and Peace” more than 100 times?
To give you a better idea of the complexity faced by IT operations alone, check out the document that the Department of Defense (DoD) Deputy CIO for Cybersecurity has published regarding how to Build and Operate a Trusted DoDIN (DoD Information Network), shared below. As stated by the DoD, “the goal of the DoD Cybersecurity Policy Chart is to capture the tremendous breadth of applicable policies, some of which many cybersecurity professionals may not even be aware, in a helpful organizational scheme.”
As you can see in the above framework, there are numerous steps with multiple layers of complexity and an overwhelming amount of information. While intended to organize the information, it illustrates just how complicated governance and policy enforcement can be at the federal level. Not only that, but this list continues to grow with new policies being implemented every year. Sometimes, the policies even conflict with one another, making compliance an incredibly challenging task.
With such a broad set of policies, how do federal IT shops ultimately implement, govern, and enforce them?
Much of the implementation, governance, and enforcement of IT policies is done manually with teams of expensive IT Specialists. The onboarding for these roles is a massive investment as well. A public sector IT specialist not only needs to have expertise in the systems implemented by the organization, but they will be expected to retain all of the relevant policy information.
Since these IT specialists are ultimately responsible for compliance, these operations typically converge into one of two methods for execution:
As the number of IT policies grows, so too does the mental load a specialist takes on, leading to burnout and potential loss of knowledge if they leave. A departure means that onboarding and training starts all over again, which carries significant financial costs.
While federal agencies could hire more personnel, operational needs are quickly outpacing hiring for these roles due to demands for an accelerating “speed of mission.” All of this leads to a large backlog of policy reviews and system assessments. Ultimately, these delays halt technology adoption and innovation.
Some efforts are underway to reduce the toil around policy management. Tools like Gamechanger are in development to utilize AI to organize and sift through the mountain of policy information. While these efforts are important, at their core, they still rely on a massive amount of manual tasks, supplemented with an optimized information retrieval system.
Other vendors work with government partners and consultants to assess and certify their products through compliance frameworks like the Federal Risk and Authorization Management Program (FedRAMP), which provides an authorized stamp of approval for many bundles of IT policies. That said, these compliance frameworks still have infamously long time horizons, and they require a massive upfront investment that is prohibitive to small businesses and startups. These frameworks are also not broadly accepted across all federal agencies.
Agencies demonstrate maturity in their IT operations through automated policy compliance, such as scripted checks and tests. While this is a trend in the right direction, this approach is often abandoned as these practices still require manual toil because compliance tests have to be recreated for every pipeline by hand. Furthermore, they must be manually re-assessed and re-approved every time additional stages and steps are added.
While we can’t reduce the number of policies or eliminate the conflicts among them, many federal organizations are implementing policy-as-code into their IT policies. Policy-as-code allows DevSecOps staff to retain development and deployment flexibility without making trade-offs in security and compliance.
Policy-as-code accomplishes this by allowing teams to write policies that define what operations the organization cannot have, as well as what they must have and in what order. Agencies can then implement these policies in either an advisory mode that informs users what policies they are not in compliance with or an enforcing mode that actively prohibits operations.
This is not an entirely new idea, as it was popularized by the CNCF’s Open Policy Agent (OPA) project. Agencies can ease the process with tools that automate the processes. The Harness platform incorporates Policy-as-Code — based on OPA — as a centralized policy management and rules service that helps organizations create and enforce policies on deployments, infrastructure, and more, providing developer velocity without sacrificing compliance and standards.
Policy-as-code addresses the pain of toil directly:
As much as policy-as-code can reduce the toil of managing and implementing IT policy, there are still instances that will require recorded verification and authorization from a trusted audit official or change advisory board. In addition, “human-in-the-loop” methods — incorporating manual checkpoints within automated processes — can be an easy stand-in for more complex policy compliance assessments.
While we can’t automate humans, we can remove much of the toil involved with reliably performing change management within your organization. Many change management processes used today require persistent, manual processes that don’t add value. One example is when the status of operations has to be manually updated in various systems of record, and when approvals are often followed by manual continuation of operations along their development lifecycle.
Many solutions offer pipeline integrations into popular change management tools like Jira and ServiceNow, as well as built-in manual approval functionality for companies that don’t currently rely on vendor systems. Harness, for example, programmatically adds full context updates to Jira and ServicNow tickets, such as links to results from Security Test Orchestration and Continuous Verification, and notifies change management personnel when approval gates require their attention. If a change is approved by an authorized party, Harness records this approval and can automatically proceed with the next stage of a pipeline. If a change is not approved, Harness can pause or stop a pipeline and initiate any automated rollbacks if required.
Harness is the fastest and easiest way to onboard your personnel and IT operations into modern DevSecOps methodologies that exceed public sector governance and compliance requirements without compromising on delivery.
Harness offers key benefits for federal IT teams, including:
Learn more about how we’re implementing policy-as-code, automated change management, and more to help federal agencies adopt DevSecOps at scale on our governance page, and request a personalized demo to see these features in action.
Enjoyed reading this blog post or have questions or feedback?
Share your thoughts by creating a new topic in the Harness community forum.