Aug 21 2020

DevOps and Audits Are Natural Partners for Government

DevOps can actually help government agencies maintain compliance and make audits smoother.

Anyone who’s worked in a development environment has probably heard a colleague mutter the following phrase: “Better not tell the auditors about that.”

Remarks like this illustrate the tension between DevOps teams and compliance auditors in an organization. One side wants to move fast, experiment with new processes and get builds into production. The other side lays down strict rules and prefers to slow things down. Developers are wary of disclosing their secrets to auditors. Auditors want everything to be out in the open.

The two sides made peace a couple of years ago, and that’s good news for heavily regulated sectors like government, defense and financial services. A group of DevOps leaders developed a list of audit-friendly best practices and published what they called their “love letter to auditors” in 2018.

When it comes down to it, DevOps teams and those involved in compliance share a lot of common ground. An auditor wants software delivery teams at agencies to document the steps they take and to be able to prove they did what they say they did. Fundamentally, that means crafting a traceable and verifiable account of how software ends up in production: what's in it, how it's built, who touched it, how it was tested and what processes are in place to ensure it works the way it should.

Federal agencies have to adhere to strict compliance requirements. DevOps helps them set up practices to follow the rules.

Setting Up the DevOps-Audit Cycle

Organizations that adopt DevOps have an easier time with audits. It works as a cycle: if you get audited regularly, you pay attention to details. Being detail-oriented helps you get better at certain tasks because you understand them more deeply.

DevOps promotes delivery in small batch sizes, releasing early and releasing often. These practices force you to improve your mechanics, and that’s what auditors are interested in — how you’re doing what you’re doing. They don’t care if you’re using Java or Python; they do care that you test software regularly, that you document how and why you make changes, and that you track how those changes get done.

Organizations that tend to do well in their DevOps deployments are the kind of organizations that pass audits. They tend to be open and transparent. The ones that fail or stall out are the ones that are closed off and siloed, and not able or willing to break down those cultural barriers.

Auditing and compliance have actually emerged as a prime motivation for doing DevOps. A large financial services company we’ve worked with had a process where the software team went through 65 steps before it could send a single file into production. Sifting through details relating to each of those steps when the auditors asked for information was a drawn-out process.

When a vulnerability is announced, auditors will want to know what you've done about it. If you don't have a bill of materials for your applications, and you don't know which versions of them are running where, you can't easily answer the question of where the vulnerable component is deployed. Since adopting DevOps practices, the institution collects that information in minutes rather than days or weeks.

A big defense contractor went through a similar evolution in its DevOps adoption. The contractor used to follow a scrum process in which, at the end of each iteration, it spent two weeks compiling paperwork on what teams had done. This process helped with mandatory audits, but it was woefully inefficient. After instituting a continuous integration/continuous delivery workflow, the organization was able to reduce the reporting effort to hours. Instead of having to go to 15 different systems and talk to a bunch of people, teams captured the evidence as they went along and assembled it into a consumable format at the end.


How to Streamline Your Agency’s Audits

If you’re in a highly regulated industry such as government, there are some ways you can configure your DevOps processes to help streamline your audits. Here are a few tips.

  • Watch closely for vulnerabilities: You can scan manually or automate it, but scan everything so you spot bugs early in the process. A lot of organizations do all their scanning just before they put software into production, but many vulnerabilities in deployed components aren't disclosed until years after they were put in place. Scanning therefore has to continue against what is actually running, not just against what is about to ship.
  • Understand everything you have in production: Keep an electronic bill of materials recording what's running where, including all versions, third-party libraries and open-source components. Know what you're running, so that when a vulnerability is announced you already have the answer the auditors are looking for.
  • Value stream mapping: Use it as a framework to understand what your process actually is. If you don't collectively have a detailed understanding of the path your code takes, from the time you have the idea to the time it reaches production, you can't explain to an auditor how things are progressing. This is especially valuable for organizations starting out: anything that helps you automate and orchestrate also helps you audit and stay compliant.
  • Adopt a holistic approach to software delivery: To conduct an efficient, accurate audit, you need information and visibility across your organization. One way to get that is to adopt a software delivery management mindset, which connects all facets of your organization's software delivery function, from ideation to release to sales and back again, through feedback loops. SDM commits organizations to unfettered information sharing, streamlined communications and a common system of record.
  • Don't ignore culture: You don't want to be in the kind of organization where a vulnerability gets discovered and people don't feel comfortable telling the CISO about it. If you don't understand how your own process works, you can't get through an audit. Culture and communication are all very important if you operate in a highly audited organization. Somebody's going to turn that rock over; it's better if you raise the problem rather than the auditor.
  • Get stakeholders involved: Make sure you get the right people in the room to set up practices for pulling information out quickly when an audit comes.
  • But don't try to boil the ocean: If you have 500 products, don't try to get all 500 teams in the room. Work with a representative sampling of the technologies, platforms and types of products you're working with, including some teams that are early adopters and some that aren't. Don't try to fix everything at once.

There’s no reason DevOps and audits can’t be best friends. The initial tensions have subsided, and delivery processes have become more predictable, safer, more secure and more efficient. They’re becoming easier to manage from a compliance standpoint. If you’re in a highly regulated industry, DevOps is one of best tools you can add to your toolbox.
