
Jul 28 2025
Security

Beyond Box Checking: How Compliance as Code Transforms Security and Efficiency

States and cities can use Compliance as Code to codify compliance directly within software and IT systems.

Manually monitoring, reporting on and maintaining compliance with government cybersecurity mandates is highly inefficient, especially for IT professionals who oversee hundreds or thousands of systems. These practices are even more unsustainable now that many state governments have adopted Department of Government Efficiency-style initiatives — some entailing headcount reductions.

These efforts, combined with an ongoing retirement wave that’s been dubbed the “silver tsunami,” have put pressure on remaining IT professionals. Now more than ever, these individuals must do more with less while navigating the loss of institutional knowledge as mandates become more frequent and security threats more sophisticated.

Compliance as Code (CaC) offers a more scalable approach to staying up to date. It is the practice of using machine-readable code to define and automate the security settings and updates that keep systems continually compliant with regulations. For example, agencies can automatically align their security configurations with the requirements of HIPAA, the publications of the National Institute of Standards and Technology, or state-specific laws.

CaC offers repeatability and consistency, allowing compliance to go from a highly manual “check the box” exercise to a continuous, value-added process.


A Five-Step Process for CaC

Here’s a five-step process for implementing CaC. Each step leads directly to the next, and each is equally important.

  1. Standardize rules (define “codeable” policies): Clearly define agency policies and regulatory requirements into precise, unambiguous and measurable statements that can be translated into machine-readable instructions. Focus on specific controls (e.g., “all servers must have X security patch”).
  2. Select tools (choose automation platform): Identify and procure appropriate automation and configuration management tools that can codify rules and continuously monitor system configurations against them. This includes Policy as Code engines, Infrastructure as Code platforms and continuous integration/continuous delivery pipelines.
  3. Develop baselines (write the code): Translate the standardized policies into executable “code” — scripts, templates or configurations — that define the desired secure and compliant state for IT systems and infrastructure. Store this code in version control.
  4. Integrate and test (automate enforcement and validation): Integrate the compliance code into the agency's development and operational workflows. Automate testing to validate that new deployments and existing systems adhere to the codified policies before and after going live, identifying deviations.
  5. Monitor and report (continuous compliance and feedback): Implement continuous monitoring to automatically detect and report compliance drift. Establish automated reporting mechanisms to provide real-time visibility into the agency's compliance posture, enabling a rapid response to noncompliance and providing insights for policy refinement.
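The five steps above, carried through in code as an added example (this is not code from the article, and not an agency's or vendor's product). The baseline rules, the fact names such as `sshd.PermitRootLogin`, the operators, and the two sample hosts are all constructed for illustration; in practice the facts would come from a collector such as a configuration-management agent or an OpenSCAP scan. The point the code makes that the list does not is in step 4: a control that was never measured is reported as a failure, never silently skipped.

```python
"""Toy Compliance-as-Code evaluator: rules are data, evaluation is code,
and the output is a drift report that a CI/CD gate or a monitoring job
can act on.  All rule names, fact names and host facts below are
constructed sample input, not gathered from a real system.
"""
import json
import operator

# Steps 1 and 3: the baseline.  Each rule is one precise, measurable
# statement ("sshd must set PermitRootLogin no") kept as data in version control.
BASELINE = {
    "id": "sample-linux-baseline-v1",
    "rules": [
        {"id": "SSH-001", "fact": "sshd.PermitRootLogin", "op": "eq", "expected": "no", "severity": "high"},
        {"id": "SSH-002", "fact": "sshd.PasswordAuthentication", "op": "eq", "expected": "no", "severity": "high"},
        {"id": "PWD-001", "fact": "login.password_minlen", "op": "ge", "expected": 14, "severity": "medium"},
        {"id": "PKG-001", "fact": "pkg.openssl", "op": "version_ge", "expected": "3.0.13", "severity": "high"},
        {"id": "FS-001", "fact": "mount./tmp.options", "op": "contains", "expected": "noexec", "severity": "low"},
    ],
}


def _version_tuple(version: str) -> tuple:
    """'3.0.13' -> (3, 0, 13) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


# Step 2: the engine.  Operators are the only place where checking logic lives,
# so adding a rule never means writing new code.
OPERATORS = {
    "eq": operator.eq,
    "ge": operator.ge,
    "contains": lambda actual, expected: expected in actual,
    "version_ge": lambda actual, expected: _version_tuple(actual) >= _version_tuple(expected),
}


def evaluate(baseline: dict, facts: dict) -> list:
    """Step 4: validate one host's facts against every rule.

    A missing fact is a failure, not a skip: an unmeasured control is not a
    passing control.  A fact of the wrong shape (e.g. an unparsable version
    string) is also a failure, with the parser error recorded as the reason.
    """
    results = []
    for rule in baseline["rules"]:
        actual = facts.get(rule["fact"])
        if actual is None:
            status, reason = "fail", "fact not collected"
        else:
            try:
                ok = OPERATORS[rule["op"]](actual, rule["expected"])
            except (ValueError, TypeError) as exc:
                ok, actual = False, f"{actual!r} ({exc})"
            status = "pass" if ok else "fail"
            reason = "" if ok else f"expected {rule['op']} {rule['expected']!r}, got {actual!r}"
        results.append({"rule": rule["id"], "severity": rule["severity"], "status": status, "reason": reason})
    return results


def drift_report(baseline: dict, fleet: dict) -> dict:
    """Step 5: fleet-wide summary suitable for a dashboard or a CI gate."""
    per_host = {host: evaluate(baseline, facts) for host, facts in fleet.items()}
    failures = {h: [r for r in rs if r["status"] == "fail"] for h, rs in per_host.items()}
    return {
        "baseline": baseline["id"],
        "hosts_checked": len(fleet),
        "hosts_compliant": sum(1 for f in failures.values() if not f),
        "failures": {h: f for h, f in failures.items() if f},
    }


def gate(report: dict, block_on=("high",)) -> bool:
    """CI/CD gate: False if any failure at a blocking severity exists."""
    return not any(r["severity"] in block_on for fs in report["failures"].values() for r in fs)


# Constructed facts for two hosts.  db-02 has drifted on three rules and
# never reported its /tmp mount options at all.
FLEET = {
    "db-01": {
        "sshd.PermitRootLogin": "no",
        "sshd.PasswordAuthentication": "no",
        "login.password_minlen": 14,
        "pkg.openssl": "3.0.15",
        "mount./tmp.options": "rw,nosuid,nodev,noexec",
    },
    "db-02": {
        "sshd.PermitRootLogin": "yes",   # drift
        "sshd.PasswordAuthentication": "no",
        "login.password_minlen": 8,      # drift
        "pkg.openssl": "3.0.11",         # below the required patch level
        # FS-001 fact missing entirely -> reported as a failure
    },
}

if __name__ == "__main__":
    report = drift_report(BASELINE, FLEET)
    print(json.dumps(report, indent=2))
    raise SystemExit(0 if gate(report) else 1)
```

Run stand-alone, the script prints the report and exits non-zero because db-02 carries high-severity failures, which is exactly the behaviour a pipeline stage needs to block a deployment. The same `drift_report` output, produced on a schedule rather than in a pipeline, is the continuous-monitoring feed of step 5.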


Bring Open-Source Tools Into Your Compliance Efforts

Public agencies deserve tools that are as open and accountable as their missions, and open source delivers just that. Open-source tools provide transparency and auditability, allowing IT teams to inspect the code and logic behind security and compliance checks. Teams can customize their tools to match specific policies and regulatory frameworks.

Open-source software also plays a key role in automation. IT administrators can automate security configurations and remediation steps, ensuring consistent compliance with minimal manual intervention across large and complex IT environments. Open-source projects, such as OpenSCAP, provide a set of tools and a framework for automating security configuration, vulnerability management and policy compliance evaluation of computer systems.

OpenSCAP is not just a tool for compliance; it also embodies the principles of CaC, allowing organizations to define their security posture in code and ensure their systems automatically adhere to it, significantly reducing manual effort and improving accuracy and consistency.
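OpenSCAP reports scan results in the XCCDF format, and the monitoring-and-reporting step depends on consuming those results rather than reading an HTML report by hand. The following is an added example, not code from the article or from the OpenSCAP project: it parses a constructed, trimmed XCCDF 1.2 `TestResult` such as `oscap xccdf eval --profile <profile-id> --results results.xml <datastream>` writes, and reduces it to a pass/fail view. The host name and the rule identifiers in the sample are illustrative; the result vocabulary (`pass`, `fail`, `error`, `unknown`, `notchecked`, `notapplicable`, `notselected`, `informational`, `fixed`) is XCCDF's own. The design choice worth noticing is that `notchecked` and `unknown` are counted as noncompliant, because a control the scanner could not evaluate is not one the agency can attest to.

```python
"""Reduce an OpenSCAP XCCDF result document to a compliance summary.

The XML below is a constructed, trimmed TestResult, not a real scan; the
target host name and rule identifiers are illustrative.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample: one host, four rule results covering the interesting cases.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_sample">
  <target>db-02.example.gov</target>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" severity="high">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" severity="medium">
    <result>notchecked</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_service_telnet_disabled" severity="high">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
"""

# XCCDF results that mean "this control is not demonstrably met".
NONCOMPLIANT = {"fail", "error", "unknown", "notchecked"}
# Results that carry no compliance information and must not count either way.
EXCLUDED = {"notapplicable", "notselected", "informational"}


def parse_results(xml_text: str) -> dict:
    """Extract target and per-rule results from an XCCDF document.

    The TestResult may be the document root (as here) or nested inside a
    Benchmark or ARF wrapper, so both locations are tried.
    """
    root = ET.fromstring(xml_text)
    test_result = root if root.tag.endswith("TestResult") else root.find(".//x:TestResult", XCCDF_NS)
    if test_result is None:
        raise ValueError("no XCCDF TestResult found")
    target = test_result.findtext("x:target", default="", namespaces=XCCDF_NS)
    rules = [
        {
            "rule": rr.get("idref"),
            "severity": rr.get("severity", "unknown"),
            "result": rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS),
        }
        for rr in test_result.findall("x:rule-result", XCCDF_NS)
    ]
    return {"target": target, "rules": rules}


def summarize(parsed: dict) -> dict:
    """Count only rules that were in scope; anything not provably met is failing."""
    counted = [r for r in parsed["rules"] if r["result"] not in EXCLUDED]
    failing = [r for r in counted if r["result"] in NONCOMPLIANT]
    return {
        "target": parsed["target"],
        "evaluated": len(counted),
        "passed": sum(1 for r in counted if r["result"] in {"pass", "fixed"}),
        "failing": failing,
        "compliant": not failing,
    }


if __name__ == "__main__":
    summary = summarize(parse_results(SAMPLE_RESULTS))
    for r in summary["failing"]:
        print(f"{summary['target']}: {r['rule']} -> {r['result']} ({r['severity']})")
    print(f"{summary['passed']}/{summary['evaluated']} evaluated rules pass")
```

Pointed at a real results file instead of the embedded sample, the same two functions give a monitoring job a per-host compliance flag and the list of failing rule identifiers, which map straight back to the codified controls that need remediation.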

The Transformative Potential of CaC

One U.S. city that I worked with dramatically improved its IT operations by adopting CaC. The city implemented a broad automation strategy, including automated patch management, configuration remediation and deployment orchestration across a fleet of 90 database servers.

Each of these practices would have usually taken hundreds of personnel hours. By automating compliance, the city achieved an 81% reduction in patching time, cutting total patch durations from 180 hours to just 45 minutes for 70% of its servers.

The broader operational impact was just as striking. The city reported a 3,200% improvement in ticket response time, with routine tasks such as DNS record updates and virtual machine creation shrinking from 8 hours to 15 minutes. Even complex database snapshots, which once required weekend shifts and manual intervention from multiple engineers, saw a 98% reduction in processing time, freeing up skilled personnel for more strategic work and reducing burnout from after-hours labor.

This city’s experience underscores the transformative potential of CaC and automation. Beyond efficiency gains, the city reduced the potential for human error, strengthened the security of its systems and ensured ongoing compliance without employees having to work around the clock.


A Solid Foundation for Operational Efficiency and Resilience

CaC is a powerful asset for agencies seeking to improve efficiency and security, but it only works effectively if strong security practices are already in place. Automation cannot fix foundational weaknesses; it can only build on what is already there. Applying automation to misconfigured or unprotected systems will only exacerbate the problem.

That’s why keeping operating systems updated and patched is essential; so are enforcing strong password policies and providing regular security training. These practices form the foundation of strong security and lasting compliance.

Agencies with these core practices are well-positioned to take the next step toward automated CaC. They can transform compliance from a burden into a process that unlocks long-term operational benefits while enhancing resilience.
