Layer 6
Preventive and Remediative Enforcement
When an evaluation logs a non-compliance finding, the next step is to respond with corrective action. This is often done within the same process that identified the finding, which will then alert, interrupt, or remediate. The latter two are considered enforcement actions, while ongoing activities such as alerting are part of continuous monitoring.
Preventive Enforcement involves any action that interrupts a process to prevent noncompliance. This is primarily in response to malformed intent, such as a bad configuration, but it may also include more complex behavioral evaluation processes that are executed prior to the deployment of the sensitive activity.
In software development lifecycles, this may take the form of a deployment gate — equivalent to a perimeter gate on a physical property which controls admission. This ensures that all actions that are intentionally taken are vetted according to policy.
Remediative Enforcement describes corrective action in response to noncompliance in a deployed activity. This may include isolating, replacing, retraining, or re-deploying the noncompliant resource with a compliant configuration. This typically requires some form of observability to detect the actual state of the target resource, and communication with the latest applicable policies to ensure that any changes to the environment — or to the policy — result in immediate remediation.
Due to the volatile nature of many remediation activities, and the potential for end-user confusion, proper logging and alerting should always be put in place alongside remediation tools.
Extending the point made in Figure 7.1, enforcement activities may find heightened success when properly mapped to evaluation results. This allows every person or system involved in the change to understand the complete justification, instead of the enforcement being applied arbitrarily.
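The distinction drawn above, as an added example that is not part of the original text: a small policy engine that logs each evaluation finding and maps it to an enforcement action, either a preventive deployment gate that interrupts a non-compliant change or a remediative pass that corrects a deployed resource. The policy rules, resource fields and severities are constructed for illustration, not taken from any real system.

```python
"""Added example: evaluation findings mapped to preventive and remediative enforcement.
Policy rules, resource fields and severities below are constructed for illustration."""
import logging
from dataclasses import dataclass

log = logging.getLogger("enforcement")

# Constructed policy: each rule names a setting, its compliant value and a severity.
POLICY = {
    "encryption_at_rest": {"required": True, "severity": "high"},
    "public_access": {"required": False, "severity": "high"},
    "log_retention_days": {"required": 90, "severity": "medium"},
}


@dataclass
class Finding:
    """One non-compliance finding: the rule, what was observed and what policy expects."""
    rule: str
    observed: object
    expected: object
    severity: str


def evaluate(config: dict) -> list[Finding]:
    """Compare a resource configuration against POLICY; a missing key is non-compliant."""
    return [Finding(rule, config.get(rule), spec["required"], spec["severity"])
            for rule, spec in POLICY.items() if config.get(rule) != spec["required"]]


class DeploymentBlocked(Exception):
    """Raised by the preventive gate; carries the findings that justify the interrupt."""
    def __init__(self, findings: list[Finding]):
        super().__init__(f"deployment blocked by {len(findings)} finding(s)")
        self.findings = findings


def preventive_gate(config: dict) -> dict:
    """Preventive enforcement: alert on every finding, then interrupt the deployment if any exist."""
    findings = evaluate(config)
    for f in findings:
        log.warning("gate: %s observed=%r expected=%r severity=%s",
                    f.rule, f.observed, f.expected, f.severity)
    if findings:
        raise DeploymentBlocked(findings)
    return config  # compliant: admitted past the gate unchanged


def remediate(deployed: dict) -> tuple[dict, list[Finding]]:
    """Remediative enforcement: re-apply the compliant value for each finding on a deployed
    resource, returning the findings so every change stays tied to its justification."""
    findings = evaluate(deployed)
    fixed = dict(deployed)
    for f in findings:
        fixed[f.rule] = f.expected
        log.warning("remediated %s: %r -> %r (severity=%s)", f.rule, f.observed, f.expected, f.severity)
    return fixed, findings
```

Both paths return the findings alongside the action taken, so the log and the caller can show why each interrupt or change happened rather than applying enforcement arbitrarily.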