Preventive and Remediative Enforcement

When an Evaluation logs a non-compliance finding, the next step is to respond with corrective action. This is often done within the same tool or process that produced the Evaluation Finding, which then alerts, interrupts, or remediates. The latter two are Enforcement actions; ongoing activities such as alerting belong to Continuous Monitoring.

While this activity is often viewed as purely objective, we treat it as a continuation of Risk Assessment because the enforcement layer involves forming an Opinion on the best course of action when non-compliance is found. Choosing whether to prevent or remediate, and when and how to do each, requires an understanding of the Risk associated with each possible course of action, including the Risk introduced by the Enforcement itself, such as an automated change that interrupts a running service.

Preventive Enforcement is any action that interrupts a process before non-compliance can occur. It primarily responds to malformed intent, such as a bad configuration, but it may also include more complex behavioral Evaluation processes that run before the sensitive activity is deployed.

In software development lifecycles, this may take the form of a deployment gate, analogous to a perimeter gate on a physical property that controls admission. Every intended change is vetted against Policy before it takes effect. Note that a gate covers only changes that pass through it; drift introduced outside the pipeline (a manual console change, an expired credential, a newly discovered weakness) is not caught by a gate and falls to Remediative Enforcement.

Remediative Enforcement describes corrective action in response to non-compliance in an already deployed activity. This may include isolating, replacing, retraining, or re-deploying the noncompliant resource with a compliant configuration. It typically requires three things: observability sufficient to determine the current state of the resource; access to the latest applicable Policies, so that a change in either the environment or the Policy results in remediation that is aligned with the Policy as it now stands; and defined operational thresholds that bound what automated remediation is permitted to do in a given run before a human is brought in.

Because many remediation activities change running systems, and because an unexpected change can confuse end users, proper logging and alerting should always be put in place alongside remediation tools, so that every automated change, and every change that was withheld, is recorded and visible.

Extending the point made in Figure 7.1, Enforcement activities are more effective when each action is explicitly mapped to the Evaluation result that triggered it. This allows every person or system involved in the change to understand the complete justification (which Policy, which resource, which finding), instead of the Enforcement appearing to be applied arbitrarily.
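The following is an added example, not code from the original page, showing how the pieces above fit together in code: Evaluation produces Findings, a deployment gate applies Preventive Enforcement to a change set, a remediation pass applies Remediative Enforcement to deployed resources under a per-Policy operational threshold, and every Enforcement action (or withheld action) is logged with the Policy, resource and reason that justify it. The policy identifiers (P-001 to P-003), the resource shapes (plain dicts with `kind`, `public`, `ssh_ingress`, `owner`) and the thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional

class Action(Enum):
    ALERT = "alert"          # Continuous Monitoring: record, change nothing
    PREVENT = "prevent"      # Preventive Enforcement: stop before deployment
    REMEDIATE = "remediate"  # Remediative Enforcement: correct after deployment

@dataclass(frozen=True)
class Finding:
    policy_id: str
    resource_id: str
    reason: str

@dataclass(frozen=True)
class Policy:
    policy_id: str
    check: Callable[[dict], Optional[str]]   # returns a reason string, or None if compliant
    fix: Optional[Callable[[dict], dict]]    # None means the Policy is not auto-remediable
    max_auto_fixes: int                      # operational threshold: automatic fixes per run

# Assumed example Policies; real checks would query a cloud API or IaC model.
def _public_bucket(r):
    return "bucket is publicly readable" if r.get("kind") == "bucket" and r.get("public") else None

def _open_ssh(r):
    if r.get("kind") == "sg" and "0.0.0.0/0" in r.get("ssh_ingress", []):
        return "SSH ingress open to 0.0.0.0/0"
    return None

def _has_owner(r):
    return None if r.get("owner") else "resource has no owner tag"

POLICIES = [
    Policy("P-001", _public_bucket, lambda r: {**r, "public": False}, 5),
    Policy("P-002", _open_ssh,
           lambda r: {**r, "ssh_ingress": [c for c in r["ssh_ingress"] if c != "0.0.0.0/0"]}, 2),
    Policy("P-003", _has_owner, None, 0),  # ownership needs a human decision: alert only
]

def _entry(action, f, note=""):
    # Every log line carries the Evaluation result that justifies the action.
    return {"action": action.value, "policy": f.policy_id,
            "resource": f.resource_id, "reason": f.reason, "note": note}

def evaluate(resources, policies=POLICIES):
    """Evaluation: run every Policy check over every resource."""
    return [Finding(p.policy_id, r["id"], reason)
            for r in resources for p in policies
            if (reason := p.check(r)) is not None]

def gate(change_set, policies=POLICIES):
    """Preventive Enforcement: a deployment gate. Any Finding rejects the whole
    change set; the log explains each rejection by Policy and resource."""
    findings = evaluate(change_set, policies)
    return len(findings) == 0, [_entry(Action.PREVENT, f) for f in findings]

def remediate(deployed, policies=POLICIES):
    """Remediative Enforcement over deployed resources. Fixes are applied only
    while the Policy's per-run threshold allows; anything beyond it, and any
    Policy with no automatic fix, is alerted for manual review instead."""
    by_id = {p.policy_id: p for p in policies}
    fixes_done = {p.policy_id: 0 for p in policies}
    result, log = [], []
    for r in deployed:
        current = r
        for f in evaluate([r], policies):
            p = by_id[f.policy_id]
            if p.fix is not None and fixes_done[p.policy_id] < p.max_auto_fixes:
                current = p.fix(current)
                fixes_done[p.policy_id] += 1
                log.append(_entry(Action.REMEDIATE, f))
            else:
                log.append(_entry(Action.ALERT, f,
                                  note="manual review: no auto-fix or threshold reached"))
        result.append(current)
    return result, log

if __name__ == "__main__":
    # Constructed sample input: three world-open security groups and one public bucket.
    deployed = [{"id": f"sg{i}", "kind": "sg", "owner": "team-b",
                 "ssh_ingress": ["0.0.0.0/0", "10.0.0.0/8"]} for i in range(3)]
    deployed.append({"id": "b3", "kind": "bucket", "public": True})
    fixed, log = remediate(deployed)
    for e in log:
        print(e)
    print("remaining findings:", evaluate(fixed))
```

The threshold on P-002 is what turns a remediation bot into something an operator can trust: the third open security group is alerted rather than silently rewritten, and the log shows which Finding each action answers, which is the mapping to Evaluation results described above.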