QCon London: Bringing DevOps Principles to Controls and Audit

  • Author and Company: Ian Miell, author of "Docker in Practice" and Consultant Partner at Container Solutions, delivered a talk at QCon London 2025.
  • Compliance Problem: Compliance is managed the wrong way because there is a disconnect between modern DevOps practices and traditional audit and compliance procedures, which are manual, ad-hoc, and inefficient.
  • Continuous Compliance Framework (CCF): Developed by Miell's team to solve these compliance problems; it emerged from customer frustrations.
  • Problems with Current Compliance: Predominantly manual processes with audits driven by Wiki pages, spreadsheets, and ad-hoc screenshots. Audits are periodic, focus on documentation rather than working practices, and are bespoke and non-repeatable.
  • Perception and Cost: Audit and compliance are seen as a side activity and are costly and unscalable. 10% of banking operational costs is spent on compliance, and regulatory interest is increasing.
  • CCF Features: Can take data from multiple cloud environments and generate real-time compliance data streams. Its real-time capabilities, use of open standards, and developer-first approach set it apart from competitors.
  • Core Technology: Based on OSCAL (Open Security Controls Assessment Language) written by NIST. Team is working with NIST on improvements.
  • Architecture: Agent-based with Golang and MongoDB backend, using REGO as the policy configuration language.
  • Roadmap: Aim to become a standard for centralised control management. Plans include more integrations with security tools and a plugin marketplace. The goal is to help CISOs with continuous monitoring and auditing.
  • Availability: CCF is available on GitHub now.