Engineering Audit-Ready CI/CD Pipelines for Federally Regulated Scientific Computing
DOI: https://doi.org/10.15662/IJEETR.2022.0405005
Keywords: Audit-Ready Systems, CI/CD Pipelines, Federal Compliance, DevSecOps, Build Provenance, Artifact Integrity, Immutable Audit Trails, Secure Software Supply Chain
Abstract
Federally regulated scientific computing platforms must balance rapid software delivery against audit requirements that demand reproducible evidence, controlled change, and tamper-evident records. This paper proposes an engineering strategy for building audit-ready CI/CD pipelines that produce provable provenance, traceable change histories, and cryptographically verifiable artifacts as a design objective rather than as an after-the-fact reconstruction. The strategy applies managed DevSecOps controls across the delivery lifecycle: policy-as-code compliance gates, automated security and quality checks, immutable audit trail generation, and a secure software supply chain in which artifacts are signed and verified.
Using regulated biomedical scientific computing systems as reference implementations, the paper also shows how pipeline instrumentation can provide end-to-end lineage from source commit through build, test, packaging, and deployment while preserving the separation of duties and approval traceability required in public-sector IT environments. Evidence is produced continuously in a structured, machine-verifiable format from which auditors and authorizing officials can reconstruct what changed and why, who authorized it, which controls were executed, and exactly what was deployed to each environment.
A comparison of release cycles indicates that the standardized evidence package improves audit readiness, relieves authorization schedule pressure by avoiding rework and record omissions, and increases the transparency of release governance for software assurance stakeholders. The findings show that treating auditability as a first-class engineering requirement improves integrity and reproducibility without substantially degrading delivery cadence. The methodology extends to computing infrastructure communities that must meet federal specifications such as the NIST control families and FISMA-based regulation, and offers a practical path toward operationalizing compliant continuous delivery in regulated scientific computing settings.
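The abstract names three mechanisms (an immutable audit trail, cryptographically verifiable artifacts, and commit-to-deployment lineage with separation of duties) without showing how they fit together. The following is an added illustration written for this page, not the paper's reference implementation: each pipeline stage appends a record naming its inputs and outputs by content digest, each record is hash-chained to its predecessor and then authenticated, and an auditor re-derives the whole chain offline. The stage names, field names, actor names and digests are constructed; HMAC-SHA256 stands in for an asymmetric signature scheme (such as Sigstore or in-toto attestations in a real pipeline) only so that the example runs with the standard library, and it therefore assumes the verifier holds the same key as the pipeline.

```python
"""Hash-chained, authenticated provenance trail for a CI/CD pipeline.

Added example, not the paper's code.  Uses only the Python standard library;
HMAC replaces a real signature scheme purely so the example is self-contained.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64
# Constructed demo key; a real pipeline keeps its signing key in a KMS/HSM.
DEMO_KEY = b"demo-audit-key-not-for-production"


def canonical(obj) -> bytes:
    """Deterministic JSON so an identical record always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign(key: bytes, record_hash: str) -> str:
    """Authenticate a record hash (HMAC here; asymmetric signature in practice)."""
    return hmac.new(key, record_hash.encode(), hashlib.sha256).hexdigest()


class ProvenanceTrail:
    """Append-only list of stage records, each chained to its predecessor."""

    def __init__(self, key: bytes):
        self._key = key
        self.records: list[dict] = []

    def append(self, stage: str, actor: str, inputs: list[str], outputs: list[str]) -> dict:
        prev = self.records[-1]["record_hash"] if self.records else GENESIS
        body = {"seq": len(self.records), "stage": stage, "actor": actor,
                "inputs": inputs, "outputs": outputs, "prev_hash": prev}
        record_hash = sha256_hex(canonical(body))
        rec = dict(body, record_hash=record_hash, signature=sign(self._key, record_hash))
        self.records.append(rec)
        return rec


def verify_trail(records: list[dict], key: bytes) -> tuple[bool, str]:
    """Recompute every hash and MAC; an edit, reorder, or deletion is reported."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k not in ("record_hash", "signature")}
        if body.get("seq") != i:
            return False, f"sequence gap at record {i}"
        if body.get("prev_hash") != prev:
            return False, f"chain broken at record {i}"
        h = sha256_hex(canonical(body))
        if h != rec.get("record_hash"):
            return False, f"record {i} modified"
        if not hmac.compare_digest(sign(key, h), rec.get("signature", "")):
            return False, f"bad signature on record {i}"
        prev = h
    return True, "ok"


def verify_lineage(records: list[dict]) -> list[str]:
    """Every input after the source stage must be an output of an earlier stage.
    Returns the inputs that cannot be traced back (empty list means full lineage)."""
    seen: set[str] = set()
    unresolved = []
    for rec in records:
        if rec["stage"] != "source":
            unresolved += [x for x in rec["inputs"] if x not in seen]
        seen.update(rec["outputs"])
    return unresolved


def separation_of_duties(records: list[dict]) -> list[str]:
    """Flag approve/deploy stages performed by someone who authored the change."""
    authors = {r["actor"] for r in records if r["stage"] == "source"}
    return [r["stage"] for r in records
            if r["stage"] in ("approve", "deploy") and r["actor"] in authors]


def build_demo_trail(key: bytes = DEMO_KEY) -> ProvenanceTrail:
    """Constructed sample run: commit -> build -> test -> approve -> deploy."""
    commit = "git:" + sha256_hex(b"example commit")[:40]
    artifact = "sha256:" + sha256_hex(b"example wheel bytes")
    report = "sha256:" + sha256_hex(b"example test report")
    t = ProvenanceTrail(key)
    t.append("source", "alice", [], [commit])
    t.append("build", "ci-runner", [commit], [artifact])
    t.append("test", "ci-runner", [artifact], [report])
    t.append("approve", "bob", [artifact, report], ["approval:CR-1"])
    t.append("deploy", "cd-runner", [artifact, "approval:CR-1"], ["env:staging"])
    return t


def tampered_result(key: bytes = DEMO_KEY) -> tuple[bool, str]:
    """Detection demo: the build record's artifact digest is swapped after the fact."""
    t = build_demo_trail(key)
    t.records[1]["outputs"] = ["sha256:" + sha256_hex(b"trojaned wheel")]
    return verify_trail(t.records, key)


if __name__ == "__main__":
    trail = build_demo_trail()
    print("intact trail:", verify_trail(trail.records, DEMO_KEY))
    print("unresolved inputs:", verify_lineage(trail.records))
    print("SoD violations:", separation_of_duties(trail.records))
    print("after tampering:", tampered_result())
```

The point of the chain is that an auditor needs only the record list and the verification key: `verify_trail` catches a rewritten field, a deleted record (the sequence number and `prev_hash` of the next record no longer match), or a re-signed forgery by someone without the key; `verify_lineage` confirms the deployed digest is the one that was built and tested; `separation_of_duties` is the kind of policy-as-code gate that would block the release before deployment rather than surface at audit time.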