Co-authored by Gavin Littleboy
Government agencies face significant challenges in maintaining network compliance due to the ever-increasing complexity of regulations. From NIST 800-53 and cybersecurity vulnerability management to security requirement guides such as the DISA Security Technical Implementation Guides (STIGs) for the Department of Defense, comprehensive measures require configuring and maintaining networks so that they stay compliant and remain secure against vulnerabilities and threats. Compounding this issue are the limited budgets and resources available within government entities, which can make it difficult to allocate sufficient personnel and tools to manage compliance effectively. Additionally, the need to integrate diverse technologies and legacy systems further complicates compliance efforts. These systems often lack the flexibility needed to adapt quickly to new and evolving threats, making the task of achieving and maintaining continuous compliance an ongoing struggle. Agencies are looking at how automation and orchestration can help with these challenges.
The evolution of NetOps and SecOps teams is transforming how government agencies approach network compliance and security.
NetOps, DevOps, SecOps confused? See details here: What is NetOps?
Traditionally operating in silos, these teams are now increasingly required to collaborate and address shared challenges. NetOps teams are looking to deploy continuous network automation and validation to simplify operations, increase speed and efficiency to deliver services, and improve performance and resiliency of critical network infrastructure. SecOps teams are constantly responding to evolving threats such as vulnerabilities created from configuration mistakes, neglected updates, and not having adequate visibility into security posture, delaying response efforts.
Automation is required to scale these efforts, enabling teams to efficiently manage routine tasks and respond swiftly to threats as network demands grow. Many technical challenges exist in automating network compliance. For example, what are we looking for when it comes to network compliance? For networks, we are validating end-of-life equipment, code versions, CVEs/PSIRTs (Common Vulnerabilities and Exposures/Product Security Incident Response Team advisories), security implementation guides such as the DoD STIGs, and network and organizational standards. As this list of compliance considerations demonstrates, there are many touchpoints that quickly make compliance a challenging task, one that turns into a "firefight" scenario where all resources are urgently focused on catching up on compliance before the next audit. As it relates to network configurations, there are three patterns in compliance checks.
A given compliance requirement necessitates the assessment of either a network configuration or network state. These checks generally fall into 3 assessment patterns: match configuration, match variables, or match business logic.
Configuration matches look for exact matches in configuration. Examples include disabling or enabling of services such as http or password-encryption.
Variable matches look for partial or variable-substitution matches in configuration. Examples include validating that multiple NTP (Network Time Protocol) servers are configured or that configured BGP (Border Gateway Protocol) neighbors are using authentication.
Business logic matches look for organizationally defined patterns in configuration. Examples include validating that a boundary access control list is applied to the correct interface and that it blocks organizationally defined protocols. This last pattern is the most complex to implement and varies widely between organizations based on the local implementation of the required policy.
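As an added illustration (not code from this post or from Cisco NSO), the following Python script implements the three check patterns above against a constructed IOS-style configuration snippet: exact-line matches for the http and password-encryption services, variable matches for NTP server count and BGP neighbor authentication, and a business-logic check that the boundary ACL is applied inbound on the uplink interface and denies the organization's blocked protocols before any permit-any entry. The sample config, the UPLINK description keyword used to identify the boundary interface, and the blocked-port list are all assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample running-config (IOS-like syntax, not from a real device).
# It deliberately leaves one BGP neighbor without authentication so the
# variable-match check has a finding to report.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
service password-encryption
no ip http server
ntp server 10.0.0.10
ntp server 10.0.0.11
!
ip access-list extended BOUNDARY-IN
 deny tcp any any eq 23
 deny udp any any eq 69
 permit ip any any
!
interface GigabitEthernet0/0
 description UPLINK-TO-ISP
 ip address 192.0.2.1 255.255.255.252
 ip access-group BOUNDARY-IN in
!
router bgp 65001
 neighbor 192.0.2.2 remote-as 65002
 neighbor 192.0.2.2 password 7 094F471A1A0A
 neighbor 198.51.100.2 remote-as 65003
"""


def check_configuration_match(cfg: str, required: List[str]) -> Dict[str, bool]:
    """Pattern 1: each required line must appear verbatim (indentation ignored)."""
    lines = {line.strip() for line in cfg.splitlines()}
    return {req: req in lines for req in required}


def check_ntp_servers(cfg: str, minimum: int = 2) -> Tuple[bool, List[str]]:
    """Pattern 2: at least `minimum` distinct 'ntp server <addr>' lines."""
    servers = sorted(set(re.findall(r"^ntp server (\S+)", cfg, re.M)))
    return len(servers) >= minimum, servers


def check_bgp_neighbor_auth(cfg: str) -> Dict[str, bool]:
    """Pattern 2: every BGP neighbor with a remote-as must also carry a password."""
    neighbors = set(re.findall(r"^\s*neighbor (\S+) remote-as", cfg, re.M))
    authed = set(re.findall(r"^\s*neighbor (\S+) password", cfg, re.M))
    return {n: n in authed for n in sorted(neighbors)}


def parse_blocks(cfg: str, header_re: str) -> Dict[str, List[str]]:
    """Return {name: [child lines]} for each block whose header matches header_re.
    A child line is an indented line following the header; '!' or any other
    non-indented line ends the block."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in cfg.splitlines():
        match = re.match(header_re, line)
        if match:
            current = match.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def denies_before_permit_any(entries: List[str], proto: str, port: int) -> bool:
    """True if the ACL denies proto/port before a 'permit ip any any' shadows it."""
    target = f"deny {proto} any any eq {port}"
    for entry in entries:
        if entry == target:
            return True
        if entry == "permit ip any any":
            return False  # shadowed: traffic is already permitted at this point
    return False


def check_boundary_acl(cfg: str, boundary_keyword: str = "UPLINK",
                       blocked: Tuple[Tuple[str, int], ...] = (("tcp", 23), ("udp", 69))) -> Dict[str, dict]:
    """Pattern 3 (business logic, assumed policy): every interface whose description
    contains `boundary_keyword` must have an inbound ACL that denies each blocked
    protocol/port before any permit-any entry."""
    acls = parse_blocks(cfg, r"^ip access-list extended (\S+)")
    interfaces = parse_blocks(cfg, r"^interface (\S+)")
    results: Dict[str, dict] = {}
    for name, children in interfaces.items():
        if not any(c.startswith("description") and boundary_keyword in c for c in children):
            continue  # not a boundary interface under the assumed policy
        inbound = [c.split()[2] for c in children
                   if c.startswith("ip access-group") and c.endswith(" in")]
        if not inbound:
            results[name] = {"acl_applied_inbound": False, "blocks_required_protocols": False}
            continue
        entries = acls.get(inbound[0], [])
        results[name] = {
            "acl_applied_inbound": True,
            "acl": inbound[0],
            "blocks_required_protocols": all(denies_before_permit_any(entries, p, port)
                                             for p, port in blocked),
        }
    return results


def run_compliance_checks(cfg: str) -> dict:
    """Run all three patterns and return a report dictionary."""
    return {
        "configuration_match": check_configuration_match(
            cfg, ["service password-encryption", "no ip http server"]),
        "ntp_servers": check_ntp_servers(cfg),
        "bgp_neighbor_auth": check_bgp_neighbor_auth(cfg),
        "boundary_acl": check_boundary_acl(cfg),
    }


if __name__ == "__main__":
    for check, result in run_compliance_checks(SAMPLE_CONFIG).items():
        print(f"{check}: {result}")
```

The third check is where the organizational variation lives: the keyword that identifies a boundary interface, the protocol list, and the rule that a deny must precede a catch-all permit are all local policy decisions, which is why this pattern is the hardest to generalize across agencies.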
Today, SecOps teams use their domain specific auditing tools to audit the network and create reports. These reports are then shared with the NetOps team who must interpret, translate to network domain configurations, and then implement the network change. This lengthy process then repeats.
Imagine a network automation platform where NetOps and SecOps can leverage unified tooling to solve common goals and enable continuous compliance auditing, reporting, and remediation. Security teams typically describe compliance "intent" in the form of rules that validate whether a network configuration satisfies the criteria. Network operators have to satisfy not only these compliance requirements, but network design requirements and other factors when creating a final template to be applied to the network.
Cisco Crosswork Network Services Orchestrator (NSO) provides this capability: it enables network operators to automate and manage complex networks and includes a built-in compliance engine to validate network compliance. It offers a versatile and powerful solution that supports configuration management, service orchestration, and network-wide policy enforcement. Cisco NSO 6.x comes with significant compliance updates such as compliance templates and an intuitive compliance reporting interface, and continues to introduce features to cover the patterns above. Cisco NSO has modern APIs and a stateful database where continuous compliance can be validated based on real-time network state and reported up to northbound systems. Cisco NSO is also model-driven, meaning data models and their intents can be translated directly into the intended implementation state in the network. This enables a new paradigm in which SecOps teams can audit and report compliance checks with the same tooling and configuration templates that the NetOps team has defined for the network, and use them for remediation. With Cisco NSO, teams can ensure consistent compliance across multi-vendor network elements, streamline operations, and enhance collaboration between different teams within an organization.
To learn more about Cisco Crosswork NSO or to see examples of how to build compliance templates, see below.
Crosswork NSO Solution Overview
Compliance Reporting Examples Repository on NSO Developer GitHub
As the roles within NetOps and SecOps evolve, fostering a culture of learning and adaptability ensures that personnel can effectively manage new technologies and regulatory requirements. By building cross-functional expertise and problem-solving capabilities, agencies can address current compliance needs and anticipate future demands, leading to more resilient and responsive operations. Achieving effective compliance solutions and leveraging automation yields substantial returns on investment (ROI) for government agencies, resulting in notable cost savings and enabling agencies to allocate resources more strategically and focus on their core missions. This not only protects the agency's reputation but also ensures the uninterrupted delivery of essential services.
To dive deeper into network compliance and automation, join us at Cisco Live San Diego from June 8-12, 2025 for two insightful sessions exploring strategies and solutions to enhance your network operations:
DEVNET-2144 - "Automating Network Compliance: Leveraging Cisco NSO for Compliance Auditing, Reporting, and Remediation"
DEVWKS-2083 - "The Journey of Automating Network Compliance using Cisco NSO"
Register for Cisco Live
If you would like to learn more about how Cisco can help your compliance needs or to get started on your Automation Journey, reach out to your Account Team.
Read about last year's Cisco CX Customer Hero winning the World Class Cybersecurity award for a Department of Defense Combat Support Agency
Other Automation Blogs
Learn more about other Cisco solutions to help government agencies with compliance
Cisco SaaS Compliant Product Availability