Ian Miell, author of many books, including “Docker in Practice,” and Consultant Partner at Container Solutions, delivered a talk at QCon London 2025 on a modernised approach to compliance, announcing an open-source project that aims to solve many of the problems seen in the audit and compliance process.
“The way we manage compliance is wrong, but it is changing,” Miell stated, highlighting that there’s a disconnect between modern DevOps practices of automation and repeatability and traditional audit and compliance procedures which tend to be manual, ad-hoc and inefficient.
Miell’s team has developed the Continuous Compliance Framework (CCF), a project that emerged from real-world frustrations voiced by their customers about their own auditing and compliance processes. Miell went through the current state of compliance management, explaining how it suffers from four critical problems from the point of view of operations teams.
Firstly, Miell has found predominantly manual processes, with audits and compliance largely driven by wiki pages, spreadsheets and ad-hoc screenshots to track compliance status. Secondly, audits happen periodically (perhaps every six months), which means that a company may be non-compliant outside audit periods without knowing it. Thirdly, Miell has found that audits tend to focus on documentation rather than actual working practices, which he analogised to being the exact opposite of the first element of the Manifesto for Agile Development. Finally, compliance processes tend to be bespoke and non-repeatable, varying with who is doing the auditing and for whom, with little possibility of interoperability between them.
Audit and compliance are seen as a side activity and therefore are treated like a tax. It’s something we have to do, but we don’t want to talk to these people really.
Miell explained that this perception problem combined with the manual toil outlined above makes audit and compliance costly and unscalable. He cited research indicating that 10% of overall banking operational costs (not just on technology) is spent on compliance, and that regulatory interest is also increasing, for example with the EU’s Digital Operational Resilience Act (DORA) coming into effect this year.
During his presentation, Miell demonstrated the Continuous Compliance Framework (CCF). He showed how the tool can take data from multiple cloud environments, showing a system monitoring AWS VPCs, Azure subscriptions, and on-premise applications represented by Docker containers. He showed how the system generates real-time compliance data streams that users can filter and analyse into dashboards. According to Miell, CCF’s real-time capabilities, use of open standards, and developer-first approach set it apart from competitors, which tend to be closed-source and expensive. “Competitors come from the compliance side, whereas this comes from the development angle,” he explained.
At the core of the Continuous Compliance Framework is OSCAL (Open Security Controls Assessment Language), a standard written by the US National Institute of Standards and Technology (NIST), which defines machine-readable documents that compatible tools can interpret. “We decided to go all-in on OSCAL,” Miell explained, citing how it is well thought-out and covers the topic thoroughly. He did acknowledge that it can be “quite opaque to understand” however. Miell noted that his team is working with NIST on potential improvements to OSCAL, particularly around adding streaming concepts alongside the existing point-in-time focus.
The architecture behind CCF is agent-based, with small, lightweight agents that can run anywhere and stream evidence back to a central collector. It is written in Go and has a MongoDB backend (chosen because OSCAL is JSON-based), with Rego as the policy configuration language.
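To make the agent-and-stream model concrete alongside the OSCAL point-in-time view described above, here is an added Go example (not code from CCF or from Miell's talk). It assumes a simplified, constructed observation shape and placeholder control ids; only the finding states "satisfied" and "not-satisfied" are taken from OSCAL's assessment-results vocabulary. A Go closure stands in for what would be a Rego rule in a real deployment.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// Observation is one piece of evidence an agent streams to the collector.
// The shape is constructed for this example and only loosely follows the
// OSCAL observation vocabulary; it is not CCF's or NIST's schema.
type Observation struct {
	Agent     string            `json:"agent"`     // reporting agent (constructed name)
	Subject   string            `json:"subject"`   // resource the evidence is about
	Collected time.Time         `json:"collected"` // when the agent saw it
	Props     map[string]string `json:"props"`     // raw evidence key/values
}

// Policy ties a control id to predicates over one observation. In a real
// deployment these would be Rego rules; Go closures stand in here.
type Policy struct {
	ControlID string
	Applies   func(Observation) bool // does this policy cover the observation?
	Satisfied func(Observation) bool // does the evidence satisfy the control?
}

// Finding is the point-in-time result for one (control, subject) pair. The
// State values match OSCAL assessment-results: "satisfied" / "not-satisfied".
type Finding struct {
	ControlID string    `json:"control-id"`
	Subject   string    `json:"subject"`
	State     string    `json:"state"`
	Observed  time.Time `json:"observed"`
	Agent     string    `json:"agent"`
}

// Evaluate folds a stream of observations into the latest finding per
// (control, subject). Older evidence is superseded, so drift that happens
// between two scheduled audits is visible as soon as an agent reports it.
func Evaluate(stream []Observation, policies []Policy) map[string]Finding {
	latest := map[string]Finding{}
	for _, o := range stream {
		for _, p := range policies {
			if !p.Applies(o) {
				continue
			}
			key := p.ControlID + "|" + o.Subject
			if prev, ok := latest[key]; ok && !o.Collected.After(prev.Observed) {
				continue // late or duplicate delivery: keep the newer evidence
			}
			state := "not-satisfied"
			if p.Satisfied(o) {
				state = "satisfied"
			}
			latest[key] = Finding{ControlID: p.ControlID, Subject: o.Subject, State: state, Observed: o.Collected, Agent: o.Agent}
		}
	}
	return latest
}

func sortFindings(fs []Finding) {
	sort.Slice(fs, func(i, j int) bool { return fs[i].ControlID+fs[i].Subject < fs[j].ControlID+fs[j].Subject })
}

// NotSatisfied lists the findings an operator needs to act on, in stable order.
func NotSatisfied(findings map[string]Finding) []Finding {
	var out []Finding
	for _, f := range findings {
		if f.State != "satisfied" {
			out = append(out, f)
		}
	}
	sortFindings(out)
	return out
}

// Report renders the point-in-time view as JSON: the artifact a periodic audit
// would consume, generated from the stream rather than from screenshots.
func Report(findings map[string]Finding) ([]byte, error) {
	var all []Finding
	for _, f := range findings {
		all = append(all, f)
	}
	sortFindings(all)
	return json.MarshalIndent(all, "", "  ")
}

// SamplePolicies holds two constructed controls with placeholder ids (not
// entries from any real catalogue): VPC flow logs on, containers not root.
func SamplePolicies() []Policy {
	return []Policy{
		{ControlID: "NET-LOG-1",
			Applies:   func(o Observation) bool { return o.Props["kind"] == "vpc" },
			Satisfied: func(o Observation) bool { return o.Props["flow-logs"] == "enabled" }},
		{ControlID: "CTR-ROOT-1",
			Applies:   func(o Observation) bool { return o.Props["kind"] == "container" },
			Satisfied: func(o Observation) bool { return o.Props["user"] != "root" }},
	}
}

// SampleStream is a constructed sequence of agent reports: a VPC compliant at
// 09:00 that drifts at 11:00 (with a 10:00 report delivered late), plus two containers.
func SampleStream() []Observation {
	t := func(h int) time.Time { return time.Date(2025, 4, 1, h, 0, 0, 0, time.UTC) }
	return []Observation{
		{Agent: "aws-vpc-agent", Subject: "vpc-0abc", Collected: t(9), Props: map[string]string{"kind": "vpc", "flow-logs": "enabled"}},
		{Agent: "docker-agent", Subject: "api", Collected: t(9), Props: map[string]string{"kind": "container", "user": "app"}},
		{Agent: "docker-agent", Subject: "batch", Collected: t(9), Props: map[string]string{"kind": "container", "user": "root"}},
		{Agent: "aws-vpc-agent", Subject: "vpc-0abc", Collected: t(11), Props: map[string]string{"kind": "vpc", "flow-logs": "disabled"}},
		{Agent: "aws-vpc-agent", Subject: "vpc-0abc", Collected: t(10), Props: map[string]string{"kind": "vpc", "flow-logs": "enabled"}},
	}
}

func main() {
	findings := Evaluate(SampleStream(), SamplePolicies())
	out, _ := Report(findings)
	fmt.Println(string(out))
	fmt.Printf("%d control/subject pairs not satisfied\n", len(NotSatisfied(findings)))
}
```

The point of the fold in Evaluate is the contrast Miell draws: a six-monthly audit that sampled the VPC at 09:00 would record it as compliant, whereas the stream shows the 11:00 drift immediately, and the late-arriving 10:00 report cannot mask it because only newer evidence supersedes a finding.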
Looking to the project’s roadmap, Miell hopes that CCF will become a standard for centralised control management. Future plans include more integrations with security tools such as Black Duck, Snyk and meld.io, and perhaps a plugin marketplace. Referring back to his conversations with CISOs, Miell closed his talk by stating a main goal for CCF: helping them sleep at night, knowing that their systems are being continuously monitored and audited for compliance issues. Miell hopes the system becomes the de facto way of “gathering evidence from stream data, and being able to slice and dice depending on who is looking at it”.
CCF is available on GitHub now.