
Consider using OSCAL or OpenCRE to advertise control/requirements mapping #114

Status: Open
SecurityCRob opened this issue Dec 17, 2024 · 7 comments
Labels: enhancement (New feature or request), question (Further information is requested)

Comments

@SecurityCRob (Contributor) commented Dec 17, 2024

There are a few groups seeking to express security requirements/controls/criteria in a machine-readable format. At some point we should talk about possibly using:
OSCAL

SecurityCRob added the enhancement and question labels on Dec 17, 2024

@xee5ch commented Dec 18, 2024

Hello, founding member of the OSCAL Club, a.k.a Self-Appointed Treehouse Manager. 👋 I am happy to advise or pitch in on the OSCAL front. Let me know how I can be of service.

@JonZeolla

Also happy to contribute here - I'm focused on automating compliance/assurance and have been working on similar things in the CNCF for the past few years

@eddie-knight (Contributor)

What would be a good next step to producing the OSCAL catalog? Is there any way we could automate the conversion from baseline.yaml?

@xee5ch commented Dec 21, 2024

Do you want the YAML to be canonical? Ironically, OSCAL supports a data format for encoding. So you could have both or even just one.

I think what's important to hammer out first is how a catalog gets used (in the OSCAL sense): will people use controls and write against them in a description of "a system" in a system security plan (what that is can be many things; I'll leave that alone for now)? To assess project teams and code to report how they did? Both? I only ask because, reviewing the controls and repo, it isn't 100% clear yet.

@SecurityCRob (Contributor, Author)

The group discussed today and agreed to explore OSCAL and OpenCRE after we finish merging this recent batch of PRs to firm up missing criteria.

@brandtkeller

Also interested in getting involved here. Given the current golang utilization I can assist in proposing what some of this work with OSCAL could look like from a functional perspective.
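As an added example, not code from this issue or from the project, the following Go program sketches what eddie-knight's "automate the conversion from baseline.yaml" question and brandtkeller's "given the current golang utilization" remark point at: mapping decoded baseline entries onto the OSCAL 1.x catalog JSON model. The YAML decode step is omitted (any YAML library would do), and the `Criterion` field names, the `EX-*` identifiers, the criterion text and the catalog title/version are all constructed assumptions, not the project's schema or content. Two things a practitioner would want are shown: a deterministic name-based UUID (RFC 4122 version 5 over SHA-1) so regenerating the catalog does not churn the `uuid` on every run, and a check that rejects blank or duplicate control ids before an invalid catalog is written.

```go
package main

import (
	"crypto/sha1"
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Criterion is the ASSUMED shape of one baseline.yaml entry after YAML
// decoding. Field names are an illustration, not the project's schema.
type Criterion struct {
	ID            string
	MaturityLevel int
	Category      string
	Text          string
	Rationale     string
}

// The subset of the OSCAL 1.x catalog JSON model produced below.
type Prop struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}
type Part struct {
	ID    string `json:"id"`
	Name  string `json:"name"`
	Prose string `json:"prose"`
}
type Control struct {
	ID    string `json:"id"`
	Title string `json:"title"`
	Props []Prop `json:"props,omitempty"`
	Parts []Part `json:"parts,omitempty"`
}
type Group struct {
	ID       string    `json:"id"`
	Title    string    `json:"title"`
	Controls []Control `json:"controls"`
}
type Metadata struct {
	Title        string `json:"title"`
	LastModified string `json:"last-modified"`
	Version      string `json:"version"`
	OSCALVersion string `json:"oscal-version"`
}
type Catalog struct {
	UUID     string   `json:"uuid"`
	Metadata Metadata `json:"metadata"`
	Groups   []Group  `json:"groups"`
}

// nsDNS is the RFC 4122 DNS namespace UUID used as the v5 namespace.
var nsDNS = [16]byte{0x6b, 0xa7, 0xb8, 0x10, 0x9d, 0xad, 0x11, 0xd1, 0x80, 0xb4, 0x00, 0xc0, 0x4f, 0xd4, 0x30, 0xc8}

// uuidV5 derives a name-based UUID (SHA-1, version 5): the same title and
// version always yield the same catalog uuid, so regenerated output diffs cleanly.
func uuidV5(ns [16]byte, name string) string {
	h := sha1.New()
	h.Write(ns[:])
	h.Write([]byte(name))
	var u [16]byte
	copy(u[:], h.Sum(nil)[:16])
	u[6] = (u[6] & 0x0f) | 0x50 // version 5
	u[8] = (u[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", u[0:4], u[4:6], u[6:8], u[8:10], u[10:16])
}

// token lowercases free text into an OSCAL token: letter first, then [a-z0-9_.-].
func token(s string) string {
	var b strings.Builder
	for _, r := range strings.ToLower(s) {
		if (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9') || r == '-' || r == '_' || r == '.' {
			b.WriteRune(r)
		} else {
			b.WriteRune('-')
		}
	}
	t := strings.Trim(b.String(), "-")
	if t == "" || t[0] < 'a' || t[0] > 'z' {
		t = "x-" + t
	}
	return t
}

// ToCatalog groups criteria by category and emits one OSCAL control per
// criterion. Blank or duplicate ids are rejected instead of silently emitted.
func ToCatalog(title, version, lastModified string, crits []Criterion) (*Catalog, error) {
	byCat := map[string][]Control{}
	seen := map[string]bool{}
	for _, c := range crits {
		if c.ID == "" || c.Text == "" {
			return nil, fmt.Errorf("criterion %q: id and criterion text are required", c.ID)
		}
		id := token(c.ID)
		if seen[id] {
			return nil, fmt.Errorf("duplicate control id %q", id)
		}
		seen[id] = true
		ctl := Control{
			ID:    id,
			Title: c.Text,
			Props: []Prop{{Name: "maturity-level", Value: fmt.Sprint(c.MaturityLevel)}},
			Parts: []Part{{ID: id + "_smt", Name: "statement", Prose: c.Text}},
		}
		if c.Rationale != "" {
			ctl.Parts = append(ctl.Parts, Part{ID: id + "_gdn", Name: "guidance", Prose: c.Rationale})
		}
		byCat[c.Category] = append(byCat[c.Category], ctl)
	}
	cats := make([]string, 0, len(byCat))
	for k := range byCat {
		cats = append(cats, k)
	}
	sort.Strings(cats) // map order is random; sort for reproducible output
	cat := &Catalog{
		UUID:     uuidV5(nsDNS, title+"@"+version),
		Metadata: Metadata{Title: title, LastModified: lastModified, Version: version, OSCALVersion: "1.1.2"},
	}
	for _, k := range cats {
		cat.Groups = append(cat.Groups, Group{ID: token(k), Title: k, Controls: byCat[k]})
	}
	return cat, nil
}

// sample is CONSTRUCTED input standing in for decoded baseline.yaml entries.
var sample = []Criterion{
	{ID: "EX-AC-01", MaturityLevel: 1, Category: "Access Control", Text: "Collaborators MUST use multi-factor authentication to change repository settings.", Rationale: "Limits the impact of a single stolen credential."},
	{ID: "EX-AC-02", MaturityLevel: 2, Category: "Access Control", Text: "Repository permissions MUST be reviewed at least annually."},
	{ID: "EX-BR-01", MaturityLevel: 1, Category: "Build and Release", Text: "Releases MUST be built from a tagged commit in version control."},
}

func main() {
	cat, err := ToCatalog("Example Baseline", "2025.01", "2025-01-08T00:00:00Z", sample)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(map[string]*Catalog{"catalog": cat}, "", "  ")
	fmt.Println(string(out)) // OSCAL JSON root object is {"catalog": {...}}
}
```

The output is the JSON form of an OSCAL catalog; the same model round-trips to OSCAL XML or YAML with the usual tooling, which is the "both or even just one" point xee5ch raises above. Whether `statement`/`guidance` parts and a `maturity-level` prop are the right mapping depends on how the catalog is meant to be consumed (SSP authoring versus assessment), so treat the part names here as a starting proposal rather than a settled profile.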

@eddie-knight (Contributor) commented Jan 8, 2025

Thanks @brandtkeller! I'd be happy to review or help with that proposal.
