-
Notifications
You must be signed in to change notification settings - Fork 531
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OSCAL Norms for Multi-Project Collaboration #1277
Comments
So would this ask all CNCF projects to produce OSCAL components + an SSP (+ maybe CIS/CRM?) |
No, at least that has not been in my mind. |
Hey @brian-comply0, would love if you could join us on this project! |
Discussion captured at todays STAG Meeting: Broad Objective - “This is how we should be able to exchange information in OSCAL” Q: “How can we address the ambiguity within the scope of the deliverables?” “The OSCAL norms seeks to provide clarity through opinionated standard use of OSCAL“ Q: What is the alternative? What Problem can we point to for the specific pain points? Q: How do we get there? Q: What is the intended deliverable medium? (WP, diagram, artifact?) Q: What level of sponsorship is the project requesting? STAG Sponsorship - Eddie Knight Project Lead (Jay Flowers) accepts the initial step in the process for group formalization . Feel free to comment if I missed anything or we want to clarify any points. |
I concur with the general approach being taken with metadata. If I can be
of assistance with this facet of the issue, let me know.
*-Chair, IEEE P2957 Big Data Interoperability and Metadata Management*
…On Thu, Jun 13, 2024 at 11:01 AM Jay Flowers ***@***.***> wrote:
Problem: Today, open source projects do not have a consistent mechanism to
publish compliance and regulatory details about what the project does in a
machine readable format and to enable assessment activities to occur in an
automated manner. Adopters do not have a way to understand what
capabilities and controls projects have in place and what their
responsibilities as consumers are as defined by the leveraged project.
Adopters today have to manually review a given software project,
understand based on existing documentation if it can meet a compliance or
regulatory requirement, and then determine if it does it already or if it's
configurable by the adopter. They have to do this with every release. If 1
project decides to express this in one manner, another may choose a very
different one and the adopter now has two ways in which they can’t reason
about the compliance properties of both projects. We need a specification
and guidance to allow projects to consistently and uniformly express their
compliance capabilities and posture for adopters to act on.
Other areas:
- Project to project dependencies for compliance requirements
- Consumption of compliance metadata/information
- Standardization on language for expression (OSCAL recommended)
- Has the needed evidence and the reporting for what auditors need
alongside evidence
- Tie in with policy engines in a consistent way to avoid vendor
lock-in
Impact:
Depending on the shape and nature of this project, the desired experience
by adopters of cloud native projects is that when they deploy a given
project the project contains sufficient metadata that in combination with a
policy engine allows for decisions on whether a piece of software is
permitted to be deployed in the target environment.
Such metadata shows how the project can achieve compliance (with
configurations) and how it HAS achieved compliance (based on its design and
operation in a given deployment environment). The evidence can also be
turned over to auditors in an automated fashion to enable reasoning about
system properties and conformance with regulatory requirements on a
continual and ongoing basis driven by deployment frequency thereby reducing
the manual audit (internal and external) activities performed by covering
the technical control elements (roughly 30% of a given framework like NIST))
A lot of organizations just use hundreds of spreadsheets with 1 compliance
engineer to automate. Spot checking is not good enough here.
Scope: How much effort will this take? ok to provide a range of options if
or
"not yet determined" for initial proposals. Feel free to include proposed
tasks
below or link a Google doc
Intent to lead:
-
*I volunteer to be a project lead on this proposal if the community is
interested in pursing this work.* This statement of intent does not
preclude
others from co-leading or becoming lead in my stead.
Proposal to Project:
- Added to the planned meeting template for *mm dd*
- Raised in a Security TAG meeting to determine interest - *mm dd*
- Collaborators comment on issue for determine interest and nominate
project
lead
- Scope determined via meeting *mm dd* and/or shared document *add
link*
with call for participation in #tag-security slack channel thread *add
link*
and mailing list email *add link*
- Scope presented to Security TAG leadership and Sponsor is assigned
TO DO
- Security TAG Leadership Representative:
- Project leader(s):
- Issue is assigned to project leaders and Security TAG Leadership
Representative
- Project Members:
-
*Fill in addition TODO items here so the project team and community can
see progress!*
- Scope
- Deliverable(s)
- Project Schedule
- Slack Channel (as needed)
- Meeting Time & Day:
- Meeting Notes (link)
- Meeting Details (zoom or hangouts link)
- Retrospective
GDoc Draft
<https://docs.google.com/document/d/1uZ1qSVAGoRL117JDdTO4KSQWwNsHUnjxwTfg1N7HaW4/edit>
—
Reply to this email directly, view it on GitHub
<#1277>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABG5HAL3UIPRARR7TJWOW4DZHGX4LAVCNFSM6AAAAABJIS6BYGVHI2DSMVQWIX3LMV43ASLTON2WKOZSGM2TCMZYGI4DOMA>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
--
Mark Underwood
Linkedin <https://linkedin.com/in/knowlengr>
|
@jflowers will be opening a PR with a project charter, and I will submit a request for a community calendar entry so that calls are hosted and recorded via LFX. Per today's project call, the next project meeting will be focused on ways of working with a focus on research / experimentation. |
Problem
Today, open source projects do not have a consistent mechanism to publish compliance and regulatory details about what the project does in a machine readable format and to enable assessment activities to occur in an automated manner. Adopters do not have a way to understand what capabilities and controls projects have in place and what their responsibilities as consumers are as defined by the leveraged project.
Adopters today have to manually review a given software project, understand based on existing documentation if it can meet a compliance or regulatory requirement, and then determine if it does it already or if it's configurable by the adopter. They have to do this with every release. If 1 project decides to express this in one manner, another may choose a very different one and the adopter now has two ways in which they can’t reason about the compliance properties of both projects. We need a specification and guidance to allow projects to consistently and uniformly express their compliance capabilities and posture for adopters to act on.
Other areas
Impact
Depending on the shape and nature of this project, the desired experience by adopters of cloud native projects is that when they deploy a given project the project contains sufficient metadata that in combination with a policy engine allows for decisions on whether a piece of software is permitted to be deployed in the target environment.
Such metadata shows how the project can achieve compliance (with configurations) and how it HAS achieved compliance (based on its design and operation in a given deployment environment). The evidence can also be turned over to auditors in an automated fashion to enable reasoning about system properties and conformance with regulatory requirements on a continual and ongoing basis driven by deployment frequency thereby reducing the manual audit (internal and external) activities performed by covering the technical control elements (roughly 30% of a given framework like NIST))
A lot of organizations just use hundreds of spreadsheets with 1 compliance engineer to automate. Spot checking is not good enough here.
Deliverables
The project will deliver the following artifacts:
Scope
The project encompasses the following activities:
By delivering these artifacts, the project aims to establish a robust foundation for standardized communication and automation of compliance and regulatory processes within the cloud-native ecosystem, with explicit support for the flexible and granular exchange of compliance information through OSCAL fragments.
Intent to lead:
interested in pursing this work. This statement of intent does not preclude
others from co-leading or becoming lead in my stead.
Proposal to Project:
lead: @jflowers
and mailing list email
TO DO
Representative: @eddie-knight
see progress!
Google Meet joining info
Video call link: https://meet.google.com/dxu-aatw-tgs
Or dial: (US) +1 574-797-9102 PIN: 246 353 156#
More phone numbers: https://tel.meet/dxu-aatw-tgs?pin=2749962402682
Or join via SIP: sip:[email protected]
If you prefer to access the existing Miro diagram anonymously use this link.
GDoc Draft
The text was updated successfully, but these errors were encountered: