GovOps: MVP OSCAL Compass key resources
Michael Schwartz edited this page Dec 3, 2025 · 5 revisions
- https://pages.nist.gov/OSCAL/about/
- https://pages.nist.gov/OSCAL/learn/concepts/terminology/
- https://pages.nist.gov/OSCAL/learn/concepts/layer/
- https://pages.nist.gov/OSCAL/learn/tutorials/
- [Awesome!] Introduction to OSCAL and Compass: https://www.youtube.com/watch?v=wC9QEUoCcuol
- KubeCon '25: OSCAL in Action
- Trestle: Compliance-as-Code Orchestrator and Automation Workflows: https://csrc.nist.gov/csrc/media/Presentations/2022/oscal-mini-workshop-2-ibm-s-trestle/IBM_Trestle.pdf
- Compass end-to-end demo (silent): https://www.youtube.com/watch?v=zCPwhTKDs6Q
With compliance-trestle and compliance-trestle-agile-authoring, the following OSCAL MVP requirements can be covered:
- REQ-COMP-001: Component Definition Builder
- REQ-COMP-002: Agile Authoring Integration
- REQ-COMP-003: Profile and Catalog Management
- REQ-COMP-005: GitHub Integration for OSCAL Artifacts
compliance-to-policy (C2P) can aggregate the results from PVPs (Policy Validation Points) and produce compliance assessment results. Note that C2P is not used in this case to generate policies; these originate from the Agama Lab Cedar Policy Store authoring tool. However, automatic policy generation (Cedar) might still fit into the MVP.
compliance-to-policy can help cover:
- REQ-COMP-004: Evidence Export
- Feature 4 (Continuous Compliance)/User Story 5 from global MVP