Closed vikas-agarwal76 closed 2 months ago
@amye Please provide any updates based on the review that happened on 23 Jan. What are the next steps for us?
This project was not reviewed. It may be reviewed in the April 9th session, but it's not guaranteed.
@amye Hi, HNY :) I guess in the interest of our collaborators and users we should start the Office Hours - we reached 7k downloads per month and are interested in linking to the community asap, rather than waiting for months. What do you suggest?
@amye Is there any way/condition to accelerate the process? Also, was there any specific reason it was not reviewed (I assumed workload, but just to validate)? Thank you!
This project was not reviewed. It may be reviewed in the April 9th session, but it's not guaranteed.
This is the next scheduled review session.
@amye Thank you for your reply, I understand we moved to April. Can you pls help with the clarification question: did you guys run out of time OR was it anything about our submission? Thanks so much for shedding some light here!
For instance, the org has 3 projects that work together; do we submit a joint sandbox request (as the one submitted above) OR should we submit a request for each project? Thanks!
It wasn't discussed, the TOC has not yet provided input on this.
@amye Hi! What was the outcome for this project in the last CNCF Sandbox review? Thanks!
This project was not reviewed. Projects in the 'upcoming' queue are reviewed by the TOC in a meeting.
TAG-CS review, this project has:
@jberkus Thanks for your review. We have added the governance structure at the oscal-compass organization level. It is available here - https://github.com/oscal-compass/community/blob/main/GOVERNANCE.md
@vikas-agarwal76 what's the relationship between oscal-compass and the rest of the project?
@jberkus oscal-compass is the GitHub organization which has compliance-trestle as the main (or anchor) project and a few other projects, such as agile-authoring and compliance-to-policy, which work together with the compliance-trestle project. The link to each project is included in the submission.
Follow-up from today's sandbox review, TrestleGRC will be moved to a vote 👍 /vote
@mrbobbytables has called for a vote on [Sandbox] TrestleGRC (#78).

The members of the following teams have binding votes:

| Team |
|---|
| @cncf/cncf-toc |
Non-binding votes are also appreciated as a sign of support!
You can cast your vote by reacting to this comment. The following reactions are supported:

| In favor | Against | Abstain |
|---|---|---|
| 👍 | 👎 | 👀 |

Please note that voting for multiple options is not allowed and those votes won't be counted.

The vote will be open for 2 months 30 days 2h 52m 48s. It will pass if at least 66% of the users with binding votes vote In favor 👍. Once it's closed, results will be published here as a new comment.
I will be abstaining due to a conflict of interest.
@jberkus IIUC from yesterday's meeting, I wanted to clarify that this project does not develop compliance standards.
From our community README: The OSCAL Compass project is a set of tools that enable the creation, validation, and governance of documentation artifacts for compliance needs. It leverages NIST's OSCAL (Open Security Controls Assessment Language) as a standard data format for interchange between tools and people, and provides an opinionated approach to OSCAL adoption.
Does this clear up the confusion?
/check-vote
So far 0.00% of the users with binding vote are in favor (passing threshold: 66%).

| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 0 | 0 | 0 | 11 |

| User | Vote | Timestamp |
|---|---|---|
| @dims | Pending | |
| @rochaporto | Pending | |
| @angellk | Pending | |
| @mauilion | Pending | |
| @linsun | Pending | |
| @dzolotusky | Pending | |
| @kevin-wangzefeng | Pending | |
| @cathyhongzhang | Pending | |
| @nikhita | Pending | |
| @TheFoxAtWork | Pending | |
| @kgamanji | Pending | |
/check-vote
Votes can only be checked once a day.
/check-vote
So far 54.55% of the users with binding vote are in favor (passing threshold: 66%).

| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 6 | 0 | 1 | 4 |

| User | Vote | Timestamp |
|---|---|---|
| kgamanji | In favor | 2024-06-18 6:39:03.0 +00:00:00 |
| rochaporto | In favor | 2024-06-18 7:59:23.0 +00:00:00 |
| dzolotusky | In favor | 2024-06-18 5:13:18.0 +00:00:00 |
| linsun | In favor | 2024-06-18 14:27:18.0 +00:00:00 |
| TheFoxAtWork | Abstain | 2024-06-18 17:35:53.0 +00:00:00 |
| nikhita | In favor | 2024-06-18 4:33:26.0 +00:00:00 |
| dims | In favor | 2024-06-18 13:55:18.0 +00:00:00 |
| @angellk | Pending | |
| @mauilion | Pending | |
| @kevin-wangzefeng | Pending | |
| @cathyhongzhang | Pending | |
/check-vote
So far 63.64% of the users with binding vote are in favor (passing threshold: 66%).

| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 7 | 0 | 1 | 3 |

| User | Vote | Timestamp |
|---|---|---|
| TheFoxAtWork | Abstain | 2024-06-18 17:35:53.0 +00:00:00 |
| dims | In favor | 2024-06-18 13:55:18.0 +00:00:00 |
| dzolotusky | In favor | 2024-06-18 5:13:18.0 +00:00:00 |
| rochaporto | In favor | 2024-06-18 7:59:23.0 +00:00:00 |
| kevin-wangzefeng | In favor | 2024-06-19 3:36:04.0 +00:00:00 |
| linsun | In favor | 2024-06-18 14:27:18.0 +00:00:00 |
| nikhita | In favor | 2024-06-18 4:33:26.0 +00:00:00 |
| kgamanji | In favor | 2024-06-18 6:39:03.0 +00:00:00 |
| @angellk | Pending | |
| @mauilion | Pending | |
| @cathyhongzhang | Pending | |
/check-vote
Votes can only be checked once a day.
The vote passed! 🎉

72.73% of the users with binding vote were in favor (passing threshold: 66%).

| In favor | Against | Abstain | Not voted |
|---|---|---|---|
| 8 | 0 | 1 | 2 |

| User | Vote | Timestamp |
|---|---|---|
| @TheFoxAtWork | Abstain | 2024-06-18 17:35:53.0 +00:00:00 |
| @kevin-wangzefeng | In favor | 2024-06-19 3:36:04.0 +00:00:00 |
| @rochaporto | In favor | 2024-06-18 7:59:23.0 +00:00:00 |
| @cathyhongzhang | In favor | 2024-06-20 22:45:34.0 +00:00:00 |
| @nikhita | In favor | 2024-06-18 4:33:26.0 +00:00:00 |
| @linsun | In favor | 2024-06-18 14:27:18.0 +00:00:00 |
| @kgamanji | In favor | 2024-06-18 6:39:03.0 +00:00:00 |
| @dims | In favor | 2024-06-18 13:55:18.0 +00:00:00 |
| @dzolotusky | In favor | 2024-06-18 5:13:18.0 +00:00:00 |
Hello and congrats on being accepted as a CNCF Sandbox project!
Here is the link to your onboarding task list: https://github.com/cncf/sandbox/issues/136
Feel free to reach out with any questions you might have!
Application contact emails
avikas@in.ibm.com, ancas@us.ibm.com, manjiree.gadgil@ibm.com, jpower@redhat.com
Project Summary
A tooling platform for managing compliance artifacts as code using NIST's OSCAL standard.
Project Description
This project helps automate the creation and management of various compliance artifacts in a machine-processable format based on the NIST OSCAL standard. The OSCAL standard provides a compliance framework and the corresponding set of key compliance artifacts expressed in machine-processable formats, enabling all compliance documents to be treated as code and therefore processed and managed in the same manner.
Trestle is an ensemble of tools that enable the creation, validation, and governance of documentation artifacts for compliance needs. It leverages NIST's OSCAL as a standard data format for interchange between tools and people, and provides an opinionated approach to OSCAL adoption.
Trestle is designed to operate as a CI/CD pipeline running on top of compliance artifacts in git, to provide transparency for the state of compliance across multiple stakeholders in an environment friendly to developers. Trestle passes the generated artifacts onto tools that orchestrate the enforcement, measurement, and reporting of compliance.
Agile Authoring: It is a collaborative platform enabling various compliance personas to orchestrate their individual aspects of the compliance artifacts via an interface of their choice. It is a Trestle-based GitOps automated workflow and ensures artifact consistency and traceability. It provides ready-to-use CI/CD pipeline configuration and setup using a GitOps approach with Trestle for OSCAL document management and collaboration.
Compliance to Policy: Compliance-to-Policy (C2P) bridges Compliance as Code and Policy as Code. C2P takes Compliance requirements and generates technical policies for Policy Validation Points (PVPs), and takes PVP native results and generates Compliance Assessment Results. C2P reduces the cost to implement the interchange between Compliance artifacts and PVP proprietary artifacts. C2P is extensible to various PVPs through plugins.
Org repo URL (provide if all repos under the org are in scope of the application)
https://github.com/oscal-compass
Project repo URL in scope of application
https://github.com/oscal-compass/compliance-trestle
Additional repos in scope of the application
https://github.com/oscal-compass/compliance-trestle-agile-authoring
https://github.com/oscal-compass/compliance-to-policy
https://github.com/oscal-compass/compliance-trestle-fedramp
There are a few additional repos in the organization for sample content and demos which are also in scope.
Website URL
https://oscal-compass.github.io/compliance-trestle/
Roadmap
https://github.com/oscal-compass/compliance-trestle/issues/1480
Roadmap context
No response
Contributing Guide
https://oscal-compass.github.io/compliance-trestle/contributing/mkdocs_contributing/
Code of Conduct (CoC)
https://oscal-compass.github.io/compliance-trestle/mkdocs_code_of_conduct/
Adopters
We have reached 15k downloads per month from our adopters. We have internal collaboration with adopters such as SunStone, RegScale, Chicago Mercantile Exchange, Singapore Government, however only RegScale is in open-space to publicly review the adoption of our technology.
Contributing or Sponsoring Org
https://www.ibm.com/
Maintainers file
https://oscal-compass.github.io/compliance-trestle/maintainers/
IP Policy
Trademark and accounts
Why CNCF?
Cloud Native systems represent a paradigm shift in both technical and human operations workflows. The community (and industry) has invested significant time researching and solutioning approaches to Cloud Native Cyber Security concerns and topics: software vulnerabilities, risk management, software component dependencies and infrastructure as code (aka supply chain), malicious attackers, threat models, and technical security assessments. However, many commercial, non-profit community and government organizations performing services or providing data storage on cloud must abide by national, regional, or local laws and regulations regarding user privacy and data, with assurance of protection of their compute and data processing integrity and resilience. These cross cutting concerns for mission critical environments on cloud native span not only specific technical configuration of software and systems, but also require complex orchestration of human administrative, operational, and design activities, especially when involving audit activities expecting concrete, reviewable independent audit artifacts.
Moreover, the timeline for the renewal of these compliance and audit artifacts has shifted recently on cloud in many industries from annual and quarterly, to continuous compliance, forcing an evolution of the manual compliance processes into the automation and engineering realm with concerns, technologies, and data models specific to modelling compliance and requiring continuous compliance and hence specific compliance automation.
In the universe of cloud-native constraints and concerns for mission critical industries, our projects are addressing the emerging cloud and AI regulatory compliance automation requirements by supporting Compliance, Risk, and Policy from an “as code” engineering perspective vs the traditional now unscalable manual labor perspective.
Benefit to the Landscape
As organizations move their sensitive workloads to public cloud environments, they need to comply with multiple different regulations. Hence, they need to modernize from manual document based compliance management to automated processes for continuous compliance known as compliance-as-code.
Trestle is one of the early implementers of the NIST OSCAL standard in the Compliance area that enables all compliance documents to be treated as code and therefore processed and managed in the same manner. Adding this project to CNCF will greatly increase the reach of CNCF to organizations and people working in the compliance area.
Cloud Native 'Fit'
Cloud Native has in recent years seen adoption in various domains that traditionally used on-prem / dedicated environments - Financial Services, Life Sciences, AI. The shift to continuous compliance is forcing an evolution into the automation and engineering realm with concerns, technologies, and data models specific to modelling compliance - System Security Plan, audit plan artifacts.
Many commercial, non-profit community and government organizations performing services or providing data storage must abide by national, regional, or local laws and regulations regarding user privacy and data, with assurance of protection of their compute and data processing integrity and resilience. These cross cutting concerns span not only specific technical configuration of software and systems, but also require complex orchestration of human administrative, operational, and design activities, especially when involving audit activities expecting concrete, reviewable independent audit artifacts.
Moreover, the timeline for the renewal of these artifacts has shifted recently in many industries from annual and quarterly, to continuous compliance, forcing an evolution of the manual compliance processes into the automation and engineering realm with concerns, technologies, and data models specific to modeling compliance and hence aligned with, but very different from cyber security frameworks.
This project helps automate the creation and management of various compliance artifacts in a machine-processable format based on the NIST OSCAL standard.
Cloud Native 'Integration'
Compliance-to-Policy is designed to bridge Compliance as Code such as Open Security Controls Assessment Language (OSCAL) and Policy as Code used by Policy Validation Point (PVP). It generates policies in native format of PVP from OSCAL Component Definitions and produces OSCAL Assessment Results from the native assessment results of PVP. Compliance-to-Policy can be used both as a command-line tool and a Python library, making it easy and flexible to integrate into your Continuous Compliance pipelines, such as GitHub Actions, Tekton Pipelines, or Agile Authoring Pipelines. It supports multiple PVP engines, including Kyverno, Open Cluster Management, and the open-source Auditree, through dedicated plugins for each. Custom plugins can be implemented with a small amount of Python code.
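The paragraph above describes the two directions of the C2P bridge in prose. The following is an added, deliberately simplified illustration of that flow, not the oscal-compass C2P code: it reads rule ids out of a constructed OSCAL component definition, emits one PVP-native (Kyverno-shaped) policy per rule through a plugin object, and rolls constructed PVP results back up into OSCAL assessment-results findings. The plugin interface, the `Rule_Id` prop convention and the shape of the PVP result records are assumptions made for this example; the `satisfied` / `not-satisfied` finding states and the `objective-id` target type are OSCAL vocabulary.

```python
"""Added, simplified illustration of a Compliance-to-Policy style bridge.
NOT the oscal-compass C2P implementation: the plugin interface, the "Rule_Id"
prop convention and the PVP result record shape are assumptions."""
from collections import defaultdict
from typing import Dict, List

# Constructed sample: a minimal OSCAL component definition, trimmed to the
# fields this example needs (real documents also carry uuids, metadata, ...).
COMPONENT_DEFINITION = {
    "component-definition": {
        "components": [{
            "type": "service",
            "title": "Kubernetes cluster",
            "control-implementations": [{
                "source": "catalog-placeholder.json",  # placeholder, not a real catalog
                "implemented-requirements": [
                    {"control-id": "cm-6",
                     "props": [{"name": "Rule_Id", "value": "require-labels"},
                               {"name": "Rule_Id", "value": "disallow-latest-tag"}]},
                    {"control-id": "ac-6",
                     "props": [{"name": "Rule_Id", "value": "disallow-privileged"}]},
                ],
            }],
        }],
    }
}

# Constructed sample: results as a PVP might report them (shape assumed).
PVP_RESULTS = [
    {"policy": "require-labels", "resource": "deploy/web", "result": "pass"},
    {"policy": "disallow-latest-tag", "resource": "deploy/web", "result": "fail"},
    {"policy": "disallow-privileged", "resource": "deploy/web", "result": "pass"},
]


def extract_rules(compdef: dict) -> Dict[str, List[str]]:
    """Map each control-id to the rule ids its implementation declares via props."""
    rules: Dict[str, List[str]] = defaultdict(list)
    for comp in compdef["component-definition"]["components"]:
        for impl in comp.get("control-implementations", []):
            for req in impl.get("implemented-requirements", []):
                for prop in req.get("props", []):
                    if prop["name"] == "Rule_Id":
                        rules[req["control-id"]].append(prop["value"])
    return dict(rules)


class ToyKyvernoPlugin:
    """Hypothetical PVP plugin: one Kyverno-shaped ClusterPolicy skeleton per
    rule, plus a reader that tells pass from fail in the PVP's result records.
    Supporting another PVP means writing another small class like this one."""

    def generate_policy(self, rule_id: str, control_id: str) -> dict:
        # The annotation ties the policy back to the OSCAL control it implements,
        # which is what makes results traceable in the reverse direction.
        return {
            "apiVersion": "kyverno.io/v1",
            "kind": "ClusterPolicy",
            "metadata": {"name": rule_id,
                         "annotations": {"oscal.control-id": control_id}},
            "spec": {"validationFailureAction": "Audit", "rules": []},
        }

    def rule_passed(self, record: dict) -> bool:
        return record["result"] == "pass"


def generate_policies(compdef: dict, plugin) -> List[dict]:
    """Compliance -> Policy: one PVP-native policy per declared rule."""
    return [plugin.generate_policy(rule, ctl)
            for ctl, rule_ids in extract_rules(compdef).items()
            for rule in rule_ids]


def to_assessment_results(compdef: dict, pvp_results: List[dict], plugin) -> dict:
    """Policy results -> Compliance: a control is 'satisfied' only if every one
    of its rules passed on every resource; missing results fail closed."""
    outcomes: Dict[str, List[bool]] = defaultdict(list)
    for rec in pvp_results:
        outcomes[rec["policy"]].append(plugin.rule_passed(rec))
    findings = []
    for ctl, rule_ids in extract_rules(compdef).items():
        checks = [ok for r in rule_ids for ok in outcomes.get(r, [])]
        state = "satisfied" if checks and all(checks) else "not-satisfied"
        findings.append({"title": f"Finding for {ctl}",
                         "target": {"type": "objective-id", "target-id": ctl,
                                    "status": {"state": state}}})
    return {"assessment-results": {"results": [{"findings": findings}]}}


def finding_state(assessment_results: dict, control_id: str) -> str:
    """Look up the rolled-up state recorded for one control."""
    for f in assessment_results["assessment-results"]["results"][0]["findings"]:
        if f["target"]["target-id"] == control_id:
            return f["target"]["status"]["state"]
    raise KeyError(control_id)


if __name__ == "__main__":
    plugin = ToyKyvernoPlugin()
    for policy in generate_policies(COMPONENT_DEFINITION, plugin):
        print(policy["kind"], policy["metadata"]["name"], policy["metadata"]["annotations"])
    ar = to_assessment_results(COMPONENT_DEFINITION, PVP_RESULTS, plugin)
    for ctl in ("cm-6", "ac-6"):
        print(ctl, finding_state(ar, ctl))
```

The roll-up deliberately fails closed: a control whose rules produced no PVP result at all is reported `not-satisfied` rather than silently passing, which is the behaviour an auditor reviewing generated assessment results would expect.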
Supported Integrations w/ CNCF projects: Kyverno, Open Cluster Management Policy, OPA (roadmap)
Kyverno is a policy engine designed for Kubernetes, where policies are managed as Kubernetes resources. Kyverno policies can validate, mutate, generate, and clean up Kubernetes resources.
Open Cluster Management is a multi-cluster management platform that provides governance of Kubernetes policies. Its policy framework allows for the validation and enforcement of policies across multiple clusters.
OPA is policy-based control for cloud native environments.
Supported Integrations w/ open source technology for cloud native: Auditree, Ansible (roadmap)
Auditree is a GitOps-based workflow automation that enables the collection and verification of evidence, building a long-term store of evidence in a git "evidence locker." Evidence is gathered by code scripts called "fetchers" and verified by "checks."
Ansible is a versatile automation tool used for managing and configuring various IT systems and services. Ansible's latest automated Policy as Code capability will help you automate compliance and policy enforcement.
Supported Integrations w/ multi-cluster/multi-cloud compliance
Cloud Native Overlap
No response
Similar projects
N/A
Landscape
We are starting under the Security TAG (Pushkar Joglekar, Andrew Martin, Francesco Beltramini) while we work to find the right working group / TAG for compliance related projects.
Business Product or Service to Project separation
N/A
Project presentations
Compliance TAG review at Security TAG - Wednesday, October 25, 2023 from 1:00 PM to 2:00 PM. MORE DETAILS: https://docs.google.com/document/d/170y5biX9k95hYRwprITprG6Mc9xD5glVn-4mB2Jmi2g/
Pushkar Joglekar, Andrew Martin (andy@control-plane.io), Francesco Beltramini, Emily Fox
Project champions
Robert Ficcaglia (rficcaglia@sunstonesecure.com), Anca Sailer (ancas@us.ibm.com)
Additional information
No response