Compliance Working Group in TAG Security

[ancatri]

Description: Compliance TAG and CNCF projects

Impact: The Open Source projects Trestle, Agile Authoring, and Compliance2Policy help automate the creation and management of various compliance artifacts in a machine processable format based on NIST OSCAL open standard. This work is aligned with the CNCF strategy and within that the goal toward continuous compliance and compliance as code.

Scope: Planning to collaborate with Security TAG controls, Finos controls, the new AI regulations etc and help with content for compliant technology

Intent to lead:

• [x] I volunteer to be a project lead on this proposal if the community is interested in pursing this work. This statement of intent does not preclude others from co-leading or becoming lead in my stead.

Proposal to Project:

• [x] Added to the planned meeting template for mm dd
• [x] Raised in a Security TAG meeting to determine interest - mm dd
• [x] Collaborators comment on issue for determine interest and nominate project lead (Anca and Robert)
• [x] Scope determined via meeting mm dd and/or shared document add link with call for participation in #compliance-grc slack channel thread add link and mailing list email add link
• [x] Scope presented to Security TAG leadership and Sponsor is assigned

TO DO

• [x] Security TAG Leadership Representative: @ashutosh-narkar
• [x] Project leader(s): @ancatri
• [x] Issue is assigned to project leaders and Security TAG Leadership Representative
• [x] Project Members:
• [x] Fill in addition TODO items here so the project team and community can see progress!
• [x] Scope : Charter discussed in the TAG Security review in December is now public in the WG Meeting Notes
• [x] Deliverable(s) : starting to formulate them, recorded in the Meeting Notes for March 26
• [x] Project Schedule : starting to formulate
• [x] Slack Channel (as needed) : #compliance-grc
• [x] Meeting Time & Day: alternating Tuesdays, 10am ET (after public doodle recorded in the Meeting Notes for March 26)
• [x] Meeting Notes (link): WG Meeting Notes
• [x] Meeting Details (zoom or hangouts link):
• [ ] Retrospective

[ancatri]

Org is ready: https://github.com/orgs/oscal-compass/repositories

@vikas-agarwal76 Please share the CNCF sandbox request issues content here for @PushkarJ to review. Thanks

[PushkarJ]

@ancatri thank you. Can you add dates and links for following items in description

[ x] Added to the planned meeting template for mm dd [ x] Raised in a Security TAG meeting to determine interest - mm dd [ x] Collaborators comment on issue for determine interest and nominate project lead (Anca and Robert) [ x] Scope determined via meeting mm dd and/or shared document add link with call for participation in #compliance-grc slack channel thread add link and mailing list email add link

Also @ashutosh-narkar our wonderful Tech Lead will be your point of contact going forward on this! @mnm678 has already assigned the issue to him so he will get notified on any issue updates.

@ashutosh-narkar thank you for helping Anca and rest of the team to take this forward. Please reach out to the chairs in case you need our help at any time.

[ashutosh-narkar]

Happy to help! Please let us know if you need any help or have any questions @ancatri.

[vikas-agarwal76]

@PushkarJ @ancatri Here is the CNCF sandbox issue request content

Title

TrestleGRC

Application contact emails

avikas@in.ibm.com, ancas@in.ibm.com, manjiree.gadgil@ibm.com, jpower@redhat.com

Project Summary

A tooling platform for managing compliance artifacts as code using NIST's OSCAL standard.

Project Description

Trestle is an ensemble of tools that enable the creation, validation, and governance of documentation artifacts for compliance needs. It leverages NIST's OSCAL as a standard data format for interchange between tools and people, and provides an opinionated approach to OSCAL adoption.

Trestle based Agile Authoring is designed to operate as a CICD pipeline running on top of compliance artifacts in git, to provide transparency for the state of compliance across multiple stakeholders in an environment friendly to developers. Trestle passes the generated artifacts on to tools that orchestrate the enforcement, measurement, and reporting of compliance.

Org repo URL

https://github.com/oscal-compass

Project repo URL in scope of application

https://github.com/oscal-compass/compliance-trestle

Additional repos in scope of the application

https://github.com/oscal-compass/compliance-trestle-agile-authoring

https://github.com/oscal-compass/compliance-to-policy

Website URL

https://oscal-compass.github.io/compliance-trestle/

Roadmap

https://github.com/oscal-compass/compliance-trestle/issues/1480

Roadmap context (optional)

Contributing Guide

https://oscal-compass.github.io/compliance-trestle/contributing/mkdocs_contributing/

Code of Conduct (CoC)

https://oscal-compass.github.io/compliance-trestle/mkdocs_code_of_conduct/

Adopters (optional)

Provide the URL of the project's Adopters file. If no file exists, move on to the next question.

Contributing or Sponsoring Org (optional)

Provide the URL of the project's contributing or sponsoring company/organization. If no such company/organization exists move on to the next question.

https://www.ibm.com/

Maintainers file

https://oscal-compass.github.io/compliance-trestle/maintainers/

Why CNCF?

Why do you want to contribute the project to the CNCF? What value does being part of the CNCF provide the project? Provide detail on why you chose the CNCF that allows the TOC to consider alignment of expectations between the project and the ecosystem.

Moving the project to CNCF will help increase its adoption in the open-source community. It will also bring more people to contribute to this open-source project. A new Compliance TAG os being created in CNCF and trestle will be the anchor project for this TAG.

Benefit to the Landscape

How will adding this project benefit the CNCF landscape? What is the differentiator or enhancement this project provides to existing project, capabilities, or challenges within the landscape?

Trestle is one of the early implemnentor of the NIST OSCAL standard in the Compliance area. Adding this project to CNCF will greatly increase the reach of CNCF to organizations and people working in the compliance area. Also as we are establishing a new CNCF Compliance TAG, this will one of the first proects in that TAG and will help attract more projects in compliance area to move to CNCF sandbox.

Cloud Native 'Fit' (optional)

Please explain where you see the project "fitting" in the Cloud Native landscape. This should detail how the project is cloud native, which elements of cloud native the project embodies or exemplifies.

Cloud Native has seen in the recent years adoption for various domains that traditionally used on-prem / dedicated environments - Financial Services, Life Sciences, AI. Shift to continuous compliance, forcing an evolution into the automation and engineering realm with concerns, technologies, and data models specific to modeling compliance - System Security Plan, Audit plan, Kitemarks.

Many commercial, non-profit community and government organizations performing services or providing data storage must abide by national, regional, or local laws and regulations regarding user privacy and data, with assurance of protection of their compute and data processing integrity and resilience. These cross cutting concerns span not only specific technical configuration of software and systems, but also require complex orchestration of human administrative, operational, and design activities, especially when involving audit activities expecting concrete, reviewable independent audit artifacts.

Moreover, the timeline for the renewal of these artifacts has shifted recently in many industries from annual and quarterly, to continuous compliance, forcing an evolution of the manual compliance processes into the automation and engineering realm with concerns, technologies, and data models specific to modeling compliance and hence aligned with, but very different from cyber security frameworks.

This project helps automate the creation and management of various compliance artifacts in a machine processable format based on NIST OSCAL standard,

Cloud Native 'Integration' (optional)

What CNCF projects does this project complement or depend on, and how?

Cloud Native Overlap (optional)

What CNCF projects does this project overlap with, and how?

Similar projects

Please list similar projects in the CNCF or elsewhere. If none exist, provide "N/A".

N/A

Landscape

Are you already listed on the CNCF Landscape?

We are starting under the Security TAG (Pushkar Joglekar, Andrew Martin, Francesco Beltramini) while we work our dedicated CNCF Compliance TAG as a separate landscape (Emily Fox).

Business Product or Service to Project separation

If this project is identical (name, features, etc.) or closely related to one or more products or services of the sponsoring company/organization(s), how do you plan to separate this project from any products in terms of organization and development? If it is not related to a product or service, just provide "N/A".

N/A

Project presentations

Has your project been presented to any TAG? If so, please link meeting notes and/or recordings as applicable.

Compliance TAG review at Security TAGWednesday, October 25, 2023 from 1:00 PM to 2:00 PM

MORE DETAILS: https://docs.google.com/document/d/170y5biX9k95hYRwprITprG6Mc9xD5glVn-4mB2Jmi2g/Pushkar Joglekar, Andrew Martin andy@control-plane.io, Francesco Beltramini), Emily Fox

Project champions

Please list any people who are part of CNCF leadership (TOC, TAGS, etc.) who can endorse or answer questions about your project.

Robert Ficcaglia rficcaglia@sunstonesecure.com

Anca Sailer ancas@us.ibm.com

Additional information (optional)

Any additional information you would like the TOC to consider when evaluating this project?

[ancatri]

@ashutosh-narkar @mnm678 @PushkarJ @vikas-agarwal76 Hey! Happy New Year and all the best near your dear ones! @ashutosh-narkar When you get a chance pls review the content above that we plan to submit for code endorsement as sandbox. Thanks!

[TheFoxAtWork]

👋🏻 I think we're crossing a few concepts here which i would like to clarify:

• trestleGRC is an open source project that would like to join the CNCF as a Sandbox project. This application must occur on the sandbox repo by filing an issue on that repo (the link will spawn an application issue to be filled out by the project)
• There is interest by several individuals in creating a Compliance Technical Advisory Group. In order to ensure the viability, sustainability, and relevance of a TAG, the TOC now requires proposals for TAGs to first begin within an existing TAG as a working group.

Technical Advisory Groups are groups of individuals that provide technical guidance and advise on specific topics or projects within the CNCF. They assist in guiding and shaping the technical direction of the CNCF. Interested individuals may file an issue on the TAG's repo to initiate a working group, begin the discussion with the TAG members, solicit interest, and begin drafting a proposed charter if their is interest. It is recommended those individuals socialize the proposed working beyond just the TAG it will be homed under, gather support from the TAG leadership in the creation of the charter, and work to refine the working group's objectives and deliverables. Once the charter is in a final state, the TOC Liaisons for the TAG may review and provide their approval of the working group. Once approved, the working group is responsible for reporting their progress and efforts to the TAG in accordance with the TAG governance, who in turn informs the TOC of the entirety of work the TAG and its working groups are engaged in.

When a working group reaches sufficient momentum, interest, and growth that aligns with cloud native goals and objectives, has alignment with several cloud native projects, and shows continued execution in alignment with their charter, the TAG and Working Group Leadership may engage the Liaisons to determine if the Working Group is eligible to be reconsidered as a TAG. This process may take a few years as these specific domains evolve and mature in similar fashion to cloud native projects evolution and maturity. The TOC may then vote to instantiate a new TAG.

Couple of things to consider:

• While TAGs may have "projects" they do not exist as cloud native projects and are homed under the TAG repo for their projects. Projects within here are for demonstration purposes or to support the TAGs in accomplishing their work. If a TAG begins a project that develops into a cloud native project, that project is anticipated to apply to sandbox when ready.
• TAGs have a long commitment. They require co-chairs, technical leads, and contributors. They advance their domain, they provide guidance to adopters attempting to solve domain specific challenges using cloud native projects, and they support project alignment within the technical domain or may provide domain expertise to projects when requested (i.e. providing a joint-assessment of a project's security, or supporting projects in achieving environmental sustainability goals and objectives).
• Not all Working Groups need to be a TAG. for sub-domains within a particular topic, the overall TAG may which to maintain a Working Group to address those sub-domain related areas as they occur in the ecosystem.

Recommendation: Change this issue to focus specifically on establishing a working group within TAG Security for Compliance. Solicit interested individuals in drafting a charter for this group with concurrence from the TAG Security Leadership team. Seek TOC Liaison approval when complete.

[ancatri]

@rficcaglia FYI ^

[ashutosh-narkar]

@ancatri as discussed on the last STAG call below is the feedback on the Trestle Sandbox application. Overall the application lgtm. Few things to consider:

• Project Description: It would be helpful if y'all could first elaborate the problem, then how Trestle solves the problem and any additional details about it.
• Roadmap: I would have expected the Roadmap to be part of the repo and not an open issue.
• Benefits to the Landscape: This section and the previous section mention the CNCF Compliance TAG which is yet to be formed. Maybe elaborating more on the compliance as code angle and how that helps the community would be useful.
• Cloud Native Fit: Great content! You could probably use some of it to broaden out the Project Description section

[ashutosh-narkar]

@ancatri if you have any follow up questions that you would like to discuss further, @PushkarJ and I are happy to get on a call if it helps.

[ashutosh-narkar]

@ancatri it would helpful if you or someone on the team is able to provide a quick summary on the latest in the group on the weekly STAG calls on Wednesday at 10a PST.

[ancatri]

@ashutosh-narkar @PushkarJ @mnm678 @vikas-agarwal76 @rficcaglia To record the summary on the latest in the Compliance WG done on the weekly STAG calls on Wednesday at 10a PST. Scope - Charter discussed in the TAG Security review in December is now public in the WG Meeting Notes Deliverable(s) - starting to formulate them, recorded in the Meeting Notes for March 26 Project Schedule - starting to formulate Slack Channel (as needed) - #compliance-grc Meeting Time & Day: alternating Tuesdays, 10am ET (after public doodle recorded in the Meeting Notes for March 26) Meeting Notes (link): https://docs.google.com/document/d/1z9xvt-Z97j4CtEH1-nR9sMWul7jQkUi_fNY7BdMPgxM/edit Meeting Details (zoom or hangouts link): https://zoom.us/j/92729235315?pwd=ZFIxU3RSanlVODh4a1g2SFdJOGpoZz09

[sunstonesecure-robert]

also of relevance/shared-interest:

https://docs.google.com/document/d/14pV0ooE40yuo0u_CH-OeWS8lZgMBfxo8F38QRIaKUXY/edit#heading=h.f2asjugvkqqx

[anvega]

Merged as a working group in https://github.com/cncf/tag-security/pull/1271. Please use the working group notes document to track activity, as the working group is now active and no longer a proposal.