cncf / tag-security

🔐CNCF Security Technical Advisory Group -- secure access, policy control, privacy, auditing, explainability and more!
https://tag-security.cncf.io

[Proposal] Compliance WG Project: Work with NIST on 800-171 and 800-172 OSCAL #1392

Open ficcaglia opened 5 days ago

ficcaglia commented 5 days ago

Description: what's your idea?

Impact: Describe the customer impact of the problem. Who will this help? How will it help them?

Who: this will help CISOs and AOs and analysts who need to adhere to NIST 800-171/2 for fun and learning (and regulatory or contractual requirements).

How: OSCAL is the emerging standard created by NIST for expressing machine readable control requirements for security, processes, documentation requirements, privacy, assessments, and risks - and much more - currently being adopted by governments, non-profits, and enterprises. As it becomes both more adopted - and in some government procurement processes eventually required - it benefits the open source community to support OSCAL for end users who want to use it for their tech stacks using CNCF projects and tools.

Scope: How much effort will this take? It is ok to provide a range of options, or "not yet determined" for initial proposals. Feel free to include proposed tasks below or link a Google doc.

Not yet determined but NIST is already leading the effort and has scaffolded the deliverables of a first OSCAL catalog for 171. So we can use this as a launching point.

Intent to lead:

Proposal to Project:

@ancatri

ficcaglia commented 5 days ago

Forgot I cannot EDIT content, but meant to link to the related NIST GHI: https://github.com/usnistgov/oscal-content/issues/150

jkjell commented 17 hours ago

This will be discussed at the next Compliance Working Group meeting on November 5th.