finos / common-cloud-controls

FINOS Common Cloud Controls
https://www.finos.org/common-cloud-controls-project

06/06/2024 Common Cloud Controls Meeting Minutes - Communications Working Group #192

Closed robmoffat closed 2 months ago

robmoffat commented 3 months ago

Date

20240606 - 12pm ET / 5pm UK

Untracked attendees

Meeting notices

Agenda

Zoom info

Join Zoom Meeting https://zoom.us/j/93861901920

Meeting ID: 938 6190 1920 Passcode: 284383



Find your local number: https://zoom.us/u/acPjHdY2IO

AdrianHammond commented 3 months ago

Hi 😄 Adrian Hammond / Red Hat

Alexstpierrework commented 3 months ago

Alex St. Pierre - METRO

eziogas-scottlogic commented 3 months ago

Euthyme Ziogas / Scott Logic

sshiells-scottlogic commented 3 months ago

Stevie Shiells / Scott Logic

robmoffat commented 3 months ago

Rob / FINOS

karlmoll commented 3 months ago

Karl Moll / FINOS

eddie-knight commented 3 months ago

👋 :shipit: Eddie Knight / Sonatype

rowan-baker commented 3 months ago

Rowan Baker / ControlPlane

rgriffiths-scottlogic commented 3 months ago

Rob Griffiths / Scott Logic

abdullahsaf commented 3 months ago

Abdullah Safdar / Citi

smendis-scottlogic commented 3 months ago

Sonali Mendis / Scott Logic

damienjburks commented 3 months ago

Damien Burks / Citi 👋🏾

nas-hub commented 3 months ago

Naseer Mohammad / Google

robmoffat commented 3 months ago

Minutes

  1. Alex introduced working group leads:
    • @sshiells-scottlogic Community Structure lead
    • @jared-lambert Duplication Reduction working group
    • @smendis-scottlogic Taxonomy working group
    • @mlysaght2017 Security working group - not present
    • @damienjburks Delivery working group
    • @Alexstpierrework Communications working group (this one!)

All defined here

  1. @eddie-knight presented his slide on the working groups.

    • Discussed the problem of OSCAL outputs and hardening standards and how this led to the new structure: no one had the responsibility to decide.
    • Led to formation of the steering committee.
    • Approval of Steering Committee by FINOS board.
    • Steering committee then approved the working groups.
    • Each working group has a directory in the GitHub project and an associated GitHub team that can review PRs in that directory.
    • e.g. should the Community Structure group have a template for minutes of meetings?
  2. @robmoffat talked about meeting invites coming out

  3. What Groups Will Be Working on:

    • @sshiells-scottlogic - Community Structure: if you don't know how you fit in, come to this. Looking at minutes, raising issues, holiday planning.
    • @smendis-scottlogic - Taxonomy. We hit issues when moving between CSPs. There is value in a common features taxonomy. Will post agenda for the next meeting to the mailing list. Will include a review of the taxonomy so far. How do we provide value to the security working group?
    • @damienjburks - Delivery Working Group. Establishing delivery schedule and content. Keen to add value around consistent, cohesive outputs. Next meeting will discuss what needs to be done to establish a release schedule.
    • @Alexstpierrework - Communications: Next WG in two weeks, will give updates from the other WGs. Establishing relationships with other groups and consistent reporting.
    • @damienjburks - Security working group. Looking at the controls side, creating risk-based assessments, looking at OSCAL and MITRE.
    • @eddie-knight - Duplication Reduction. Looking at - what are we working with? Which tools and frameworks are we going to employ? OSCAL, YAML, NIST, MITRE, etc. We need to try and avoid overlapping existing materials.
  4. AOB

@AdrianHammond: What's happening with the README.md?
@robmoffat I will work on a PR for this. Those present agreed to review at the end of the meeting. @eddie-knight asked for feedback on the changes to the project structure.
@rgriffiths-scottlogic, Naseer pleased to see progress, happy with changes.

@smendis-scottlogic Q: If I contact someone from the security group, what should I do?
@eddie-knight Either reach out directly, or use the mailing list.

EO496 commented 3 months ago

Ebi Obode

iMichaela commented 3 months ago

@robmoffat

Looking at the minutes above, and without being present in a meeting because I have no invitations to any CCC meetings, I wonder:

  1. Do I need to sign up for the group(s) where OSCAL is mentioned?

@damienjburks - Delivery Working Group. Establishing delivery schedule and content. Keen to add value around consistent, cohesive outputs. Next meeting will discuss what needs to be done to establish a release schedule.

  1. Based on the above note, will OSCAL representation of the artifacts (catalog, profiles, component definitions, etc.) be considered a deliverable the above group will have to track?

@damienjburks - Security working group. Looking at the controls side, creating risk-based assessments, looking at OSCAL and MITRE.

  1. Based on the above note, "looking at OSCAL" means what? Creating samples of best representation of the data so the Delivery WG follows those examples?

@eddie-knight - Duplication Reduction. Looking at - what are we working with? Which tools and frameworks are we going to employ? OSCAL, YAML, NIST, MITRE, etc. We need to try and avoid overlapping existing materials.

  1. OSCAL provides XML, JSON and YAML formats and information can be converted and maintained in all formats. Listing OSCAL and YAML and then NIST means... what exactly? OSCAL is not a tool but WG members would benefit from tools to convert the artifacts generated into OSCAL (not do that by hand, which would be error prone for large data sets and prevent many contributors that are not developers from contributing by creating or reviewing the represented data).

github-actions[bot] commented 2 months ago

This issue will be closed as stale in 7 days. Please update this issue if it is still needed.

github-actions[bot] commented 2 months ago

Closed as stale. An update may reopen this issue.