microsoft / oss-ssc-framework

Open Source Software Secure Supply Chain Framework
https://www.microsoft.com/en-us/securityengineering/opensource
235 stars, 9 forks

OSCAL Support #8

Open xee5ch opened 2 years ago

xee5ch commented 2 years ago

Howdy, club manager from oscal.club. I am obviously a biased fan of OSCAL. Do you have plans to support it as a publication format for the OSS SSC Framework controls? Would you consider a user-contributed addition if it could be developed as part of automation implemented with GitHub Actions?

Thanks for contributing this framework as open source to the community.
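To make the request above concrete, here is an added example (not code from this repository or from the OSCAL project) of what "publishing the controls in OSCAL" could look like: a small script that builds an OSCAL catalog document and runs the structural checks a GitHub Actions job could apply before publishing. The control identifiers and statements are constructed placeholders, not the framework's real controls, and the checks are assumptions about what a CI gate should enforce; they do not replace validation against the official OSCAL JSON schema.

```python
"""Build and sanity-check a minimal OSCAL catalog (constructed example)."""
import json
import uuid
from datetime import datetime, timezone

# Constructed placeholder controls; the framework's real control text is not reproduced here.
EXAMPLE_CONTROLS = [
    ("EXAMPLE-1", "Inventory", "Keep an inventory of all open source components consumed."),
    ("EXAMPLE-2", "Scan", "Scan consumed components for known vulnerabilities."),
]


def build_catalog(controls, title="Example framework catalog"):
    """Return a dict shaped like an OSCAL catalog: catalog -> metadata, groups -> controls.

    Each control carries one 'statement' part holding its prose, which is the
    usual place OSCAL catalogs put the requirement text.
    """
    return {
        "catalog": {
            "uuid": str(uuid.uuid4()),
            "metadata": {
                "title": title,
                "last-modified": datetime.now(timezone.utc).isoformat(),
                "version": "0.1.0",
                "oscal-version": "1.0.4",
            },
            "groups": [
                {
                    "id": "example-group",
                    "title": "Example controls",
                    "controls": [
                        {
                            "id": cid,
                            "title": ctitle,
                            "parts": [{"id": f"{cid}_smt", "name": "statement", "prose": prose}],
                        }
                        for cid, ctitle, prose in controls
                    ],
                }
            ],
        }
    }


def iter_controls(catalog):
    """Yield every control in every top-level group (nested groups are not walked here)."""
    for group in catalog["catalog"].get("groups", []):
        for ctl in group.get("controls", []):
            yield ctl


def validate_catalog(catalog):
    """Return a list of problems; an empty list means the structural checks passed.

    Assumed CI invariants: required metadata present, every control has an id,
    ids are unique, and every control has a non-empty statement part.
    """
    problems = []
    cat = catalog.get("catalog")
    if not isinstance(cat, dict):
        return ["top-level 'catalog' object missing"]
    meta = cat.get("metadata", {})
    for key in ("title", "last-modified", "version", "oscal-version"):
        if key not in meta:
            problems.append(f"metadata.{key} missing")
    seen = set()
    for ctl in iter_controls(catalog):
        cid = ctl.get("id")
        if not cid:
            problems.append("control without id")
            continue
        if cid in seen:
            problems.append(f"duplicate control id {cid}")
        seen.add(cid)
        has_statement = any(
            p.get("name") == "statement" and p.get("prose") for p in ctl.get("parts", [])
        )
        if not has_statement:
            problems.append(f"control {cid} has no statement part")
    return problems


def to_json(catalog):
    """Serialize the catalog as the JSON a publishing workflow would commit or upload."""
    return json.dumps(catalog, indent=2)


if __name__ == "__main__":
    cat = build_catalog(EXAMPLE_CONTROLS)
    print(to_json(cat))
    print("problems:", validate_catalog(cat))
```

In a GitHub Actions workflow the same script would run on every pull request, failing the job when `validate_catalog` returns anything, and then hand the JSON to a full OSCAL schema validator as the second gate.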

david-a-wheeler commented 2 years ago

See also this SLSA discussion: https://github.com/slsa-framework/slsa/issues/478

We probably ought to examine alternatives to OSCAL & try to understand the implications of using it, but it certainly seems worth investigating.

xee5ch commented 2 years ago

> See also this SLSA discussion: slsa-framework/slsa#478
>
> We probably ought to examine alternatives to OSCAL & try to understand the implications of using it, but it certainly seems worth investigating.

I guess that means someone needs to help you weigh pros and cons; let our community know how we can help with that!

adriandiglio commented 2 years ago

Hi @xee5ch, we would like to invite you to our next Community Meeting to present an overview of OSCAL and how we could use it. Our next community meeting is on Tuesday October 18th. Does that work for you? (CC @camaleon2016)

xee5ch commented 2 years ago

> Hi @xee5ch, we would like to invite you to our next Community Meeting to present an overview of OSCAL and how we could use it. Our next community meeting is on Tuesday October 18th. Does that work for you? (CC @camaleon2016)

I will try and make it, sounds good to me!

adriandiglio commented 1 year ago

@xee5ch It's been a while since we last discussed this, but we are hosting a Hackathon the week of Sept 11th, 2023 to define a schema for an OSCAL-based attestation file, along with a tool to generate it.

This repo is our legacy repo (since we've contributed this guide to the OpenSSF - and rebranded it as the Secure Supply Chain Consumption Framework (S2C2F)). We would really like you to participate and also tell us more about OSCAL. Can you please join our Discussion in our new repo? https://github.com/ossf/s2c2f/discussions/26