opencontrol / discuss

a place to have conversations about OpenControl projects
https://github.com/opencontrol/discuss/issues

Is OpenControl deprecated? #78

Open gregorydulin opened 2 years ago

gregorydulin commented 2 years ago

What's the current preferred SSP export automation tool I should be targeting?

OpenControl looks really promising, but it also looks like a dead project (no activity for years, and evidence that industry (e.g. RedHat) is moving away from it).

It seems like OSCAL is the currently preferred SSP format, but the tooling around it doesn't seem quite as mature as OpenControl (e.g. the only "convert to .docx" tool I found warns of missing fields).

Thanks!

timothy-spencer commented 2 years ago

It makes me sad, because of all the formats/tools that are out there, this one is the one that makes the most sense. But yes, nobody is using it that I know of.

We are trying to use https://github.com/IBM/compliance-trestle as a tool to make OSCAL not be so hard to work with. It's not bad, but there's still a lot more that needs to be done to make it actually useful (our agency AO/ISSO all want us to use their special Word docs), but it's at least good for us because we can use git to document changes, and when we have to update our SSP, all the docs are there in an easy to cut/paste format.

Not sure if this helps, but it's a datapoint at least.

openprivacy commented 2 years ago

OpenControl components can be converted to OSCAL 1.0.0 with the examples/oc_to_oscal_components.py code in https://github.com/CivicActions/compliance-io
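For readers who want to see what that conversion involves without pulling in compliance-io, here is an added, self-contained Python example (not the compliance-io script and not OpenControl project code) that maps a minimal OpenControl component into an OSCAL 1.0.0 component-definition using only the standard library. The input dict mirrors an OpenControl component.yaml as loaded by yaml.safe_load and is constructed for this example; the catalog URL, the UUID namespace and the "implementation-status" prop are assumptions chosen here, while the control and statement id scheme (`ac-2.1`, `au-2_smt.a`) follows NIST's published OSCAL 800-53 catalog. It also includes the missing-field check that the docx exporters mentioned above complain about.

```python
"""Added example: OpenControl component -> OSCAL 1.0.0 component-definition (stdlib only)."""
import json
import uuid
from datetime import datetime, timezone

# Constructed sample in the shape of an OpenControl component.yaml after
# yaml.safe_load(); embedded as a dict so the example runs without PyYAML.
OC_COMPONENT = {
    "name": "Audit Logging Service",
    "key": "AuditLog",
    "schema_version": "3.0.0",
    "satisfies": [
        {
            "standard_key": "NIST-800-53",
            "control_key": "AU-2",
            "implementation_status": "implemented",
            "narrative": [
                {"key": "a", "text": "The service records successful and failed logins."},
                {"key": "b", "text": "Events are forwarded to the central SIEM."},
            ],
        },
        {
            "standard_key": "NIST-800-53",
            "control_key": "AC-2 (1)",
            "implementation_status": "partial",
            "narrative": [{"text": "Account management is automated for service accounts."}],
        },
    ],
}

# Hypothetical fixed namespace: v5 UUIDs derived from stable keys keep the
# generated JSON diff-friendly in git instead of changing on every run.
NS = uuid.uuid5(uuid.NAMESPACE_DNS, "oscal-example.invalid")

# OpenControl status vocabulary -> OSCAL implementation-status states.
STATUS_MAP = {
    "implemented": "implemented",
    "partial": "partial",
    "planned": "planned",
    "not applicable": "not-applicable",
}


def oscal_control_id(control_key):
    """'AC-2 (1)' -> 'ac-2.1', 'AU-2' -> 'au-2' (NIST OSCAL catalog id scheme)."""
    key = control_key.strip().lower().replace(" ", "")
    return key.replace("(", ".").replace(")", "")


def oscal_status(oc_status):
    # Assumption: anything outside the known vocabulary is treated as 'planned'.
    return STATUS_MAP.get(oc_status.strip().lower(), "planned")


def convert_requirement(component_key, sat):
    """One OpenControl 'satisfies' entry -> one OSCAL implemented-requirement."""
    cid = oscal_control_id(sat["control_key"])
    statements, free_text = [], []
    for narrative in sat.get("narrative", []):
        if "key" in narrative:  # keyed narrative maps onto the control's statement parts
            sid = f"{cid}_smt.{narrative['key']}"
            statements.append({
                "statement-id": sid,
                "uuid": str(uuid.uuid5(NS, f"{component_key}/{sid}")),
                "description": narrative["text"],
            })
        else:
            free_text.append(narrative["text"])
    req = {
        "uuid": str(uuid.uuid5(NS, f"{component_key}/{cid}")),
        "control-id": cid,
        "description": "\n\n".join(free_text) or f"Implementation of {cid} by {component_key}.",
        # Convention chosen here: carry the status as a prop on the requirement.
        "props": [{"name": "implementation-status", "value": oscal_status(sat.get("implementation_status", "none"))}],
    }
    if statements:
        req["statements"] = statements
    return req


def to_oscal_component_definition(oc, catalog_href):
    """Build an OSCAL 1.0.0 component-definition document for one OpenControl component."""
    key = oc["key"]
    return {"component-definition": {
        "uuid": str(uuid.uuid5(NS, f"component-definition/{key}")),
        "metadata": {
            "title": f"{oc['name']} component definition",
            "last-modified": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "version": oc.get("schema_version", "1.0.0"),
            "oscal-version": "1.0.0",
        },
        "components": [{
            "uuid": str(uuid.uuid5(NS, key)),
            "type": "software",
            "title": oc["name"],
            "description": f"Converted from OpenControl component '{key}'.",
            "control-implementations": [{
                "uuid": str(uuid.uuid5(NS, f"{key}/control-implementation")),
                "source": catalog_href,
                "description": f"Controls satisfied by {oc['name']}.",
                "implemented-requirements": [convert_requirement(key, s) for s in oc.get("satisfies", [])],
            }],
        }],
    }}


def missing_fields(doc):
    """Return JSON-pointer-like paths of required fields that are absent or empty."""
    problems = []
    for ci, comp in enumerate(doc["component-definition"].get("components", [])):
        for ii, impl in enumerate(comp.get("control-implementations", [])):
            for ri, req in enumerate(impl.get("implemented-requirements", [])):
                base = f"/components/{ci}/control-implementations/{ii}/implemented-requirements/{ri}"
                problems += [f"{base}/{f}" for f in ("uuid", "control-id", "description") if not req.get(f)]
                for si, stmt in enumerate(req.get("statements", [])):
                    problems += [f"{base}/statements/{si}/{f}" for f in ("statement-id", "uuid", "description") if not stmt.get(f)]
    return problems


if __name__ == "__main__":
    doc = to_oscal_component_definition(OC_COMPONENT, "https://example.invalid/NIST_SP-800-53_rev5_catalog.json")
    print(json.dumps(doc, indent=2))
    print("missing:", missing_fields(doc))
```

Running it prints the component-definition JSON and an empty missing-field list; dropping a `text` key from the sample narrative shows up as a `/description` path in that list, which is the kind of gap the docx tooling warns about.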

gregorydulin commented 2 years ago

Thanks for the info, @timothy-spencer and @openprivacy!

I think we'll try running with OpenControl, and export to OSCAL and .md (and then to .docx and .pdf) as required. I'll post here to let everyone know how it went (if you're visiting this page and I haven't posted for a month or two, feel free to remind me).

Thanks!

hexblot commented 1 year ago

> Thanks for the info, @timothy-spencer and @openprivacy!
>
> I think we'll try running with OpenControl, and export to OSCAL and .md (and then to .docx and .pdf) as required. I'll post here to let everyone know how it went (if you're visiting this page and I haven't posted for a month or two, feel free to remind me).
>
> Thanks!

hello @gregorydulin -- could you update on the above?

shawndwells commented 1 year ago

Believe we can safely say OpenControl isn't active, and that OSCAL serves this purpose (and is an official NIST standard!).

Any objections to marking the repos as archives, and updating the READMEs to point to OSCAL?

Paging @openprivacy , @gregelin , @afeld

Failing any feedback, will go ahead and make the changes in a few weeks.

shawndwells commented 1 year ago

Also paging the broader @opencontrol/18f-contributors (see comment above)

gregelin commented 1 year ago

No objection from me...

Greg Elin, Principal OSCAL Engineer, RegScale, Inc.

On Wed, Feb 22, 2023 at 10:26 PM Shawn Wells wrote:

> Believe we can safely say OpenControl isn't active, and that OSCAL serves this purpose (and is an official NIST standard!).
>
> Any objections to marking the repos as archives, and updating the READMEs to point to OSCAL?
>
> Paging @openprivacy , @gregelin , @afeld
>
> Failing any feedback, will go ahead and make the changes in a few weeks.


openprivacy commented 1 year ago

Agree that OpenControl is not active, and the OSCAL community is growing, but I'm not ready to say OpenControl is dead. And I believe there are still some teams using it, or at least there were last year. Perhaps just a public README at https://github.com/opencontrol with a pointer to NIST OSCAL and the OSCAL Community - I'm happy to put up a page if agreed.

trevorbryant commented 1 year ago

Over the past couple of years, fewer and fewer people have been available to address Issues or merge PRs. I think it's safe to say that the efforts of the community aren't exactly "dead", but no longer actively worked on nor maintained in favor of NIST OSCAL.

gregorydulin commented 1 year ago

> Thanks for the info, @timothy-spencer and @openprivacy! I think we'll try running with OpenControl, and export to OSCAL and .md (and then to .docx and .pdf) as required. I'll post here to let everyone know how it went (if you're visiting this page and I haven't posted for a month or two, feel free to remind me). Thanks!
>
> hello @gregorydulin -- could you update on the above?

Sorry for the delay. We did end up using OpenControl to build an SSP PDF, and it's working pretty well. That being said, though, if accreditors are going to start accepting OSCAL YAML files in lieu of PDFs, I'll gladly make the switch. We haven't done a ton of documentation in OpenControl format, so switching now is probably better than switching later.