What is our scope of work?

[adammontville]

During our weekly meeting (2021-12-13), and while we were discussing the Log4j issues, we wondered what the scope of our work would be in PACE. It would be ideal to have a vision/scope document created, so that we have a target to shoot for and can avoid scope creep.

For example, is an "SBOM Preferred" something we want to take under the PACE wing?

[adammontville]

Consider reviewing/leveraging the PACE charter.

[sparrell]

I believe the charter is the attachment to https://lists.oasis-open-projects.org/g/oca-pgb/topic/posture_attribute_collection/86296436?p=,,,20,0,0,0::recentpostdate/sticky,,,20,2,0,86296436,previd=1634934194220224110,nextid=1632463213447063679&previd=1634934194220224110&nextid=1632463213447063679

I recommend we copy that content into our repo somwhere

[adammontville]

2022-01-31: During the PACE meeting it was thought that scope of work should speak to what we are actually looking to build. Let's continue this discussion, so that we are able to consider the components we need to build and...start building them.

[dlemire60]

I think a relevant input to this conversation is what external documentation should be adopted as resources / guidance. Examples include:

1. SACM Architecture Internet Draft
2. Endpoint Posture Collection Profile Internet Draft
3. Endpoint Security Posture Assessment: Enterprise Use Cases (RFC 7632)

I realized the IDs are expired but the content is arguably still useful. RFC 7632 has a lot of good content, organized as building block functions, use cases, and usage scenarios. Another part of the work is then figuring out how related technologies and standards (SBOM, VEX, CACAO, OpenC2) factor in.

[adammontville]

2022-02-07: PACE Meeting Discussion

• Scope: Indicates what PACE will specify/develop
• Fuzzy Edges
  • Hardware and Software Asset Inventory - is this in or out of scope?
  • Are hardware BOMs in scope?
  • SBOM + VEX would be in scope?
  • Have we defined posture? SACM defined posture as including hardware and software.
• "Gold Standards" SBOM - is this something we want (either in PACE or OCA)?
  • Is this an aspect of posture?
  • Similar to STIX-preferred
• What sort of projects belong in our repo (or related repos)?
  • EX: Cyber Automation Workshop Plugfest - does PACE want to play?

Conclusions:

• (Related to"Fuzzy Edges") Specify the PACE interface for inventory systems to use. It's not the role of PACE to define asset inventory systems. PACE will rely on information originating from inventory system. The inventory system is responsible to describe components to be assessed.

Others remain.

[sparrell]

I propose the scope issues have children issues because there are several scope issues and these threads will become very intertwined. Based on the discussion we just had, I think the following are children issues:

• Asset Inventory #28
• Hardware BOM #29
• open source software repo's within PACE (ie on OCA open project) #24
• SBOM-preferred ala STIX-preferred as part of PACE #30
• is PAR within or outside scope #36

I propose making each a separate issue and referencing them in initial description of this issue

[adammontville]

Should the PAR be in scope or should the interface to a PAR be in scope?

[adammontville]

While I missed the 2022-02-14 meeting (apologies). I understand that some of the discussion centered on whether the Posture Attribute Repository is in scope, or if an interface to a given PAR is what is really in scope. We had similar conversations in SCAPv2 before that effort was defunct, and we settled on standardizing the interface not the implementation. I strongly recommend that we follow this approach.

For proof of concept or implementation, however, we will need something. But, to me, that is a different discussion.

[slarchacki22]

Added to FAQ on 4/25/2022 PACE meeting.