usnistgov / OSCAL

Open Security Controls Assessment Language (OSCAL)
https://pages.nist.gov/OSCAL/

Setup Commit Signing for NIST OSCAL Developers #1109

Open aj-stein-nist opened 2 years ago

aj-stein-nist commented 2 years ago

User Story:

As an OSCAL tool developer, in order to ensure the integrity of the OSCAL project source code, I would like to see a policy, procedure, and implementation of how the NIST OSCAL development team signs commits merged into the official source code repositories.

Goals:

Per community request from those reviewing SP 800-53A updates and other related cybersecurity standards from NIST, we would like to look into developer security and supply chain security goals (see 800-53 Revision 5, 800-53A Revision 5, 800-161v1, and SSDF). We can start with designing a mechanism to assist NIST OSCAL developers to set up commit signing for their git commits and enforce commit signing during the development lifecycle.

Dependencies:

Acceptance Criteria

{The items above are general acceptance criteria for all User Stories. Please describe anything else that must be completed for this issue to be considered resolved.}

aj-stein-nist commented 2 years ago

OK, @trevor-vaughan, Dave liked your comments today so we will add this to the backlog. Feel free to subscribe and provide feedback as there are updates.

aj-stein-nist commented 2 years ago

GitHub announced a service improvement that might make this more practical than before with SSH key signing.

aj-stein-nist commented 11 months ago

Probably worth considering after one or more team members present on commit signing for team education and awareness.