Open aj-stein-nist opened 2 years ago
OK, @trevor-vaughan, Dave liked your comments today so we will add this to the backlog. Feel free to subscribe and provide feedback as there are updates.
Probably worth considering after one or more team members presents on commit signing for team education and awareness.
User Story:
As an OSCAL tool developer, in order to ensure the integrity of the OSCAL project source code, I would like to see a policy, procedure, and implementation of how the NIST OSCAL development team signs commits merged into the official source code repositories.
Goals:
Per community request from those reviewing SP 800-53A updates and other related cybersecurity standards from NIST, we would like to look into developer security and supply chain security goals (see 800-53 Revision 5, 800-53A Revision 5, 800-161v1, and SSDF). We can start with designing a mechanism to assist NIST OSCAL developers to set up commit signing for their `git` commits and enforce commit signing during the development lifecycle.
Dependencies:
Acceptance Criteria
{The items above are general acceptance criteria for all User Stories. Please describe anything else that must be completed for this issue to be considered resolved.}
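The "enforce commit signing during the development lifecycle" half of this story is usually a CI gate that walks the commits in a pull request and rejects any that lack a good, trusted signature. The script below is an added example written for this issue, not code from the OSCAL project or its maintainers. It reads the per-commit signature status that `git log --format='%H%x09%G?%x09%GS'` prints (the `%G?` codes are documented in git-log(1)), and fails on anything that is not status `G`, optionally tolerating `U` (good signature, unknown key validity) and optionally checking the signer against an allow-list. The `SAMPLE_LOG` lines, the commit hashes in them, and the signer names are constructed for the demonstration; only `git_signature_log()` talks to a real repository, and it assumes `git` is on `PATH`.

```python
"""Signed-commit policy gate (added example; not OSCAL project code).

Usage against a real repository:
    python signed_commit_gate.py origin/main..HEAD
Exit status is non-zero if any commit in the range violates the policy.
"""
import subprocess
import sys

# Meaning of the %G? placeholder values, per git-log(1).
STATUS_TEXT = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature with unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (for example, missing key)",
    "N": "no signature",
}

# Constructed sample of `git log --format='%H%x09%G?%x09%GS'` output.
# Hashes and identities are made up for this example.
SAMPLE_LOG = (
    "1111111111111111111111111111111111111111\tG\tAlice Developer <alice@example.com>\n"
    "2222222222222222222222222222222222222222\tN\t\n"
    "3333333333333333333333333333333333333333\tB\tMallory <mallory@example.com>\n"
    "4444444444444444444444444444444444444444\tU\tBob Builder <bob@example.com>\n"
)


def parse_log(text):
    """Turn '<sha>\\t<status>\\t<signer>' lines into (sha, status, signer) tuples."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        fields += [""] * (3 - len(fields))  # unsigned commits print an empty %GS
        sha, status, signer = fields[:3]
        commits.append((sha, status, signer))
    return commits


def check_commits(commits, allowed_signers=None, accept_unknown_validity=False):
    """Return a list of (sha, reason) for every commit that violates the policy.

    Policy: status must be G (or U when accept_unknown_validity is set) and,
    if an allow-list is given, the signer string must appear in it.
    """
    accepted = {"G", "U"} if accept_unknown_validity else {"G"}
    violations = []
    for sha, status, signer in commits:
        if status not in accepted:
            reason = STATUS_TEXT.get(status, "unrecognised status " + repr(status))
            violations.append((sha, reason))
        elif allowed_signers is not None and signer not in allowed_signers:
            violations.append((sha, "signer " + repr(signer) + " is not on the allow-list"))
    return violations


def git_signature_log(rev_range, repo="."):
    """Run git in `repo` and return parsed signature status for `rev_range`."""
    out = subprocess.run(
        ["git", "-C", repo, "log", "--format=%H%x09%G?%x09%GS", rev_range],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_log(out)


def main(argv):
    rev_range = argv[1] if len(argv) > 1 else "HEAD~1..HEAD"
    violations = check_commits(git_signature_log(rev_range))
    for sha, reason in violations:
        print("REJECT %s: %s" % (sha[:12], reason))
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two caveats a team adopting this should know. First, `git log` can only report `G` for a GPG signature whose key is in the verifying machine's keyring with full trust, so the CI runner needs the team's public keys imported, or the gate should run with `accept_unknown_validity=True` plus an explicit `allowed_signers` allow-list. Second, for SSH-signed commits git needs `gpg.ssh.allowedSignersFile` configured on the runner; without it the signature shows as unverifiable rather than good.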