usnistgov / OSCAL

Open Security Controls Assessment Language (OSCAL)
https://pages.nist.gov/OSCAL/

OSCAL Success Stories Page #1550

Open aj-stein-nist opened 1 year ago

aj-stein-nist commented 1 year ago

User Story

As an OSCAL community member, in order to better understand where my work and effort stand in the community, I want to know what kinds of people in the security industry (or in tech, adjacent to it) use OSCAL in their processes and tools, how they use it, and what successes/benefits came from it.

Goals

Dependencies

Acceptance Criteria

iMichaela commented 1 year ago

@aj-stein-nist - Tracking this kind of activity on our website (nist.gov) needs to be discussed with the legal office, since the previous guidance we received was to not list anything we/NIST did not verify is accurate. We are still delinquent with either obtaining proof for all tools we are listing on our website, or moving that information out to a community-maintained website. We have several tools listed on our website; I contacted the producers asking for some kind of proof they are implementing OSCAL (a presentation, a description on their website clearly indicating so, a recorded demo, etc.). I haven't gotten a reply from some tool implementers and we will need to act soon. I am giving a little more time - until Jan 2, 2023.

aj-stein-nist commented 1 year ago

@iMichaela I just put it in the backlog, not necessarily because I expect to (or expect others to) work on it immediately. All of these obstacles sound important, but not insurmountable. I hope we can find a way forward.

iMichaela commented 1 year ago

@aj-stein-nist - as long as we find an approach that meets the legal office's requirements, I am game. If not we will achieve it by working with the community to accomplish it.

stevespringett commented 1 year ago

Let me know how OWASP or the CycloneDX team can support the success stories.

aj-stein-nist commented 1 year ago

@aj-stein-nist - as long as we find an approach that meets the legal office's requirements, I am game. If not we will achieve it by working with the community to accomplish it.

On that note, a quick thought before I forget @iMichaela. Perhaps we ask our colleagues in NIST and at FedRAMP to collaborate with us and add them as the first success stories, thoughts? (I am just spitballing here, we have not even prioritized this, just occurred to me while I was coding.)

iMichaela commented 1 year ago

@aj-stein-nist - as long as we find an approach that meets the legal office's requirements, I am game. If not we will achieve it by working with the community to accomplish it.

On that note, a quick thought before I forget @iMichaela. Perhaps we ask our colleagues in NIST and at FedRAMP to collaborate with us and add them as the first success stories, thoughts? (I am just spitballing here, we have not even prioritized this, just occurred to me while I was coding.)

@aj-stein-nist - I did not reply earlier because I did not have a possible path forward. We can talk after you return from ACSAC.

aj-stein-nist commented 1 year ago

Relevant examples worth looking into from:

aj-stein-nist commented 1 year ago

@iMichaela and I need to review the viability of this and, if we are unable to publish at least one success story at a minimum, close this work as WONTFIX.