How to track and communicate on specific development topics in our work? (Part 2)

[aj-stein-nist]

User Story

As a NIST or community OSCAL developer, in order to understand the current state of work, I would like to know how a certain development issue (rules, customer responsibility matrix, a large topic in ongoing development) is communicated cohesively: a summary of that topic of work, the related epic or epics, and the issues within one or more epics to understand the progression of work and what parts are "done."

This issue will focus on rounding out work started in #1496 and focus on the pending work items described in comment https://github.com/usnistgov/OSCAL/issues/1496#issuecomment-1442302443.

Goals

• [ ] Communicate where topics there in different work streams from the NIST OSCAL Team.
• [ ] Answer two key practical questions with the simplest, least effort approach:
  • [ ] Which topics have we worked on our plan to work on in the future? I want to understand where the NIST Team is at!
  • [ ] Which topic or topics are we actively working on?

Dependencies

• [x] Reorganize labels as a potential driver of organization for this work in: usnistgov/OSCAL#1496

Acceptance Criteria

• [ ] An ADR that is reviewed or merged into main documenting the approach decided.
• [ ] One or more NIST staff brief the community for feedback in the relevant public meeting venue.
  • [ ] Feedback is received and recorded in meeting minutes.
  • [ ] If applicable, NIST OSCAL Team reviews feedback and makes necessary adjustments where beneficial.
• [ ] A Pull Request (PR) is submitted that fully addresses the goals of this User Story. This issue is referenced in the PR.
• [ ] The CI-CD build process runs without any reported errors on the PR. This can be confirmed by reviewing that all checks have passed in the PR.

[aj-stein-nist]

This is sadly overdue, to work in Sprint 67 or we need to find an interim solution before the sprint in which we next schedule this work.

[aj-stein-nist]

I would like to start on this soon. I have looked at what Chris and Michaela are doing with DEFINE, so that will be a good starting point and I will hope to align with that. :-)

https://github.com/orgs/usnistgov/projects/48

[aj-stein-nist]

For now Arminta will help but A.J. will drive this issue.

[aj-stein-nist]

I have bumped up the priority of this from Moderate to High because before, during, and after the conference at the end of May messaging around this will be increasingly important.

[aj-stein-nist]

I need to sync up with @Arminta-Jenkins-NIST this afternoon but I have spent spare time between non-OSCAL work researching how different projects communicate current work and medium/long-term roadmaps, particularly open-source projects for data formats and specifications generally, and particularly those in the cybersecurity domain. I will include a list of some of those for reference for colleagues and community members following this issue.

• SLSA
• SPDX
• CycloneDX
• in-toto specification(s)
• SARIF
• The family of OASIS OpenC2 standards

I also have started to look at a few that are not specific to cybersecurity.

• OASIS DITA
• OASIS ODF
• TEI

Many of them use GitHub to track day-to-day technical work in the form of issues. Most repositories make use of these issues with labels. Very few, if any, use the GitHub Projects boards (the classic or new stable v2 version). The associated repos for these efforts that do use project boards make sparing use of them, many have infrequent usage or are completely stale. The one exception I found lately is SLSA.

https://github.com/orgs/slsa-framework/projects/1/views/1?layout=board

In terms of roadmap, the in-toto project does store the roadmap and the quarterly as Markdown files in their repo and it is worth considering.

https://github.com/in-toto/docs/tree/6400974e229b70cfa7a2585dafb854955422c8d1/roadmap-reviews

UPDATE: I also really enjoyed this roadmap as communicated for the Unison project.

https://www.unison-lang.org/roadmap/

[Arminta-Jenkins-NIST]

I've started on a comprehensive list of suggested objectives/themes to sort the development topics. Please see the following hackMD.

[aj-stein-nist]

@Arminta-Jenkins-NIST I wanted to provide some more detailed examples of what level of detail I think we need. Let me know what you think. We should catch up later today or early next week. Still very much a work in progress but let's catch up soon.

[aj-stein-nist]

Need to meet with team and move this forward adjusting for feedback.

[aj-stein-nist]

@aj-stein-nist needs to work with Chris to integrate research topics with the value stream concept (if we move forward with that), brief the time, make a decision as a group, move forward in the next 1-2 weeks.

[aj-stein-nist]

I had a series of internal meetings and did work research on better layering a communications approach. Draft ADR, minimalist example, and more to follow.

[aj-stein-nist]

Moving to Sprint 77 with related #1910, both are incomplete.

[aj-stein-nist]

Although this is not technically started, it will be prudent to handle this with #1910, which is very close to done. We will talk about moving this forward in sprint planning.

[aj-stein-nist]

This issue was discussed at length in coordination with #1910. This needs to be moved forward, with #1910 as a primary target of integrating into the board and communicating on those specific development topics. More to follow tomorrow.

[iMichaela]

HackMD where work was started: https://hackmd.io/AfAityGDSMSMG74vrzQwDA

[Compton-US]

Narrowing the scope on this issue a bit from the original broad scope team communication. For closing this issue out, we need to review 1910 and check off items that we already have tutorial content for.

For items that are not checked off, we need to review and create issues as necessary to plan the creation of new/updated content related to each of the value streams.