[Verse 1]
OSCAL sits in catalogs, describing what exists
Not the logic or the rules, just properties that persist
Says this control has a number, has a family, has a name
But never tells you how to check if compliance is the game

[Chorus]
Metadata sitting in descriptive mode
Never executable, just structured code
Schema's deep and nested, tooling's incomplete
Human eyes can't parse it, makes the circle incomplete
Descriptive not prescriptive, that's the OSCAL way
Tells you what but never how to validate the day

[Verse 2]
JSON layers stack up high, XML branches spread so wide
Hand-authoring's impossible, need machines to be your guide
Compliance officers squinting at the structured markup maze
Can't replace your policy docs, just adds another phase

[Chorus]
Metadata sitting in descriptive mode
Never executable, just structured code
Schema's deep and nested, tooling's incomplete
Human eyes can't parse it, makes the circle incomplete
Descriptive not prescriptive, that's the OSCAL way
Tells you what but never how to validate the day

[Bridge]
Inside each control definition
Natural language still remains
All the ambiguity problems
Wrapped in structured data chains
FedRAMP and NIST adoption
International uptake slow
Format without formal logic
Limits how far you can go

[Verse 3]
Machine-readable by design, sacrifices human sight
Structure around fuzzy text won't make the meaning bright
Properties and parameters in hierarchical display
But evaluation criteria still hide in prose array

[Chorus]
Metadata sitting in descriptive mode
Never executable, just structured code
Schema's deep and nested, tooling's incomplete
Human eyes can't parse it, makes the circle incomplete
Descriptive not prescriptive, that's the OSCAL way
Tells you what but never how to validate the day

[Outro]
Catalog entries enumerate
But never calculate or fate
Supplemental not central
That's OSCAL's temperamental state