STIG vs. OSCAL: A Complete Curriculum
54 chapters
1. 1 The Core Problem Both Address
[Verse 1]
Four thousand hours for one ATO
Manual checks that drain your soul
Hundreds of STIG requirements calling
Dozens of products, compliance falling
Map to eight hundred fifty-three controls
While deadlines crush organizational goals
[Chorus]
The burden's real, the pain is shared
Both STIG and OSCAL know we're scared
Of drowning in documentation seas
Manual processes bring us to our knees
Automation's not a question of if
It's finding the right tools for the shift
[Verse 2]
FedRAMP review demands perfection
Every control needs deep inspection
DoD systems joining the network spine
Must prove each baseline's by design
SSPs growing beyond human scale
Where paper processes always fail
[Chorus]
The burden's real, the pain is shared
Both STIG and OSCAL know we're scared
Of drowning in documentation seas
Manual processes bring us to our knees
Automation's not a question of if
It's finding the right tools for the shift
[Bridge]
Same mountain, different climbing gear
STIG checklists make compliance clear
OSCAL frameworks standardize the flow
Both solve the problems that we know
Volume, complexity, human error
Time constraints that breed terror
[Verse 3]
Information systems multiply fast
Security postures that have to last
Evidence gathering, risk assessment
Continuous monitoring, no rest meant
The question's not whether we automate
It's which tool fits our current state
[Final Chorus]
The burden's real, both understand
Manual methods can't withstand
Modern scale and speed demands
That's why both extend helping hands
Different approaches, same core fight
Making cybersecurity right
[Outro]
One problem, two solutions calling
Which will catch you when you're falling?
2. 2 Two Different Questions, Two Different Standards
[Verse 1]
When security teams start their inspection
They face a choice of direction
STIG asks one thing, OSCAL asks another
Different questions, like sister and brother
STIG looks close at each product's configuration
OSCAL views the whole system's documentation
[Chorus]
Two different questions, two different ways
STIG asks "Is this configured right today?"
OSCAL asks "Does the system meet requirements?"
Two different standards, two different measurements
Different scope, different goals in sight
Both keep our systems secure and tight
[Verse 2]
DISA built STIG in the late nineties era
Product by product, making configs clearer
Windows Server, Red Hat, Cisco gear
Each gets its own guidance crystal clear
Updated quarterly, keeping pace
With every threat the systems face
[Chorus]
Two different questions, two different ways
STIG asks "Is this configured right today?"
OSCAL asks "Does the system meet requirements?"
Two different standards, two different measurements
Different scope, different goals in sight
Both keep our systems secure and tight
[Verse 3]
NIST created OSCAL in twenty-sixteen
Data interchange for the security scene
Not just config but the full lifecycle
Risk Management Framework, assessment's cycle
System boundaries and authorization
Complete security documentation
[Bridge]
STIG goes narrow, one product deep
OSCAL goes wide, the whole system to keep
Configuration versus control compliance
Different owners, different guidance
But both serve security's greater call
Working together, protecting us all
[Chorus]
Two different questions, two different ways
STIG asks "Is this configured right today?"
OSCAL asks "Does the system meet requirements?"
Two different standards, two different measurements
Different scope, different goals in sight
Both keep our systems secure and tight
[Outro]
Know your question before you start
STIG or OSCAL, they're both an art
Different standards for different needs
Both plant security's vital seeds
3. 3 The Analogy
[Verse 1]
Picture building your dream house, foundation to the roof
Every trade has got their standards, that's the basic truth
Electricians wire by the code, plumbers follow rules
Framers build the structure right with their specific tools
[Chorus]
STIGs are the building codes, product by product guide
OSCAL is the paperwork that keeps you certified
One tells you how to build it, one proves that you comply
You need them both together, like the earth needs the sky
[Verse 2]
Network switches need their settings, servers need their locks
Databases and firewalls, each one's got their blocks
STIGs define the standards for every piece of kit
Like electrical and plumbing codes, they make everything fit
[Chorus]
STIGs are the building codes, product by product guide
OSCAL is the paperwork that keeps you certified
One tells you how to build it, one proves that you comply
You need them both together, like the earth needs the sky
[Bridge]
Permit application starts the show
Inspection reports let the progress flow
Certificate of occupancy makes it legal now
OSCAL documents the what, the when, the why, the how
[Verse 3]
When the inspector comes around to check your cyber space
They want to see the OSCAL forms, documentation's face
But underneath those reports are STIGs that guide the way
Both working hand in hand to keep the threats at bay
[Chorus]
STIGs are the building codes, product by product guide
OSCAL is the paperwork that keeps you certified
One tells you how to build it, one proves that you comply
You need them both together, like the earth needs the sky
[Outro]
Don't think one replaces the other in this game
They're partners in security, not playing for the same
Build it right with STIGs, document with OSCAL's might
That's how you keep your systems running day and night
4. 4 Prerequisites
[Verse 1]
Before we dive into STIG and OSCAL ways
You need four pillars to guide through the maze
NIST eight hundred fifty-three revision five
Security controls to keep systems alive
From access control to incident response
Each family matters, each one counts of course
[Chorus]
Four prerequisites, learn them well
NIST controls and RMF to tell
Compliance frameworks, one you should know
XML JSON, let the data flow
Four prerequisites, build your foundation
STIG meets OSCAL transformation
[Verse 2]
Risk Management Framework, eight hundred thirty-seven
Seven steps to take you from earth up to heaven
Categorize systems, select your controls
Implement and assess, that's how security rolls
Authorize to operate, monitor with care
RMF cycle keeps your data aware
[Chorus]
Four prerequisites, learn them well
NIST controls and RMF to tell
Compliance frameworks, one you should know
XML JSON, let the data flow
Four prerequisites, build your foundation
STIG meets OSCAL transformation
[Bridge]
FedRAMP for the cloud, CMMC for defense
HIPAA guards health data, each framework makes sense
Choose one that speaks to your industry's call
Understanding compliance helps you stand tall
[Verse 3]
Markup languages hold the structured key
XML with angle brackets, hierarchy free
JSON with objects, arrays nested clean
Both carry data in ways clearly seen
Comfort reading either opens the door
To automation treasures and so much more
[Chorus]
Four prerequisites, learn them well
NIST controls and RMF to tell
Compliance frameworks, one you should know
XML JSON, let the data flow
Four prerequisites, build your foundation
STIG meets OSCAL transformation
[Outro]
Master these four before you begin
STIG and OSCAL knowledge you'll win
5. 1 What a STIG Actually Is
[Verse 1]
DISA publishes guides to keep systems secure
Configuration standards that are tested and sure
Each STIG document covers one product line
Operating systems, databases, apps defined
Hundreds of rules inside each comprehensive tome
Making your infrastructure a hardened home
[Chorus]
STIG means Security Technical Implementation Guide
Rules and checks and fixes are your cyber guide
Rule ID, STIG ID, severity cats one through three
Description, check text, fix text, CCI
From critical to low risk, every finding has its place
DISA updates quarterly to keep up with the pace
[Verse 2]
Rule ID starts with SV, numbers follow long
STIG ID is shorter, product specific and strong
RHEL dash zero eight means Red Hat Enterprise Linux
Every rule maps clearly to the systems that it links
Category One is critical, must fix right away
Category Two significant, Category Three can wait a day
[Chorus]
STIG means Security Technical Implementation Guide
Rules and checks and fixes are your cyber guide
Rule ID, STIG ID, severity cats one through three
Description, check text, fix text, CCI
From critical to low risk, every finding has its place
DISA updates quarterly to keep up with the pace
[Bridge]
Description tells you what the vulnerability means
Check text shows you how to verify what the scanner sees
Fix text gives the steps to remediate the flaw
CCI maps to NIST eight hundred fifty-three controls you saw
Network devices, middleware, cloud services too
Every platform gets a STIG to see your setup through
[Verse 3]
When auditors come knocking with their compliance demands
You'll have documented proof that security stands
Each finding cross-references to federal control frameworks
Manual instructions that eliminate the guesswork
From Windows Server down to Oracle database
STIG compliance puts security in its rightful place
[Chorus]
STIG means Security Technical Implementation Guide
Rules and checks and fixes are your cyber guide
Rule ID, STIG ID, severity cats one through three
Description, check text, fix text, CCI
From critical to low risk, every finding has its place
DISA updates quarterly to keep up with the pace
[Outro]
Six components make each rule complete and clear
DISA's technical guidance keeps threats from drawing near
STIG documentation, your security foundation
Protecting all our systems across the entire nation
6. 2 STIG Formats and Artifacts
[Verse 1]
When security standards need to be clear
Four artifacts help us engineer
STIG Manual leads the way today
XCCDF benchmark shows us how to stay
Safe and sound with rules defined
Machine and human both aligned
[Chorus]
STIG formats, four to know
Manual, Benchmark, Checklist, SRG flow
XCCDF XML shows the way
OVAL checks what systems say
Status codes tell the story true
Open findings, not reviewed
[Verse 2]
STIG Benchmark takes it further still
XCCDF plus OVAL gives the skill
Data streams for automated checks
SCAP content that interconnects
Machine readable, precise and clean
Best security you've ever seen
[Chorus]
STIG formats, four to know
Manual, Benchmark, Checklist, SRG flow
XCCDF XML shows the way
OVAL checks what systems say
Status codes tell the story true
Open findings, not reviewed
[Bridge]
Checklist files in CKL we find
XML structure, well designed
Per system evidence we trace
Not a Finding, Not Applicable
Not Reviewed or Open case
Each rule status has its place
[Verse 3]
SRG stands above them all
Security Requirements Guide stands tall
Higher level, bridges the gap
DoD policy to product map
Documents that pave the way
For STIGs we use today
[Final Chorus]
STIG formats, four to know
Manual, Benchmark, Checklist, SRG flow
XCCDF XML shows the way
OVAL checks what systems say
Four artifacts working as one
Security compliance, job well done
[Outro]
From requirements down to code
STIG artifacts light the road
Manual, Benchmark, Checklist, Guide
Security standards, verified
7. 3 The SCAP Protocol Suite
[Verse 1]
STIGs were made for human eyes to read and understand
But automation needs a way to scan across the land
SCAP Protocol Suite steps in to bridge this growing gap
Making security checklists run with just a single tap
[Chorus]
Six specifications working as one team
XCCDF, OVAL, CPE - building the machine
CCE, CVSS, OCIL too - each one plays its part
SCAP automation flowing like a work of art
[Verse 2]
XCCDF speaks in XML to structure every test
Extensible Configuration format does it best
Publishing STIGs in schemas machines can comprehend
While keeping all the guidance that administrators depend
[Chorus]
Six specifications working as one team
XCCDF, OVAL, CPE - building the machine
CCE, CVSS, OCIL too - each one plays its part
SCAP automation flowing like a work of art
[Verse 3]
OVAL dives deep with technical checks so precise
"Is minimum length fifteen?" - it runs the test twice
Open Vulnerability Assessment Language knows the way
To verify configurations every single day
[Bridge]
CPE identifies the platform where tests should run
CCE gives standard names when configuration's done
CVSS scores the severity from low risk up to ten
OCIL asks the questions that need human review again
[Chorus]
Six specifications working as one team
XCCDF, OVAL, CPE - building the machine
CCE, CVSS, OCIL too - each one plays its part
SCAP automation flowing like a work of art
[Verse 4]
Common Platform Enumeration maps the systems right
Common Configuration names keep standards burning bright
When humans need to answer what machines cannot decide
OCIL Interactive Language keeps reviewers as your guide
[Outro]
From manual checklists to automated scans
SCAP Protocol Suite executes your plans
Six components unified in automation's embrace
Security compliance running at machine-driven pace
8. 4 The STIG/SCAP Workflow
[Verse 1]
DISA takes the standards, makes them clear and bright
Publishing the STIG benchmarks, security done right
XCCDF for the checklist, OVAL for the tests
SCAP format packages all the compliance requests
[Chorus]
From STIG to SCAP to scanner evaluation
XCCDF results for system validation
Import to the viewer, make your checklist clean
CKL for the ATO, complete security scene
The workflow keeps on flowing, each step builds the next
STIG SCAP workflow, putting security to the test
[Verse 2]
OpenSCAP is ready, DISA SCC stands by
Nessus joins the party, scanning systems high and low
Automated checking, every rule gets its turn
XML results returning, lessons that we learn
[Chorus]
From STIG to SCAP to scanner evaluation
XCCDF results for system validation
Import to the viewer, make your checklist clean
CKL for the ATO, complete security scene
The workflow keeps on flowing, each step builds the next
STIG SCAP workflow, putting security to the test
[Bridge]
STIG Viewer takes the data, transforms what we see
XCCDF becomes a checklist, organized and free
Evidence collection, documentation trail
ATO package ready, compliance will not fail
[Verse 3]
Every finding matters, pass or fail or not reviewed
Manual verification, automated results pursued
The checklist tells the story, of security controls
From benchmark to approval, achieving all our goals
[Chorus]
From STIG to SCAP to scanner evaluation
XCCDF results for system validation
Import to the viewer, make your checklist clean
CKL for the ATO, complete security scene
The workflow keeps on flowing, each step builds the next
STIG SCAP workflow, putting security to the test
[Outro]
DISA STIG to SCAP benchmark flowing
Scanner evaluation, results are showing
Viewer makes the checklist, ATO evidence
STIG SCAP workflow, security's defense
9. 5 SCAP Scanning Tools
[Verse 1]
When you need to scan for compliance today
Five tools will guide you on your way
OpenSCAP leads the open source fight
Command line power with NIST certified might
Oscap xccdf eval runs the test
Most widely trusted, passes every request
[Chorus]
Five scanners strong, remember the names
OpenSCAP, SCC for DoD games
Workbench GUI makes it visual and clean
Nessus commercial, CIS-CAT Pro machine
SCAP tools working, keeping systems secure
Five ways to scan when compliance is sure
[Verse 2]
DISA brings us SCC from NIWC's hand
Official DoD scanner across the land
Download it free from Cyber Exchange site
When military standards must be done right
Government approved for federal use
This scanner delivers what you can't refuse
[Chorus]
Five scanners strong, remember the names
OpenSCAP, SCC for DoD games
Workbench GUI makes it visual and clean
Nessus commercial, CIS-CAT Pro machine
SCAP tools working, keeping systems secure
Five ways to scan when compliance is sure
[Verse 3]
SCAP Workbench wraps OpenSCAP around
Interactive scanning, GUI-based and sound
Customize profiles with point and click ease
Visual results that are sure to please
Built by OpenSCAP project team
Making scanning more than command line dreams
[Bridge]
Tenable's Nessus brings commercial grade
SCAP audit features professionally made
Exports XCCDF when the scanning's complete
Enterprise power that can't be beat
[Verse 4]
CIS-CAT Pro from Center Internet Security
Benchmarks and STIGs working in harmony
Paying members get XCCDF export gold
Assessment power that's worth being sold
Five tools together, each serves its role
SCAP compliance is the ultimate goal
[Outro]
From open source free to commercial paid
Five scanning tools help compliance get made
Choose your scanner for the job at hand
SCAP standards across every land
10. 6 What STIGs Don't Do
[Verse 1]
When you think that STIGs can do it all
You're setting yourself up to fall
They're powerful tools but they have their place
Six limitations you need to face
One product at a time is all they see
No system view for you and me
Your enterprise has dozens more
But STIGs can't see from shore to shore
[Chorus]
STIGs don't do what you think they do
Six big gaps that will trouble you
No system view, no docs to make
No multi-maps, automation breaks
No continuous watch, no relationships too
STIGs don't do what you think they do
[Verse 2]
Need an SSP or assessment plan?
STIGs won't lend a helping hand
POA and Ms are not their game
Documentation's not their claim to fame
FedRAMP, CMMC, HIPAA too
SOC 2 and PCI coming through
STIGs map to NIST controls alone
Multi-framework mapping's not their zone
[Chorus]
STIGs don't do what you think they do
Six big gaps that will trouble you
No system view, no docs to make
No multi-maps, automation breaks
No continuous watch, no relationships too
STIGs don't do what you think they do
[Bridge]
Manual checks need human eyes
Interviews and doc reviews
Physical inspections, no surprise
SCAP can't automate all clues
Point-in-time is all you get
No ongoing posture view
Continuous monitoring? Not yet
That's not what STIGs do
[Verse 3]
Inherited controls from other systems
Shared responsibility arrangements
Authorization boundary conditions
STIGs don't model these engagements
Six limitations, now you know
Where STIGs excel and where they don't go
Powerful tools within their scope
But know their bounds to avoid false hope
[Chorus]
STIGs don't do what you think they do
Six big gaps that will trouble you
No system view, no docs to make
No multi-maps, automation breaks
No continuous watch, no relationships too
STIGs don't do what you think they do
[Outro]
STIGs are strong but they're not complete
Know their limits, avoid defeat
Six things missing from their design
Keep these gaps in your front of mind
11. 1 What OSCAL Actually Is
[Verse 1]
There's a language for security that you need to know
Not a tool or application, but the way data flows
XML and JSON, YAML too
Machine-readable formats that speak compliance through
Every control and assessment, every plan you make
OSCAL is the standard for the data that you take
[Chorus]
OSCAL is the language, not the tool
Open Security Controls Assessment rule
Lifecycle management from start to end
Machine-readable data that systems comprehend
O-S-C-A-L, remember this way
Language for compliance every single day
[Verse 2]
From the catalog of controls to implementation plans
Assessment results and reports, it's all in OSCAL's hands
Tools consume and produce it, but OSCAL stands alone
Standardized and structured, it's the common ground we've known
No more proprietary formats causing all the pain
OSCAL speaks one language across the compliance chain
[Chorus]
OSCAL is the language, not the tool
Open Security Controls Assessment rule
Lifecycle management from start to end
Machine-readable data that systems comprehend
O-S-C-A-L, remember this way
Language for compliance every single day
[Bridge]
Think of it like HTML for the web we see
OSCAL is the markup for security
Controls and assessments in a common tongue
The future of compliance has already begun
[Verse 3]
When you automate compliance, OSCAL leads the dance
Every phase of control lifecycle gets its proper chance
Documentation, testing, monitoring what's real
OSCAL makes it possible for systems to feel
The pulse of your security in formats they can read
A universal language for every compliance need
[Chorus]
OSCAL is the language, not the tool
Open Security Controls Assessment rule
Lifecycle management from start to end
Machine-readable data that systems comprehend
O-S-C-A-L, remember this way
Language for compliance every single day
[Outro]
Not a tool, but a language
For security's true way
OSCAL is the standard
For compliance today
12. 2 The OSCAL Model Stack
[Verse 1]
Seven models in a stack of three
OSCAL's architecture runs so free
Controls layer at the foundation
Building blocks for every nation
Catalog holds the rules we need
Profile picks the ones that lead
Mapping bridges different frames
Connecting all the standard names
[Chorus]
Three layers high, seven models strong
Controls, Implementation, Assessment song
CCP in the first floor
CD and SSP explore
Then APA and POA-M more
OSCAL stack from floor to floor
[Verse 2]
Implementation layer number two
Component Definition shows us through
How products meet the control demand
System Security Plan in hand
Documents the complete design
Every control mapped in line
Real world meeting policy
Security implementation spree
[Chorus]
Three layers high, seven models strong
Controls, Implementation, Assessment song
CCP in the first floor
CD and SSP explore
Then APA and POA-M more
OSCAL stack from floor to floor
[Bridge]
Assessment layer tops them all
Plan and Results standing tall
POA-M tracks the risks we find
Remediation peace of mind
From Catalog to final test
OSCAL keeps your system blessed
[Verse 3]
Assessment Plan defines the scope
Methodology gives us hope
Assessment Results document
Every finding that was sent
Plan of Action tracks the way
Milestones mark each passing day
Seven models working true
OSCAL framework seeing through
[Final Chorus]
Three layers high, seven models strong
Controls, Implementation, Assessment song
Catalog Profile Mapping floor
Component Definition and SSP explore
Assessment Plan and Results more
POA-M completes the OSCAL store
[Outro]
Stack them up from base to peak
OSCAL gives you all you seek
Seven models, three layers wide
Compliance framework by your side
13. 3 Native Traceability
[Verse 1]
In the world of compliance there's a missing link
STIG and SCAP just tell you what to think
But when findings surface you can't trace them back
To the source control through the paper stack
[Chorus]
Native traceability, machine can verify
Every finding flows upstream, no more wondering why
Catalog to Profile to SSP in line
Assessment Plan to Results, traceability by design
Follow the arrows back, follow the arrows back
Native traceability fills the compliance gap
[Verse 2]
OSCAL models import from the one before
Creating chains that weren't there before
Assessment Results point to where they came
Through System Security Plans it's not the same
[Chorus]
Native traceability, machine can verify
Every finding flows upstream, no more wondering why
Catalog to Profile to SSP in line
Assessment Plan to Results, traceability by design
Follow the arrows back, follow the arrows back
Native traceability fills the compliance gap
[Bridge]
Component Definition feeds the system plan
Assessment flows downstream as designed by human hands
But when you find an issue in the results you see
Trace it back through profiles to the catalog with ease
No more guessing games, no more manual search
Machine-verifiable paths through the research
[Verse 3]
POA and M connects to what was found
Assessment Results keep the findings sound
Every arrow points to provenance clear
The fundamental thing that STIG can't engineer
[Final Chorus]
Native traceability, machine can verify
Every finding flows upstream, no more wondering why
Catalog to Profile to SSP in line
Assessment Plan to Results, traceability by design
Follow the arrows back, follow the arrows back
Native traceability fills the compliance gap
[Outro]
When compliance fails you'll know exactly where
Native traceability shows the path was always there
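The import chain this chapter describes (Catalog to Profile to SSP) as a machine check, an added example that is not part of the curriculum: it follows each document's import to its source, resolves the profile's control selection against the catalog, then compares the SSP's implemented requirements to that baseline, flagging controls that trace nowhere. The three documents are constructed minimal OSCAL JSON carrying only the fields the check needs; the uuids and hrefs are placeholders.

```python
# Constructed, minimal OSCAL JSON documents carrying only the fields the check
# needs; the uuids and hrefs are placeholders, not real NIST content.
CATALOG = {"catalog": {"uuid": "00000000-0000-4000-8000-0000000000c1", "groups": [
    {"id": "ac", "title": "Access Control", "controls": [
        {"id": "ac-2", "title": "Account Management", "controls": [
            {"id": "ac-2.4", "title": "Automated Audit Actions"}]}]},
    {"id": "cm", "title": "Configuration Management", "controls": [
        {"id": "cm-6", "title": "Configuration Settings"}]},
    {"id": "ia", "title": "Identification and Authentication", "controls": [
        {"id": "ia-5", "title": "Authenticator Management"}]},
]}}

PROFILE = {"profile": {"uuid": "00000000-0000-4000-8000-0000000000f1", "imports": [
    {"href": "catalog.json",
     "include-controls": [{"with-ids": ["ac-2", "ac-2.4", "cm-6"]}]},
]}}

SSP = {"system-security-plan": {
    "uuid": "00000000-0000-4000-8000-0000000000a1",
    "import-profile": {"href": "profile.json"},
    "control-implementation": {"implemented-requirements": [
        {"uuid": "00000000-0000-4000-8000-0000000000e1", "control-id": "ac-2"},
        {"uuid": "00000000-0000-4000-8000-0000000000e2", "control-id": "cm-6"},
        {"uuid": "00000000-0000-4000-8000-0000000000e3", "control-id": "ia-5"},
    ]},
}}


def walk_controls(controls):
    """Yield every control id, descending into nested enhancements (control.controls)."""
    for ctl in controls:
        yield ctl["id"]
        yield from walk_controls(ctl.get("controls", []))


def catalog_control_ids(catalog):
    """All control ids a catalog offers, whether top-level or inside groups."""
    cat = catalog["catalog"]
    ids = set(walk_controls(cat.get("controls", [])))
    for group in cat.get("groups", []):
        ids |= set(walk_controls(group.get("controls", [])))
    return ids


def resolve_profile(profile, catalogs_by_href):
    """Follow each import to its catalog and collect the selected control ids.
    Returns (selected_ids, problems); a dangling href or id is a broken arrow."""
    selected, problems = set(), []
    for imp in profile["profile"].get("imports", []):
        catalog = catalogs_by_href.get(imp["href"])
        if catalog is None:
            problems.append(f"profile imports unknown source {imp['href']}")
            continue
        available = catalog_control_ids(catalog)
        if "include-all" in imp:
            selected |= available
        for sel in imp.get("include-controls", []):
            for cid in sel.get("with-ids", []):
                if cid in available:
                    selected.add(cid)
                else:
                    problems.append(f"profile selects {cid}, absent from {imp['href']}")
    return selected, problems


def trace_ssp(ssp, profiles_by_href, catalogs_by_href):
    """Walk SSP -> profile -> catalog and report where the chain is broken."""
    plan = ssp["system-security-plan"]
    href = plan["import-profile"]["href"]
    profile = profiles_by_href.get(href)
    if profile is None:
        return {"baseline": set(), "not-in-baseline": set(), "missing-from-ssp": set(),
                "problems": [f"SSP imports unknown profile {href}"]}
    baseline, problems = resolve_profile(profile, catalogs_by_href)
    implemented = {req["control-id"]
                   for req in plan["control-implementation"]["implemented-requirements"]}
    return {
        "baseline": baseline,
        "not-in-baseline": implemented - baseline,   # claimed, but no profile selected it
        "missing-from-ssp": baseline - implemented,  # selected, but nobody wrote it up
        "problems": problems,
    }
```

With the constructed documents, `trace_ssp` reports `ia-5` as implemented outside the baseline and `ac-2.4` as selected but never written up; the same href-following check extends to an assessment plan's `import-ssp` and a results file's `import-ap`.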
14. 4 What OSCAL Does That STIGs Don't
[Verse 1]
STIGs tell you how to lock one system down
Check the boxes, follow rules that they have found
But what happens when you need the bigger view?
When compliance spans across frameworks too?
OSCAL rises where the STIGs fall short
System-wide and multi-standard support
[Chorus]
Four things OSCAL does that STIGs don't know
System-level, multi-framework flow
Lifecycle management, shared responsibility
Machine-readable for true security
Assessment automation, evidence in place
Continuous monitoring keeps up the pace
[Verse 2]
Authorization lifecycle from start to end
Control selection through assessment and defend
Shared responsibility modeled in the code
Provider, customer, inherited load
No more guessing who controls what part
OSCAL makes it clear right from the start
[Chorus]
Four things OSCAL does that STIGs don't know
System-level, multi-framework flow
Lifecycle management, shared responsibility
Machine-readable for true security
Assessment automation, evidence in place
Continuous monitoring keeps up the pace
[Bridge]
Gone are three hundred page documents
Word files that nobody implements
Structured data drives the tools we need
Assessment workflows automated indeed
Evidence attached in back-matter clean
Best compliance model we've ever seen
[Verse 3]
FedRAMP, CMMC, SOC 2 at once
Single dataset handles every hunt
Point-in-time snapshots are yesterday's game
Continuous findings keep security's flame
Observation models capture what you find
Ongoing monitoring peace of mind
[Chorus]
Four things OSCAL does that STIGs don't know
System-level, multi-framework flow
Lifecycle management, shared responsibility
Machine-readable for true security
Assessment automation, evidence in place
Continuous monitoring keeps up the pace
[Outro]
When you need more than configuration rules
OSCAL gives you comprehensive tools
System-wide compliance made to last
OSCAL's the future, STIGs are the past
15. 5 What OSCAL Doesn't Do That STIGs Do
[Verse 1]
OSCAL sets the framework, draws the bigger scene
Documents the policies, keeps the governance clean
But when you need specifics, configuration details
OSCAL won't tell you where your system setup fails
[Chorus]
OSCAL doesn't scan your code
Doesn't build the fix-it mode
Doesn't set your password length
STIGs provide that deeper strength
Three things OSCAL leaves behind
Product configs you must find
Scanning tools and scripts to heal
OSCAL maps but doesn't feel
[Verse 2]
Your pwquality dot conf needs a minimum length
But OSCAL won't specify what gives your passwords strength
No product-specific guidance in its structured frame
It documents the standards but won't configure your game
[Chorus]
OSCAL doesn't scan your code
Doesn't build the fix-it mode
Doesn't set your password length
STIGs provide that deeper strength
Three things OSCAL leaves behind
Product configs you must find
Scanning tools and scripts to heal
OSCAL maps but doesn't feel
[Verse 3]
When scanning time arrives to check your system state
OSCAL won't run the tools that validate
SCAP tools do the heavy lifting, probe your server's core
While OSCAL holds the blueprint but won't walk through your door
[Bridge]
ComplianceAsCode generates the Ansible plays
Bash scripts for remediation, fixes for your days
But OSCAL stays above it all, governance in view
Documents the what and why, not the how-to-do
[Verse 4]
STIGs give you remediation, scripts that make it right
OSCAL shows the bigger picture, governance insight
One layer documents control, the other makes it real
Together they're the answer but they each have their appeal
[Chorus]
OSCAL doesn't scan your code
Doesn't build the fix-it mode
Doesn't set your password length
STIGs provide that deeper strength
Three things OSCAL leaves behind
Product configs you must find
Scanning tools and scripts to heal
OSCAL maps but doesn't feel
[Outro]
Know the boundaries, know the roles
OSCAL governs, STIGs control
Each has purpose, each has place
In your compliance interface
16. 1 The Unified Compliance Stack
[Verse 1]
At the bottom lie our systems real and true
Servers, databases, and cloud services too
Network devices running day and night
These are the things we need to keep secure and right
[Chorus]
Stack it up, stack it up, layer by layer
STIG and SCAP, OSCAL makes it clearer
From systems up to authorization's call
Six layers strong in the compliance wall
Stack it up, stack it up, unified and whole
Each layer plays its vital role
[Verse 2]
STIG rules define the technical way
SCAP benchmarks guide us day by day
Scan results prove our settings are right
Product configurations shining bright
[Chorus]
Stack it up, stack it up, layer by layer
STIG and SCAP, OSCAL makes it clearer
From systems up to authorization's call
Six layers strong in the compliance wall
Stack it up, stack it up, unified and whole
Each layer plays its vital role
[Verse 3]
Controls layer brings the catalog to life
Profile cuts through regulatory strife
These are the controls that apply to me
With parameter values set precisely
[Bridge]
Implementation tells our story complete
Component definitions make the suite
System Security Plan ties it together neat
Shows how every control we meet
[Verse 4]
Assessment layer documents the test
Plan and results put us to the test
POA and M for gaps we find
Fixes planned with deadline in mind
[Chorus]
Stack it up, stack it up, layer by layer
STIG and SCAP, OSCAL makes it clearer
From systems up to authorization's call
Six layers strong in the compliance wall
Stack it up, stack it up, unified and whole
Each layer plays its vital role
[Outro]
Authorizing Official at the top
Grants the ATO or makes it stop
Six layers unified from ground to sky
That's how compliance reaches high
17. 2 How STIG Evidence Flows Into OSCAL
[Verse 1]
Every STIG rule carries a key inside
CCI numbers bridge the divide
Three-six-six maps to CM control six
Configuration settings in the mix
Product-specific rules find their way
To framework controls where they'll stay
[Chorus]
Evidence flows from STIG to OSCAL
Step by step, it connects them all
CCI maps the rules, SCAP scans provide proof
Component definitions build the roof
SSP ties it together in the end
Evidence flows, compliance won't bend
[Verse 2]
SCAP scans run and show the truth
Which rules passed, which need proof
XCCDF results become the gold
Evidence attachments to behold
Observations turn to findings clear
GRC tooling makes it appear
[Chorus]
Evidence flows from STIG to OSCAL
Step by step, it connects them all
CCI maps the rules, SCAP scans provide proof
Component definitions build the roof
SSP ties it together in the end
Evidence flows, compliance won't bend
[Bridge]
Component definitions shine the light
RHEL nine configured just right
When STIG's applied the component shows
AC-two, AU-three, that's how it goes
CM-six, IA-five, controls align
Import the component, everything's fine
[Verse 3]
SSP authors bring it all together now
Profile baseline tells them how
Import components, document the way
Each control satisfied day by day
STIG compliance as the mechanism
SCAP results verify the system
[Chorus]
Evidence flows from STIG to OSCAL
Step by step, it connects them all
CCI maps the rules, SCAP scans provide proof
Component definitions build the roof
SSP ties it together in the end
Evidence flows, compliance won't bend
[Outro]
Four steps make the journey complete
From STIG rules to evidence neat
CCI bridges, SCAP transforms
Components define, SSP performs
Evidence flows in perfect line
STIG to OSCAL by design
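The four-step flow this chapter sings (CCI bridges, SCAP transforms, components define, SSP performs), and the scanner-to-results leg of the workflow in chapter 4, in working code: an added example that is not the curriculum's own material. It parses a constructed XCCDF TestResult, bridges each rule to its NIST SP 800-53 control through the rule's CCI, rolls the rule results up to a satisfied or not-satisfied state, and emits simplified OSCAL assessment-results findings with one observation per scanned rule. The CCI table is a hand-copied excerpt, the finding shape is simplified, and the SV-1000xx rule ids are placeholders.

```python
import uuid
import xml.etree.ElementTree as ET
from collections import defaultdict

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
CCI_SYSTEM = "http://cyber.mil/cci"

# Hand-copied excerpt of the DISA CCI -> NIST SP 800-53 mapping; a real pipeline
# loads the full CCI list. Verify any entry before relying on it.
CCI_TO_CONTROL = {
    "CCI-000366": "cm-6",    # configuration settings
    "CCI-000205": "ia-5.1",  # minimum password length
    "CCI-000130": "au-3",    # audit record content
    "CCI-000018": "ac-2.4",  # automated audit of account creation
}

# Constructed XCCDF 1.2 TestResult; the SV-1000xx rule ids are placeholders, not real STIG ids.
SAMPLE_RESULTS = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_1">
  <rule-result idref="xccdf_example_rule_SV-100001r1_rule">
    <result>pass</result><ident system="http://cyber.mil/cci">CCI-000366</ident>
  </rule-result>
  <rule-result idref="xccdf_example_rule_SV-100002r1_rule">
    <result>fail</result><ident system="http://cyber.mil/cci">CCI-000205</ident>
  </rule-result>
  <rule-result idref="xccdf_example_rule_SV-100003r1_rule">
    <result>notchecked</result><ident system="http://cyber.mil/cci">CCI-000130</ident>
  </rule-result>
  <rule-result idref="xccdf_example_rule_SV-100004r1_rule">
    <result>fixed</result><ident system="http://cyber.mil/cci">CCI-000366</ident>
    <ident system="http://cyber.mil/cci">CCI-999999</ident>
  </rule-result>
  <rule-result idref="xccdf_example_rule_SV-100005r1_rule">
    <result>pass</result><ident system="http://cyber.mil/cci">CCI-999998</ident>
  </rule-result>
</TestResult>"""

FAILING, MANUAL = {"fail", "error", "unknown"}, {"notchecked", "informational"}
IGNORED = {"notapplicable", "notselected"}   # no evidence either way


def parse_rule_results(xml_text):
    """One dict per rule-result: rule id, XCCDF result string, and the rule's CCIs."""
    root = ET.fromstring(xml_text)
    out = []
    for rr in root.iterfind(".//x:rule-result", XCCDF_NS):
        result = rr.findtext("x:result", default="notchecked", namespaces=XCCDF_NS)
        ccis = [i.text.strip() for i in rr.findall("x:ident", XCCDF_NS)
                if i.get("system") == CCI_SYSTEM and i.text]
        out.append({"rule": rr.get("idref"), "result": result.strip(), "ccis": ccis})
    return out


def group_by_control(rule_results):
    """Bridge rules to 800-53 controls through CCIs; list rules that trace to nothing."""
    by_control, unmapped = defaultdict(list), []
    for rr in rule_results:
        if rr["result"] in IGNORED:
            continue
        controls = {CCI_TO_CONTROL[c] for c in rr["ccis"] if c in CCI_TO_CONTROL}
        if not controls:
            unmapped.append(rr["rule"])   # scan evidence nobody can claim in the SSP
        for ctl in sorted(controls):
            by_control[ctl].append(rr)
    return dict(by_control), unmapped


def control_state(rrs):
    """Roll rule results up to a finding state: one failure sinks the control, and an
    unchecked rule blocks 'satisfied' until a human reviews it."""
    results = {r["result"] for r in rrs}
    if results & FAILING:
        return "not-satisfied", "one or more STIG rules failed"
    if results & MANUAL:
        return "not-satisfied", "SCAP could not check every rule; manual review pending"
    return "satisfied", "all mapped STIG rules passed"


def build_findings(by_control):
    """Simplified OSCAL assessment-results findings, one observation per scanned rule."""
    findings = []
    for ctl, rrs in sorted(by_control.items()):
        state, why = control_state(rrs)
        obs = [{"uuid": str(uuid.uuid5(uuid.NAMESPACE_URL, r["rule"])),
                "description": f"{r['rule']} -> {r['result']}",
                "methods": ["TEST"]} for r in rrs]
        findings.append({
            "uuid": str(uuid.uuid5(uuid.NAMESPACE_URL, "finding/" + ctl)),
            "title": f"STIG evidence for {ctl.upper()}",
            "description": why,
            "target": {"type": "objective-id", "target-id": f"{ctl}_obj",
                       "status": {"state": state}},
            "related-observations": [{"observation-uuid": o["uuid"]} for o in obs],
        })
    return findings
```

On the constructed scan, CM-6 comes out satisfied from two passing rules, IA-5(1) not-satisfied from the failed password-length rule, AU-3 held at not-satisfied pending manual review, and the rule carrying only an unknown CCI is reported as unmapped evidence.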
18. 3 The ComplianceAsCode Project
[Verse 1]
There's a bridge between the old and new way
STIG meets OSCAL in the light of day
ComplianceAsCode is the name we know
Used to be called SSG, watch it grow
Open source repository, community wide
Red Hat and agencies working side by side
Security content for every platform
Converting compliance to a common form
[Chorus]
One source, many outputs, that's the key
SCAP and OSCAL living in harmony
ComplianceAsCode builds the bridge we need
From legacy STIGs to modern feed
Generate, translate, automate the way
One source, many outputs, every day
[Verse 2]
From a single source it generates them all
SCAP data streams that answer the call
XCCDF and OVAL for the scanning phase
Ansible playbooks for automated ways
Bash scripts running remediation fast
Puppet and Chef InSpec built to last
IBM Trestle helps create the flow
OSCAL components ready to go
[Chorus]
One source, many outputs, that's the key
SCAP and OSCAL living in harmony
ComplianceAsCode builds the bridge we need
From legacy STIGs to modern feed
Generate, translate, automate the way
One source, many outputs, every day
[Bridge]
Dozens of platforms, all covered here
Making compliance crystal clear
The practical tool that makes it real
Converting content with mass appeal
Community driven, standards aligned
Bridging the gap between old and refined
[Chorus]
One source, many outputs, that's the key
SCAP and OSCAL living in harmony
ComplianceAsCode builds the bridge we need
From legacy STIGs to modern feed
Generate, translate, automate the way
One source, many outputs, every day
[Outro]
ComplianceAsCode, the bridge is built
STIG to OSCAL, no more guilt
One repository, formats for all
Answering security's modern call
19. 4 Practical Integration Patterns
[Verse 1]
Start with your system boundary defined
List every product that you can find
Match each component to its STIG guide
OSCAL definitions by your side
Import them all into your SSP
Document the gaps for policy
[Chorus]
Four patterns weaving STIG and OSCAL tight
Pattern one through four, get compliance right
From SSP authoring to monitoring flow
These integration patterns help your security grow
[Verse 2]
Run your SCAP scans across the fleet
XCCDF results make the cycle complete
Transform those findings into OSCAL form
Assessment results keep evidence warm
Map every finding to control objectives
POA and M entries stay selective
[Chorus]
Four patterns weaving STIG and OSCAL tight
Pattern one through four, get compliance right
From SSP authoring to monitoring flow
These integration patterns help your security grow
[Bridge]
Schedule your scans on DoD time
Weekly monthly keep in line
Pipeline processes delta changes
New and closed findings it arranges
Dashboard shows your risk posture clear
OSCAL based monitoring year after year
[Verse 3]
Pattern three completes the automation
Continuous monitoring across the nation
Pattern four builds on what we've learned
Making sure no stone's left unturned
From component definitions to live assessment
These patterns ensure your security investment
[Chorus]
Four patterns weaving STIG and OSCAL tight
Pattern one through four, get compliance right
From SSP authoring to monitoring flow
These integration patterns help your security grow
[Outro]
STIG informed authoring leads the way
SCAP to OSCAL every day
Continuous monitoring never sleeps
Integration patterns your security keeps
20. 5 CCI: The Rosetta Stone
[Verse 1]
In the world of compliance there's a bridge we need
Between the STIG rules and controls that we read
DISA built a system to connect the dots
Control Correlation Identifiers tie up loose knots
Each CCI maps to one control statement clean
While STIG rules reference what the numbers mean
Multiple products can share the same code
When they implement controls on the same road
[Chorus]
CCI is the Rosetta Stone
Translation key we've always known
From STIG to NIST it shows the way
One identifier lights the pathway
CCI one four five three tells the tale
How encryption keeps our systems safe and well
The bridge between compliance worlds so wide
CCI is our trusty guide
[Verse 2]
Take RHEL zero eight zero one zero four zero zero
DOD approved encryption is the hero
Maps to CCI one thousand four five three
Which points to AC seventeen part two you see
Protection of confidentiality and integrity
Using encryption for our network security
The chain connects from rule to control clean
OSCAL SSP shows what it all means
[Chorus]
CCI is the Rosetta Stone
Translation key we've always known
From STIG to NIST it shows the way
One identifier lights the pathway
CCI one four five three tells the tale
How encryption keeps our systems safe and well
The bridge between compliance worlds so wide
CCI is our trusty guide
[Bridge]
Component RHEL eight server in the frame
Implementation status plays the game
Evidence provided through the STIG requirement
FIPS validated crypto shows compliance achievement
One CCI to many STIG rules can relate
When products implement controls at the same rate
The identifier shows which statement applies
No more guessing no more compliance lies
[Chorus]
CCI is the Rosetta Stone
Translation key we've always known
From STIG to NIST it shows the way
One identifier lights the pathway
CCI one four five three tells the tale
How encryption keeps our systems safe and well
The bridge between compliance worlds so wide
CCI is our trusty guide
[Outro]
When STIG meets OSCAL and the mapping's unclear
Just find the CCI and the path will appear
DISA's gift to compliance teams everywhere
The Rosetta Stone that shows us how to care
21. 1 STIG/SCAP Format Stack
[Verse 1]
In the world of compliance checking today
There's a stack that shows us the STIG way
XCCDF Benchmark sits up on top
Defining the rules that make systems stop
XML structure holds it all in place
Benchmarks and profiles set the pace
Groups contain rules with severity high
Each one numbered with an ID
[Chorus]
STIG stack climbing from bottom to top
OVAL defines where the checking won't stop
XCCDF Benchmark sets the standard clear
Results flow back when the tests appear
Format stack, format stack
SCAP components working back to back
Benchmark, rules, and OVAL too
STIG compliance coming through
[Verse 2]
Profile selects which rules to run
MAC-One Classified when security's done
Rule ID shows the specific test
SV numbers put controls to rest
Title tells you what must be true
RHEL Eight crypto FIPS won't do
Description explains the reasoning why
Check content makes the system comply
[Chorus]
STIG stack climbing from bottom to top
OVAL defines where the checking won't stop
XCCDF Benchmark sets the standard clear
Results flow back when the tests appear
Format stack, format stack
SCAP components working back to back
Benchmark, rules, and OVAL too
STIG compliance coming through
[Bridge]
Check system points to OVAL down below
Content reference tells us where to go
When the test runs results come back
Pass or fail upon this track
Fix element shows the remedy
CCI ident links to NIST taxonomy
Test result captures what was found
STIG format keeps systems sound
[Chorus]
STIG stack climbing from bottom to top
OVAL defines where the checking won't stop
XCCDF Benchmark sets the standard clear
Results flow back when the tests appear
Format stack, format stack
SCAP components working back to back
Benchmark, rules, and OVAL too
STIG compliance coming through
[Outro]
From benchmark down to OVAL's core
STIG format gives us so much more
Structured compliance in XML
The SCAP stack serves security well
22. 2 OSCAL Format Stack
[Verse 1]
Component Definition starts the show
Software systems need a way to go
From STIG requirements to implementation code
Red Hat Enterprise Linux on the road
UUID identifies each piece we build
Control implementations get fulfilled
Source points to profiles that define the way
FedRAMP High compliance here to stay
[Chorus]
Stack them up, OSCAL format stack
Component first, Assessment tracks back
Evidence flows from SCAP to findings clear
Implementation statement makes it all appear
Stack them up, format by format
Documentation layers where compliance is at
[Verse 2]
Assessment Results come next in line
Observations capture what we find
Methods show us how the testing's done
SCAP scans tell us when the work is won
Relevant evidence points the way
OpenSCAP results from testing day
XCCDF benchmark version two R one
RHEL nine STIG scanning has begun
[Chorus]
Stack them up, OSCAL format stack
Component first, Assessment tracks back
Evidence flows from SCAP to findings clear
Implementation statement makes it all appear
Stack them up, format by format
Documentation layers where compliance is at
[Bridge]
Findings link the target to the proof
Objective ID becomes the truth
Implementation statement UUID connects
Component Definition to what we expect
Related observations tie it tight
Assessment evidence shines the light
[Verse 3]
From component type of software kind
To cryptography that's FIPS-aligned
AC seventeen point two control ID
Enforced through STIG methodology
Six seven one zero one zero rule
RHEL nine configuration tool
[Final Chorus]
Stack them up, OSCAL format stack
Component first, Assessment tracks back
Evidence flows from SCAP to findings clear
Implementation statement makes it all appear
Stack them up, two formats unite
OSCAL documentation done right
[Outro]
Component Definition shows the way
Assessment Results prove compliance today
Stack them up, stack them high
OSCAL formats reaching for the sky
23. 3 Schema Comparison
[Verse 1]
In the world of schemas, two paths divide
XML Schema on the STIG side
XCCDF and OVAL, defined in XSD
While OSCAL takes a different key
Metaschema generates what you need
Both XSD and JSON Schema freed
[Chorus]
Schema showdown, pick your way
XML only versus three-format play
STIG says XSD, one path to go
OSCAL's metaschema lets formats flow
JSON, XML, YAML too
Lossless conversion sees you through
[Verse 2]
Serialization tells the tale
STIG keeps XML without fail
But OSCAL breaks the single chain
JSON, XML, YAML domain
Convert between them, nothing lost
Flexibility without the cost
[Chorus]
Schema showdown, pick your way
XML only versus three-format play
STIG says XSD, one path to go
OSCAL's metaschema lets formats flow
JSON, XML, YAML too
Lossless conversion sees you through
[Verse 3]
Validation tools help you check
OpenSCAP keeps STIG in spec
xmllint for the XML way
OSCAL CLI starts your day
JSON validators join the game
Any schema tool can stake its claim
[Bridge]
Extensibility sets them apart
STIG's tailoring files, limited start
OSCAL opens every door
Properties, annotations, links and more
Back-matter gives you room to grow
Rich extensions steal the show
[Verse 4]
Identifiers mark the trail
Rule IDs where STIGs prevail
CCIs and OVAL definitions too
OSCAL takes a different view
UUIDs everywhere you see
RFC four-one-two-two, version three
[Chorus]
Schema showdown, pick your way
XML only versus three-format play
STIG says XSD, one path to go
OSCAL's metaschema lets formats flow
JSON, XML, YAML too
Lossless conversion sees you through
[Verse 5]
Versioning tracks the change
STIG benchmarks in their range
V-two-R-one, release by name
OSCAL plays a different game
Root UUID shifts with every edit
Metadata keeps the history credited
[Outro]
From XML Schema to metaschema's might
Choose your format, choose your flight
STIG or OSCAL, now you know
How their schemas help them grow
24. 1 Who Cares About STIGs
[Verse 1]
System administrators wake up every morning
Hardening servers with STIG configurations
Running SCAP scans to check their compliance warnings
Making sure systems meet security specifications
[Verse 2]
Security engineers selecting what applies
Managing exceptions when standards can't be met
Interpreting results with their trained expert eyes
Choosing the right STIGs without any regret
[Chorus]
Who cares about STIGs, who needs them today
System admins, security teams show the way
ISSM and ISSO keeping watch from above
Vendors and auditors, STIGs are what they love
Who cares about STIGs, everyone plays their part
Making systems secure right from the start
[Verse 3]
Information System Security Managers lead
Overseeing compliance across every machine
ISSO partners help fulfill the need
Managing checklist evidence kept clean
[Verse 4]
Vendors and developers work with DISA's crew
Building STIGs for products they create
Ensuring their software can meet standards too
Requirements their systems can accommodate
[Chorus]
Who cares about STIGs, who needs them today
System admins, security teams show the way
ISSM and ISSO keeping watch from above
Vendors and auditors, STIGs are what they love
Who cares about STIGs, everyone plays their part
Making systems secure right from the start
[Bridge]
Auditors inspect the checklist results
Reviewing SCAP findings line by line
Each role has purpose, no one insults
Working together by security design
[Chorus]
Who cares about STIGs, who needs them today
System admins, security teams show the way
ISSM and ISSO keeping watch from above
Vendors and auditors, STIGs are what they love
Who cares about STIGs, everyone plays their part
Making systems secure right from the start
[Outro]
Five key players in the STIG game
Each one essential, each one the same
Security's strength comes from their combined frame
Who cares about STIGs, everyone knows the name
25. 2 Who Cares About OSCAL
[Verse 1]
When compliance gets complex and the paperwork grows
Every stakeholder needs structure that clearly shows
From the SSP author writing security plans
To the cloud service provider serving enterprise demands
[Chorus]
Who cares about OSCAL? Everyone in the chain
Authors and assessors, vendors feeling the pain
Standardized and structured, machine-readable too
OSCAL makes compliance work for me and you
[Verse 2]
GRC tool vendors building platforms that scale
Need consistent formats that will never fail
Assessors and three-P-A-Os create their plans
Document all their findings with structured commands
[Chorus]
Who cares about OSCAL? Everyone in the chain
Authors and assessors, vendors feeling the pain
Standardized and structured, machine-readable too
OSCAL makes compliance work for me and you
[Verse 3]
Authorizing officials need packages they can trust
Machine-validatable content is really a must
Cloud providers publish components defined
FedRAMP packages formatted and aligned
[Bridge]
Compliance consultants building SSPs with care
Managing lifecycles, frameworks everywhere
Policy authors writing catalogs and baselines clean
Most readable format the industry's seen
[Chorus]
Who cares about OSCAL? Everyone in the chain
Authors and assessors, vendors feeling the pain
Standardized and structured, machine-readable too
OSCAL makes compliance work for me and you
[Outro]
From creation to assessment to authorization day
OSCAL serves the stakeholders in every way
One format to rule them, one standard so true
OSCAL makes compliance work for me and you
26. 3 Who Needs Both
[Verse 1]
DoD system owners face a double bind
Technical hardening and docs combined
STIG controls lock down every machine
OSCAL packages keep the records clean
Product level compliance is just the start
Authorization papers play their part
[Chorus]
Who needs both, who needs both
STIG and OSCAL oath by oath
Technical depth and governance height
Both together make it right
Who needs both, can't choose one side
Hardening specs and docs collide
[Verse 2]
FedRAMP providers know this game so well
Infrastructure STIGs they know by smell
But PMO wants packages formatted clean
OSCAL structures for the compliance scene
Cloud service providers bridge the gap
Between the hardening and the paperwork map
[Chorus]
Who needs both, who needs both
STIG and OSCAL oath by oath
Technical depth and governance height
Both together make it right
Who needs both, can't choose one side
Hardening specs and docs collide
[Verse 3]
CMMC contractors seeking their certification
STIG hardening for CUI information
Assessment documentation needs OSCAL form
Two different languages, both are the norm
Defense contractors learn this bitter truth
Both frameworks needed as compliance proof
[Bridge]
GRC platforms bridge the divide
SCAP results flowing inside
Transforming technical data streams
Into OSCAL governance dreams
Consultants working federal ground
Master both or you'll be found
[Chorus]
Who needs both, who needs both
STIG and OSCAL oath by oath
Technical depth and governance height
Both together make it right
Who needs both, can't choose one side
Hardening specs and docs collide
[Outro]
Technical layer, governance layer
Both required for the prayer
STIG and OSCAL hand in hand
Compliance across the land
27. 1 DoD / CMMC Context
[Verse 1]
In the world of DoD networks, there's a rule you need to know
Every system on the DoDIN has a path it has to go
STIGs are mandatory, no exceptions to the game
Hardening every server with security's true name
[Chorus]
STIG to OSCAL, mapping all the way
CCI to eight-oh-three, controls that guide our day
CMMC practices flow from NIST's guiding light
Documentation structured, machine-readable and tight
[Verse 2]
From NIST eight-oh-one-seventy-one the practices begin
Mapping up to eight-oh-five-three where controls kick in
Controls become CCIs, then STIG rules take their place
Every step connected in this cybersecurity space
[Chorus]
STIG to OSCAL, mapping all the way
CCI to eight-oh-three, controls that guide our day
CMMC practices flow from NIST's guiding light
Documentation structured, machine-readable and tight
[Bridge]
Assessment documentation's changing how we prove
OSCAL's structured formats help our compliance groove
Level Two and higher need a double-sided plan
Hardened STIG systems plus docs that prove you can
[Verse 3]
Implementation evidence in formats machines read
OSCAL's value proposition feeds the compliance need
Both the technical hardening and the paperwork that shows
Your organization follows where the security road goes
[Chorus]
STIG to OSCAL, mapping all the way
CCI to eight-oh-three, controls that guide our day
CMMC practices flow from NIST's guiding light
Documentation structured, machine-readable and tight
[Outro]
Two sides of the same coin in the DoD domain
STIG hardens your systems, OSCAL proves your game
Together they're the future of compliance done right
Security and documentation shining bright
28. 2 FedRAMP Context
[Verse 1]
In twenty twenty-two the clouds began to shift
AWS submitted something quite a gift
First OSCAL formatted SSP arrived
At FedRAMP PMO, automation came alive
Baselines now published as profiles we can read
Machine-readable standards, that's exactly what we need
[Chorus]
FedRAMP twenty-x is pushing toward the goal
Automated continuous authorization on a roll
SSP SAP SAR and POA&M too
OSCAL templates waiting there for you
High baselines need STIG beneath the surface still
Infrastructure compliance, that's the underlying drill
[Verse 2]
Remember the four letters that matter most today
System Security Plan leads the compliance way
Security Assessment Plan comes next in line
Security Assessment Report shows if you're doing fine
Plan of Action and Milestones rounds out the set
OSCAL format makes them easier to get
[Chorus]
FedRAMP twenty-x is pushing toward the goal
Automated continuous authorization on a roll
SSP SAP SAR and POA&M too
OSCAL templates waiting there for you
High baselines need STIG beneath the surface still
Infrastructure compliance, that's the underlying drill
[Bridge]
Profiles define the baseline requirements clear
Templates structure documents we hold dear
Continuous monitoring through automation's lens
Machine-readable compliance that never ends
[Verse 3]
When you're building systems for the federal space
OSCAL and STIG work together face to face
Profiles at the top and hardening below
That's the modern way that compliance has to go
[Chorus]
FedRAMP twenty-x is pushing toward the goal
Automated continuous authorization on a roll
SSP SAP SAR and POA&M too
OSCAL templates waiting there for you
High baselines need STIG beneath the surface still
Infrastructure compliance, that's the underlying drill
[Outro]
From AWS to everyone who follows suit
OSCAL-based compliance is the modern route
29. 3 Civilian Federal / FISMA Context
[Verse 1]
In the federal space where security reigns
NIST RMF sets the governing chains
Eight hundred thirty seven shows the way
How to manage risk every single day
OSCAL models all the documentation
Structured data for the entire nation
[Chorus]
RMF governs, OSCAL models the flow
STIGs and benchmarks tell us what to know
Agencies demanding structured artifacts
FISMA compliance, these are all the facts
Document it right, automate the game
Federal security will never be the same
[Verse 2]
STIGs from DISA bring the hardening guide
Technical baselines that we can't hide
CIS Benchmarks offer another path
Both give us standards to avoid security's wrath
Choose your baseline, make it crystal clear
Technical controls that agencies hold dear
[Chorus]
RMF governs, OSCAL models the flow
STIGs and benchmarks tell us what to know
Agencies demanding structured artifacts
FISMA compliance, these are all the facts
Document it right, automate the game
Federal security will never be the same
[Bridge]
Gone are the days of Word docs and PDFs
Machine readable formats reduce the stress
JSON and YAML in OSCAL's embrace
Automation flowing at government pace
Components and catalogs, profiles defined
Structured security for peace of mind
[Verse 3]
Federal agencies now expect the change
OSCAL artifacts across the range
Assessment plans and system security plans
Implementation guides in structured hands
The future is here, no turning back
OSCAL compliance keeps you on track
[Final Chorus]
RMF governs, OSCAL models the flow
STIGs and benchmarks tell us what to know
Agencies requiring structured artifacts
FISMA compliance, now those are the facts
Document it right, automate the game
Federal security has changed the game
[Outro]
NIST and DISA working hand in hand
OSCAL transformation across the land
30. 4 Private Sector Context
[Verse 1]
In the private sector world, defense STIGs don't reign
CIS Benchmarks take the lead when security's the game
Defense contractors know the drill, but most companies choose
Industry standard frameworks that better fit their use
[Chorus]
CIS leads the way, when STIGs fade away
OSCAL grows each day, multi-framework play
Assess once report many, saves time and money
Private sector's calling, compliance is sprawling
[Verse 2]
SOC 2 for your service trust, HIPAA for your health
PCI DSS guards the cards, regulatory wealth
Juggling all these frameworks used to be a pain
Until OSCAL came along to break the compliance chain
[Chorus]
CIS leads the way, when STIGs fade away
OSCAL grows each day, multi-framework play
Assess once report many, saves time and money
Private sector's calling, compliance is sprawling
[Bridge]
One assessment feeds them all
Common format breaks the wall
JSON structures hold the key
Cross-framework harmony
[Verse 3]
Enterprise organizations with complex compliance needs
See OSCAL as the answer when efficiency succeeds
Map your controls once and then deploy across the board
Multi-framework paradise, efficiency restored
[Chorus]
CIS leads the way, when STIGs fade away
OSCAL grows each day, multi-framework play
Assess once report many, saves time and money
Private sector's calling, compliance is sprawling
[Outro]
From defense to private ground
OSCAL's benefits are found
Assess once report many
The future's here for any
31. 5 Canadian Defence / CPCSC Context
[Verse 1]
North of the border, cyber rules are changing fast
CPCSC emerging from the lessons of the past
Drawing from CMMC concepts, building something new
Canadian defense contractors need compliance that rings true
[Chorus]
Map it once, comply twice, OSCAL makes it right
Single dataset, dual frameworks, shining bright
CPCSC and CMMC, STIG compliance too
Framework agnostic magic, one source pulls you through
[Verse 2]
When Canadian contractors touch US DoD space
STIG compliance matters for that interop embrace
Systems talking to each other across the friendly line
Need security controls that properly align
[Chorus]
Map it once, comply twice, OSCAL makes it right
Single dataset, dual frameworks, shining bright
CPCSC and CMMC, STIG compliance too
Framework agnostic magic, one source pulls you through
[Bridge]
Dual compliance scenarios, that's where OSCAL shines
Multi-framework mapping across national lines
One control catalog expressing both requirements
No duplicate effort, no compliance clearance
[Verse 3]
Assessment results flowing to both nations' needs
Component definitions planting compliance seeds
System security plans that speak multiple tongues
OSCAL automation keeps the process young
[Chorus]
Map it once, comply twice, OSCAL makes it right
Single dataset, dual frameworks, shining bright
CPCSC and CMMC, STIG compliance too
Framework agnostic magic, one source pulls you through
[Outro]
Canadian defense in the digital age
OSCAL writes the compliance page
Cross-border security, unified and strong
That's how we sing the OSCAL song
32. 1 STIG/SCAP Tools
[Verse 1]
DISA STIG Viewer on your desktop screen
Managing checklists, keeping systems clean
CKL files organized in perfect rows
Import SCAP results, watch compliance grow
[Verse 2]
OpenSCAP from the command line runs
XCCDF benchmarks till the scanning's done
Reports and results in structured form
Evaluating systems through every storm
[Chorus]
Eight tools to master, compliance made clear
STIG Viewer, OpenSCAP, keeping risks from here
Workbench for GUI, SCC for DoD way
ComplianceAsCode generating night and day
Ansible automating, OpenRMF tracking too
eMASS for the enterprise, security breaking through
[Verse 3]
SCAP Workbench brings the GUI delight
Interactive scanning, profiles customized right
Built on OpenSCAP but visual and clean
Best of both worlds in the compliance scene
[Verse 4]
DISA SCC is the official choice
DoD SCAP Compliance Checker, the trusted voice
Scanner built for government grade
Meeting standards that will never fade
[Chorus]
Eight tools to master, compliance made clear
STIG Viewer, OpenSCAP, keeping risks from here
Workbench for GUI, SCC for DoD way
ComplianceAsCode generating night and day
Ansible automating, OpenRMF tracking too
eMASS for the enterprise, security breaking through
[Bridge]
ComplianceAsCode, the content king
Single source generating everything
SCAP and Ansible, Bash and OSCAL too
One project making compliance new
[Verse 5]
Ansible STIG roles automate the night
Apply those settings, make security tight
Vendor maintained or ComplianceAsCode born
Configuration management from dusk until dawn
[Verse 6]
OpenRMF web app tracks it all
Manages checklists, standing tall
SCAP results imported, compliance tracked
Systems monitored, nothing cracked
[Verse 7]
eMASS platform, DoD's own way
Enterprise Mission Assurance every day
RMF management, official and true
Government standard seeing projects through
[Outro]
From desktop viewers to enterprise scale
Eight tools ensure you'll never fail
STIG and SCAP working hand in hand
Compliance mastery across the land
33. 2 OSCAL Tools
[Verse 1]
When OSCAL documents need checking and care
NIST CLI is the tool that's always there
Validate your format, convert with ease
Command line power puts your mind at ease
From JSON to XML, back and forth it goes
Making sure your compliance properly flows
[Chorus]
Two tools to remember, CLI and Trestle
NIST validates while IBM helps you wrestle
Every artifact, every bridge you need
OSCAL tools that help you succeed
Validate, convert, create and generate
These tools make compliance first-rate
[Verse 2]
IBM Trestle brings the library might
CLI commands and code that works just right
Create your artifacts from the ground up high
Bridge from SCAP to OSCAL, watch it fly
Generate the documents your project needs
Trestle plants compliance like fertile seeds
[Chorus]
Two tools to remember, CLI and Trestle
NIST validates while IBM helps you wrestle
Every artifact, every bridge you need
OSCAL tools that help you succeed
Validate, convert, create and generate
These tools make compliance first-rate
[Bridge]
NIST keeps it simple, validation clean
IBM goes further than you've ever seen
Open source power in your terminal window
Making OSCAL workflow smooth as you go
[Verse 3]
Command line warriors, these tools are your friends
From document start to compliance that never ends
NIST CLI checks, Trestle creates the way
Together they power your OSCAL day
[Chorus]
Two tools to remember, CLI and Trestle
NIST validates while IBM helps you wrestle
Every artifact, every bridge you need
OSCAL tools that help you succeed
Validate, convert, create and generate
These tools make compliance first-rate
[Outro]
When compliance calls and standards are due
OSCAL tools will see you through
34. 3 Tools That Bridge Both Worlds
[Verse 1]
When STIG and OSCAL worlds collide
You need a bridge to cross the divide
ComplianceAsCode leads the way
From single source to dual display
SCAP data streams and component definitions too
Same content base, two formats shining through
[Chorus]
Four tools that bridge, four tools that bind
STIG to OSCAL, peace of mind
ComplianceAsCode, Trestle, RegScale, OpenRMF
Building bridges, that's enough
Convert and manage, scan and export
Bridging worlds with strong support
[Verse 2]
IBM Trestle takes the stage
Converting STIG to OSCAL page
Pipeline management, CI CD flow
OSCAL artifacts wherever you go
From legacy checklists to modern frames
Trestle transforms the compliance games
[Chorus]
Four tools that bridge, four tools that bind
STIG to OSCAL, peace of mind
ComplianceAsCode, Trestle, RegScale, OpenRMF
Building bridges, that's enough
Convert and manage, scan and export
Bridging worlds with strong support
[Verse 3]
RegScale ingests those SCAP results
Transforms the data, no defaults
OSCAL formatted documentation
Automated compliance generation
Scan results flowing, reports refined
Bridging gaps by design
[Bridge]
OpenRMF manages every checklist
STIG workflows you cannot miss
Export to formats OSCAL can consume
Breaking down that legacy gloom
Four solutions, one shared goal
Making compliance systems whole
[Chorus]
Four tools that bridge, four tools that bind
STIG to OSCAL, peace of mind
ComplianceAsCode, Trestle, RegScale, OpenRMF
Building bridges, that's enough
Convert and manage, scan and export
Bridging worlds with strong support
[Outro]
From STIG checklists to OSCAL dreams
These bridges connect your compliance schemes
Four tools working, hand in hand
Bridging worlds across the land
35. Lab 1: Anatomy of a STIG
[Verse 1]
Head to DoD Cyber Exchange today
Download RHEL or Windows Server way
XCCDF benchmark XML in hand
Open your text editor, take a stand
Thousands of lines scroll down the screen
Security rules in code machine
[Chorus]
STIG anatomy, let's break it down
Rule ID, STIG ID spinning around
Severity level, CCI reference too
Check text and fix text, that's what we do
X-C-C-D-F tells the story
Security rules in all their glory
[Verse 2]
Find a single rule within the maze
Rule ID numbers guide your gaze
STIG ID follows close behind
Severity shows what threats you'll find
High or medium, low or none
Each rule's importance weighs a ton
[Chorus]
STIG anatomy, let's break it down
Rule ID, STIG ID spinning around
Severity level, CCI reference too
Check text and fix text, that's what we do
X-C-C-D-F tells the story
Security rules in all their glory
[Bridge]
CCI reference points the way
To NIST eight hundred fifty-three
Control Correlation Identifier
Links compliance to the key
Access Control, System Info
Audit trails that help us know
[Verse 3]
Check text tells you what to find
Fix text shows how to align
Trace that CCI through NIST's list
No control should be missed
STIG Viewer makes it clean
Best graphical tool I've seen
[Chorus]
STIG anatomy, let's break it down
Rule ID, STIG ID spinning around
Severity level, CCI reference too
Check text and fix text, that's what we do
X-C-C-D-F tells the story
Security rules in all their glory
[Outro]
XML versus viewer display
Both roads lead to compliance way
STIG anatomy now you know
Security standards help systems grow
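The fields this lab names (Rule ID, STIG ID, severity, CCI reference, check text, fix text) each live in a fixed place inside an XCCDF 1.2 `<Rule>`. The following is an added example written for this chapter, not DISA's or OpenSCAP's code: it pulls those fields out of a benchmark with the standard library. The XML fragment is a constructed, trimmed stand-in for a DISA benchmark; its rule id, STIG id and CCIs are made up.

```python
"""Added example: extract the anatomy fields of an XCCDF 1.2 Benchmark rule.

Illustrative code for this chapter, not a DISA or OpenSCAP tool. SAMPLE_BENCHMARK
is a constructed fragment that mimics the shape of a DISA STIG benchmark.
"""
import xml.etree.ElementTree as ET

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF}
CCI_SYSTEM = "http://cyber.mil/cci"  # the ident/@system DISA uses for CCI references

# Constructed sample: one Group/Rule pair in the shape DISA benchmarks use.
SAMPLE_BENCHMARK = f"""<Benchmark xmlns="{XCCDF}" id="xccdf_mil.disa.stig_benchmark_EXAMPLE">
  <Group id="V-EXAMPLE-1">
    <title>SRG-OS-000001</title>
    <Rule id="SV-EXAMPLE-1_rule" severity="medium" weight="10.0">
      <version>EXAMPLE-01-000010</version>
      <title>The system must use example cryptographic protection.</title>
      <ident system="{CCI_SYSTEM}">CCI-000001</ident>
      <ident system="{CCI_SYSTEM}">CCI-000002</ident>
      <fixtext fixref="F-EXAMPLE-1_fix">Enable the example protection in /etc/example.conf.</fixtext>
      <check system="http://example.invalid/constructed-check-system">
        <check-content>Verify the example protection is enabled by inspecting /etc/example.conf.</check-content>
      </check>
    </Rule>
  </Group>
</Benchmark>
"""


def parse_rules(xccdf_xml):
    """Return one dict per <Rule> with the fields the lab names.

    Rule ID    -> Rule/@id              STIG ID  -> Rule/version
    Severity   -> Rule/@severity        CCIs     -> Rule/ident[@system = CCI]
    Check text -> Rule/check/check-content   Fix text -> Rule/fixtext
    """
    root = ET.fromstring(xccdf_xml)
    rules = []
    for rule in root.iter(f"{{{XCCDF}}}Rule"):
        version = rule.find("x:version", NS)
        title = rule.find("x:title", NS)
        check = rule.find("x:check/x:check-content", NS)
        fix = rule.find("x:fixtext", NS)
        rules.append({
            "rule_id": rule.get("id"),
            "stig_id": version.text if version is not None else None,
            "severity": rule.get("severity", "unknown"),
            "title": title.text if title is not None else "",
            "ccis": [i.text for i in rule.findall("x:ident", NS) if i.get("system") == CCI_SYSTEM],
            "check_text": (check.text or "").strip() if check is not None else "",
            "fix_text": (fix.text or "").strip() if fix is not None else "",
        })
    return rules


def severity_to_cat(severity):
    """STIG Viewer displays CAT I/II/III; the XML carries high/medium/low."""
    return {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}.get(severity, "unrated")


def summarize(rules):
    """One line per rule: Rule ID (STIG ID, CAT) -> CCIs."""
    return [f"{r['rule_id']} ({r['stig_id']}, {severity_to_cat(r['severity'])}) -> "
            f"{', '.join(r['ccis']) or 'no CCI'}" for r in rules]


if __name__ == "__main__":
    for line in summarize(parse_rules(SAMPLE_BENCHMARK)):
        print(line)
```

Pointing `parse_rules` at a real downloaded benchmark is a matter of reading the file into a string first; the Rule ids there carry the `xccdf_mil.disa.stig_rule_` prefix and `<version>` holds the STIG ID that the lyrics refer to.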
36. Lab 2: Running a SCAP Scan
[Verse 1]
Fire up your virtual machine today
RHEL or Ubuntu, either way
Time to scan for security flaws
With OpenSCAP and SCAP laws
Install the tools we need to see
Where vulnerabilities might be
SCAP Security Guide in hand
We'll scan across this testing land
[Chorus]
O-S-C-A-P info command
List the profiles, understand
S-T-I-G scan with eval
HTML report will reveal
Passed and failed and not applied
Security status, nothing to hide
X-C-C-D-F results in XML
SCAP scanning serves us well
[Verse 2]
Navigate to the sharing place
usr share xml scap base
SSG content with your distro name
DataStream file, that's the game
Run oscap info to display
All the profiles you can play
Choose your target, make it clear
STIG compliance drawing near
[Chorus]
O-S-C-A-P info command
List the profiles, understand
S-T-I-G scan with eval
HTML report will reveal
Passed and failed and not applied
Security status, nothing to hide
X-C-C-D-F results in XML
SCAP scanning serves us well
[Verse 3]
Oscap xccdf eval the way
Profile STIG will save the day
Report dot HTML for the view
Results dot XML structured too
DataStream file at the end
Watch the scanning process blend
Every check gets its own test
Pass or fail, we'll see the rest
[Bridge]
Open up that HTML file
Browse the results, stay a while
Green means passed, red means failed
Gray shows checks that weren't detailed
Not applicable, that's okay
Some don't match your system's way
XML holds the structured data
Compliance dreams are getting better
[Chorus]
O-S-C-A-P info command
List the profiles, understand
S-T-I-G scan with eval
HTML report will reveal
Passed and failed and not applied
Security status, nothing to hide
X-C-C-D-F results in XML
SCAP scanning serves us well
[Outro]
Now you've learned to run the scan
SCAP compliance, you're the man
Virtual machine tested clean
Best security you've ever seen
37. Lab 3: Anatomy of OSCAL
[Verse 1]
Clone the repo, let's dive inside
OSCAL content where frameworks hide
Navigate to NIST eight hundred fifty-three
Revision five in JSON, let's see
Open the catalog, find your way
To AC seventeen dash two today
Control structure laid out so clear
Statements, parameters, guidance here
[Chorus]
Clone, Open, Find, Tailor, Implement
Five steps to OSCAL's document
From catalog to profile to plan
Understanding OSCAL's master hand
Structure flows from top to bottom
Framework layers, learn and spot them
[Verse 2]
Remote access with cryptographic protection
That's what AC seventeen two's direction
Statements tell you what to do
Parameters let you configure too
Guidance gives the how and why
Implementation details to rely
[Chorus]
Clone, Open, Find, Tailor, Implement
Five steps to OSCAL's document
From catalog to profile to plan
Understanding OSCAL's master hand
Structure flows from top to bottom
Framework layers, learn and spot them
[Verse 3]
FedRAMP High profile next in line
Find where imports are defined
Look for AC seventeen two inside
See how tailoring is applied
Modifications and additions clear
Baseline adjustments appear
[Bridge]
Three layers working hand in hand
Catalog gives the master plan
Profile tailors what you need
SSP shows how you succeed
[Verse 4]
SSP template, final piece
Implementation descriptions release
AC seventeen two lives here too
Shows exactly what to do
Response text fills in the blank
System-specific, frank and frank
[Chorus]
Clone, Open, Find, Tailor, Implement
Five steps to OSCAL's document
From catalog to profile to plan
Understanding OSCAL's master hand
Structure flows from top to bottom
Framework layers, learn and spot them
[Outro]
From NIST controls to system plans
OSCAL connects with steady hands
Three documents, one flowing stream
Living the compliance dream
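The catalog, profile and SSP the lab walks through are plain JSON, and the three layers reference each other by control id and UUID. The code below is an added example written for this chapter, not NIST's OSCAL content or any OSCAL library: it locates AC-17(2) (OSCAL id `ac-17.2`) in a catalog, applies a profile's selection and tailoring to it, and reads the SSP's implementation text. All three documents are constructed, heavily abbreviated stand-ins shaped as `json.load` would return them; the UUIDs are made up, and the parameter on `ac-17.2` exists only to show how `params` is tailored (the real enhancement defines none). `resolve()` is a toy that handles only `include-controls/with-ids`, `set-parameters` and `alters/adds`; real profile resolution covers much more.

```python
"""Added example: catalog -> profile -> SSP for one control, AC-17(2).

Illustrative code for this chapter, not NIST or OSCAL-library code. The three
documents are constructed, abbreviated stand-ins with made-up UUIDs.
"""
import copy

CAT_UUID = "00000000-0000-4000-8000-000000000001"   # constructed
PROF_UUID = "00000000-0000-4000-8000-000000000002"  # constructed

CATALOG = {"catalog": {"uuid": CAT_UUID, "groups": [
    {"id": "ac", "class": "family", "title": "Access Control", "controls": [
        {"id": "ac-17", "class": "SP800-53", "title": "Remote Access",
         "parts": [{"id": "ac-17_smt", "name": "statement",
                    "prose": "Establish usage restrictions for, and authorize, each type of remote access."}],
         # Enhancements nest under their parent control, as in the real catalog file.
         "controls": [
             {"id": "ac-17.2", "class": "SP800-53-enhancement",
              "title": "Protection of Confidentiality and Integrity Using Encryption",
              "params": [{"id": "ac-17.2_prm_example", "label": "cryptographic mechanisms"}],  # constructed
              "parts": [
                  {"id": "ac-17.2_smt", "name": "statement",
                   "prose": "Implement cryptographic mechanisms to protect the confidentiality "
                            "and integrity of remote access sessions."},
                  {"id": "ac-17.2_gdn", "name": "guidance",
                   "prose": "Virtual private networks can be used to protect remote access sessions."}]}]}]}]}}

PROFILE = {"profile": {"uuid": PROF_UUID,
    "imports": [{"href": f"#{CAT_UUID}", "include-controls": [{"with-ids": ["ac-17", "ac-17.2"]}]}],
    "modify": {
        "set-parameters": [{"param-id": "ac-17.2_prm_example", "values": ["FIPS-validated cryptography"]}],
        "alters": [{"control-id": "ac-17.2", "adds": [{"position": "ending", "parts": [
            {"id": "ac-17.2_fr", "name": "item",
             "prose": "Constructed tailoring: remote access sessions must use FIPS-validated cryptography."}]}]}]}}}

SSP = {"system-security-plan": {"uuid": "00000000-0000-4000-8000-000000000003",
    "import-profile": {"href": f"#{PROF_UUID}"},
    "control-implementation": {"implemented-requirements": [
        {"uuid": "00000000-0000-4000-8000-000000000004", "control-id": "ac-17.2",
         "by-components": [{"component-uuid": "00000000-0000-4000-8000-000000000005",
                            "description": "Administrative remote access uses OpenSSH hardened to the "
                                           "RHEL 8 STIG, restricting it to FIPS-approved algorithms."}]}]}}}


def iter_controls(node):
    """Depth-first walk over every control in a catalog, group or control subtree."""
    for group in node.get("groups", []):
        yield from iter_controls(group)
    for control in node.get("controls", []):
        yield control
        yield from iter_controls(control)


def find_control(catalog, control_id):
    return next((c for c in iter_controls(catalog["catalog"]) if c["id"] == control_id), None)


def part_prose(control, part_name):
    """Prose of every part with the given name ('statement', 'guidance', 'item', ...)."""
    return [p.get("prose", "") for p in control.get("parts", []) if p.get("name") == part_name]


def resolve(catalog, profile):
    """Toy profile resolution: select controls by id, then set parameters and append added parts."""
    selected = {}
    for imp in profile["profile"]["imports"]:
        for selection in imp.get("include-controls", []):
            for cid in selection.get("with-ids", []):
                control = find_control(catalog, cid)
                if control is None:
                    raise KeyError(f"profile selects {cid!r}, which the catalog does not define")
                control = copy.deepcopy(control)
                control.pop("controls", None)  # children are selected on their own, not inherited
                selected[cid] = control
    modify = profile["profile"].get("modify", {})
    for setting in modify.get("set-parameters", []):
        for control in selected.values():
            for param in control.get("params", []):
                if param["id"] == setting["param-id"]:
                    param["values"] = list(setting["values"])
    for alter in modify.get("alters", []):
        target = selected.get(alter["control-id"])
        if target is None:
            continue
        for add in alter.get("adds", []):
            if add.get("position", "ending") == "starting":
                target["parts"] = list(add.get("parts", [])) + target.get("parts", [])
            else:
                target.setdefault("parts", []).extend(add.get("parts", []))
    return selected


def implementation_text(ssp, control_id):
    """The by-component descriptions the SSP gives for one control."""
    for req in ssp["system-security-plan"]["control-implementation"]["implemented-requirements"]:
        if req["control-id"] == control_id:
            return [bc["description"] for bc in req.get("by-components", [])]
    return []
```

Run against the real NIST catalog, `find_control(json.load(f), "ac-17.2")` returns the same structure, only with the full prose and, for other controls, the real `params` and `props`.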
38. Lab 4: Tracing a STIG Rule to an OSCAL Control
[Verse 1]
Start with RHEL-08-010400, the rule we're gonna trace
FIPS cryptography protection, keeping systems safe
Every STIG rule has a number that connects the flow
To a CCI identifier, that's how compliance goes
[Chorus]
From STIG to CCI to NIST control
Map the path and play your role
AC-17-2 in the catalog
OSCAL components, build the bridge across
Trace the rule from start to end
Documentation is your friend
[Verse 2]
CCI-001453 is the bridge we need to find
Links our STIG rule to the framework that's defined
NIST 800-53 has the control we seek
AC-17 parentheses 2, remote access technique
[Chorus]
From STIG to CCI to NIST control
Map the path and play your role
AC-17-2 in the catalog
OSCAL components, build the bridge across
Trace the rule from start to end
Documentation is your friend
[Bridge]
Open up the 800-53 Rev 5 catalog file
Find AC-17-2 in the JSON style
FedRAMP profile shows us what's required
Component definitions get us wired
[Verse 3]
Write the snippet that explains the how
RHEL 8 configured, following STIG now
Satisfies the control through proper implementation
OSCAL format for the whole organization
[Final Chorus]
From STIG to CCI to NIST control
Map the path and play your role
AC-17-2 documented clear
OSCAL tracing, year by year
Trace the rule from start to end
Compliance flows when standards blend
[Outro]
RHEL-08-010400 to AC-17-2
That's the tracing path for me and you
39. Lab 5: Building the Bridge with ComplianceAsCode
[Verse 1]
Start by cloning the repo down
ComplianceAsCode is what we've found
Git pull the latest source today
Security frameworks on display
Build your product with one command
Build underscore product in your hand
RHEL nine target, watch it compile
SCAP content in XML style
[Chorus]
Clone, build, examine, generate, validate
Five steps to bridge the compliance gate
STIG to OSCAL, we're building the way
ComplianceAsCode lights up the day
Clone, build, examine, generate, validate
Security standards we translate
[Verse 2]
Examine the data stream we made
SCAP XML structure displayed
Rules and checks all organized
Security controls itemized
Now we'll bridge the format gap
OSCAL component definition map
Builder script will do the work
Converting STIG with expert quirk
[Chorus]
Clone, build, examine, generate, validate
Five steps to bridge the compliance gate
STIG to OSCAL, we're building the way
ComplianceAsCode lights up the day
Clone, build, examine, generate, validate
Security standards we translate
[Bridge]
From legacy STIG to modern OSCAL flow
Component definitions help us grow
Automated tools make the transformation
Cross-platform security information
[Verse 3]
Run the builder script with care
OSCAL component definition there
Generated from the STIG profile
Machine-readable, versatile
Final step is validation time
Schema check to make it shine
Ensure the format meets the spec
Quality control, we inspect
[Chorus]
Clone, build, examine, generate, validate
Five steps to bridge the compliance gate
STIG to OSCAL, we're building the way
ComplianceAsCode lights up the day
Clone, build, examine, generate, validate
Security standards we translate
[Outro]
From source code to SCAP to OSCAL gold
Compliance stories now retold
The bridge is built, the gap is crossed
No security context ever lost
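Lab 4 traces one rule by hand (RHEL-08-010400 to CCI-001453 to AC-17(2)) and this lab has a script generate a component definition from a STIG and then validate it. The block below is an added example serving both labs, written for this chapter; it is not ComplianceAsCode's builder, DISA's tooling or an OSCAL library. It reads the CCI-to-control mapping from a CCI-list-shaped XML fragment, converts the NIST index notation to OSCAL control ids, emits a component definition with one implemented requirement per traced control, and ends with a minimal structural check. The rule id, CCI and control come from the lab text; the rule record, the CCI list fragment, the catalog href, the UUID namespace and the prop namespace are constructed placeholders. The closing check only tests keys this snippet relies on; the lab's validation step uses the real OSCAL JSON schema.

```python
"""Added example for Labs 4 and 5: STIG rule -> CCI -> NIST control -> OSCAL component definition.

Illustrative code, not ComplianceAsCode, DISA or OSCAL-library code. Everything
except RHEL-08-010400, CCI-001453 and AC-17(2) is constructed.
"""
import re
import uuid
import xml.etree.ElementTree as ET

# The rule as a Lab 1 style parser would hand it over (constructed; the title is a summary, not DISA's text).
RULE = {"stig_id": "RHEL-08-010400", "rule_id": "SV-EXAMPLE_rule", "severity": "medium",
        "title": "FIPS cryptographic protection of remote access sessions", "ccis": ["CCI-001453"]}

# Constructed fragment in the shape of the DISA CCI list: each cci_item carries
# references whose index attribute names the NIST control for a given revision.
CCI_NS = "http://iase.disa.mil/cci"
CCI_LIST_XML = f"""<cci_list xmlns="{CCI_NS}"><cci_items>
  <cci_item id="CCI-001453">
    <definition>Implement cryptographic mechanisms to protect the integrity of remote access sessions.</definition>
    <references>
      <reference creator="NIST" title="NIST SP 800-53 Revision 5" version="5" index="AC-17 (2)"/>
    </references>
  </cci_item>
</cci_items></cci_list>"""


def cci_to_nist_index(cci_xml, revision="5"):
    """{'CCI-001453': ['AC-17 (2)']} for the requested SP 800-53 revision."""
    mapping = {}
    for item in ET.fromstring(cci_xml).iter(f"{{{CCI_NS}}}cci_item"):
        refs = item.findall(f"{{{CCI_NS}}}references/{{{CCI_NS}}}reference")
        mapping[item.get("id")] = [r.get("index") for r in refs if r.get("version") == revision]
    return mapping


INDEX_RE = re.compile(r"^([A-Za-z]{2})-(\d+)(?:\s*\((\d+)\))?")


def nist_index_to_oscal_id(index):
    """'AC-17 (2)' -> 'ac-17.2'; 'AC-2 a' -> 'ac-2' (statement letters are dropped)."""
    m = INDEX_RE.match(index.strip())
    if not m:
        raise ValueError(f"unrecognised control index: {index!r}")
    family, number, enhancement = m.groups()
    return f"{family.lower()}-{number}" + (f".{enhancement}" if enhancement else "")


def trace_rule(rule, cci_xml):
    """STIG rule -> CCIs -> NIST indexes -> OSCAL control ids, de-duplicated and sorted."""
    mapping = cci_to_nist_index(cci_xml)
    return sorted({nist_index_to_oscal_id(ix) for cci in rule["ccis"] for ix in mapping.get(cci, [])})


EXAMPLE_NS = uuid.UUID("00000000-0000-0000-0000-00000000c0de")  # constructed; gives stable uuid5 values
CATALOG_HREF = "https://example.invalid/NIST_SP-800-53_rev5_catalog.json"  # placeholder
PROP_NS = "https://example.invalid/ns/stig"  # placeholder namespace for the custom props


def uid(*parts):
    return str(uuid.uuid5(EXAMPLE_NS, "/".join(parts)))


def component_definition(rule, cci_xml, product="Red Hat Enterprise Linux 8"):
    """Minimal OSCAL component-definition with one implemented-requirement per traced control."""
    reqs = [{"uuid": uid(rule["stig_id"], cid), "control-id": cid,
             "description": f"{product} is configured per STIG rule {rule['stig_id']} ({rule['title']}), "
                            f"which satisfies {cid.upper()} for this component.",
             "props": [{"name": "stig-id", "ns": PROP_NS, "value": rule["stig_id"]},
                       {"name": "severity", "ns": PROP_NS, "value": rule["severity"]}]
                      + [{"name": "cci", "ns": PROP_NS, "value": c} for c in rule["ccis"]]}
            for cid in trace_rule(rule, cci_xml)]
    return {"component-definition": {
        "uuid": uid("component-definition", rule["stig_id"]),
        "metadata": {"title": f"{product} STIG component (constructed example)",
                     "last-modified": "2024-01-01T00:00:00Z", "version": "0.1", "oscal-version": "1.1.2"},
        "components": [{"uuid": uid("component", product), "type": "software", "title": product,
                        "description": f"{product} hardened with the DISA STIG",
                        "control-implementations": [{"uuid": uid("ci", rule["stig_id"]), "source": CATALOG_HREF,
                                                     "description": "Controls satisfied by STIG configuration",
                                                     "implemented-requirements": reqs}]}]}}


UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")
CONTROL_ID_RE = re.compile(r"^[a-z]{2}-\d+(\.\d+)?$")


def structural_problems(doc):
    """Stand-in for schema validation: list of problems, empty when the basics are in place."""
    cd = doc.get("component-definition")
    if cd is None:
        return ["missing component-definition root"]
    problems = [] if UUID_RE.match(cd.get("uuid", "")) else ["root uuid is not a valid UUID"]
    problems += [f"metadata.{k} missing" for k in ("title", "last-modified", "version", "oscal-version")
                 if k not in cd.get("metadata", {})]
    for comp in cd.get("components", []):
        for ci in comp.get("control-implementations", []):
            if not ci.get("source"):
                problems.append("control-implementation without source")
            problems += [f"bad control-id {req.get('control-id')!r}" for req in ci.get("implemented-requirements", [])
                         if not CONTROL_ID_RE.match(req.get("control-id", ""))]
    return problems
```

Feeding the output to `json.dump` gives the file the lab's last step validates; `structural_problems` is only a quick sanity check before that schema run.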
40. Lab 6: SCAP Results → OSCAL Assessment Evidence
[Verse 1]
Start with XCCDF results from your previous scan
Transform those findings to OSCAL's master plan
Assessment Results document is what we need to build
Evidence and observations, let your structure be fulfilled
[Chorus]
From scan to OSCAL, make the data flow
Observations mapped to controls we need to know
POA and M for failures that we find
Assessment Results with validation in mind
XCCDF to OSCAL, transform and align
[Verse 2]
Create observations from the key findings you collect
Each vulnerability needs its proper object to reflect
Map those observations to control objectives clear
Security requirements linked to evidence we hold dear
[Chorus]
From scan to OSCAL, make the data flow
Observations mapped to controls we need to know
POA and M for failures that we find
Assessment Results with validation in mind
XCCDF to OSCAL, transform and align
[Bridge]
When a check fails, don't let it slide
Build a POA and M with remediation guide
Milestones and deadlines, resources assigned
Risk mitigation with a timeline defined
[Verse 3]
Link your findings to the framework that applies
NIST eight hundred fifty-three controls comprise

The baseline requirements for your system's security stance
Each observation gives compliance its chance
[Chorus]
From scan to OSCAL, make the data flow
Observations mapped to controls we need to know
POA and M for failures that we find
Assessment Results with validation in mind
XCCDF to OSCAL, transform and align
[Outro]
Validate the structure when your document is done
Assessment Results complete, another victory won
From STIG scanner output to OSCAL's golden gate
Evidence-based compliance seals your system's fate
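Lab 2 ends with reading the pass, fail and not-applicable outcomes out of the results XML; this lab turns those outcomes into OSCAL observations, findings and POA&M items. The code below is an added example covering both, written for this chapter; it is not an OpenSCAP, Trestle or NIST tool. It parses an XCCDF 1.2 `TestResult` (the shape `oscap xccdf eval --results` writes), tallies the outcomes, emits an `assessment-results` document with one observation per rule result and one finding per control, and opens a POA&M item for every control that is not satisfied. The results XML, the CCI-to-control table, the hostname and the UUID and prop namespaces are constructed.

```python
"""Added example for Labs 2 and 6: XCCDF TestResult -> OSCAL assessment-results -> POA&M.

Illustrative code, not OpenSCAP, Trestle or NIST code. The results XML, the
CCI lookup table, hostname and UUIDs are constructed.
"""
import uuid
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

XCCDF = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF}
CCI_SYSTEM = "http://cyber.mil/cci"

# Constructed TestResult: three rule results, one per outcome the lab names.
RESULTS_XML = f"""<TestResult xmlns="{XCCDF}" id="xccdf_org.example_testresult_constructed"
    start-time="2024-01-01T10:00:00" end-time="2024-01-01T10:05:00">
  <target>host.example.invalid</target>
  <rule-result idref="xccdf_org.example_rule_sshd_fips_ciphers" time="2024-01-01T10:01:00" severity="medium">
    <result>fail</result>
    <ident system="{CCI_SYSTEM}">CCI-001453</ident>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_sshd_banner" time="2024-01-01T10:02:00" severity="low">
    <result>pass</result>
    <ident system="{CCI_SYSTEM}">CCI-000048</ident>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_gui_screen_lock" time="2024-01-01T10:03:00" severity="medium">
    <result>notapplicable</result>
    <ident system="{CCI_SYSTEM}">CCI-000057</ident>
  </rule-result>
</TestResult>
"""

# Constructed lookup table; a real pipeline derives this from the DISA CCI list.
CCI_TO_CONTROL = {"CCI-001453": "ac-17.2", "CCI-000048": "ac-8", "CCI-000057": "ac-11"}

EXAMPLE_NS = uuid.UUID("00000000-0000-0000-0000-0000000000ab")  # constructed; stable uuid5 values
PROP_NS = "https://example.invalid/ns/xccdf"  # placeholder namespace for the custom prop
UNTESTED = {"notapplicable", "notselected", "notchecked", "informational"}


def uid(*parts):
    return str(uuid.uuid5(EXAMPLE_NS, "/".join(parts)))


def parse_results(xml_text):
    """Target, scan window and one dict per <rule-result> (rule idref, outcome, severity, CCIs, time)."""
    root = ET.fromstring(xml_text)
    tr = root if root.tag == f"{{{XCCDF}}}TestResult" else root.find(".//x:TestResult", NS)
    rows = [{"rule": rr.get("idref"), "result": rr.findtext("x:result", namespaces=NS),
             "severity": rr.get("severity", "unknown"), "time": rr.get("time"),
             "ccis": [i.text for i in rr.findall("x:ident", NS) if i.get("system") == CCI_SYSTEM]}
            for rr in tr.findall("x:rule-result", NS)]
    return {"target": tr.findtext("x:target", default="", namespaces=NS),
            "start": tr.get("start-time"), "end": tr.get("end-time"), "rows": rows}


def tally(scan):
    """The pass/fail/notapplicable counts the Lab 2 report shows in green, red and grey."""
    return dict(Counter(r["result"] for r in scan["rows"]))


def build_assessment_results(scan, cci_map):
    """One observation per rule result; one finding per control reached through a CCI."""
    observations, per_control = [], defaultdict(list)
    for r in scan["rows"]:
        obs = {"uuid": uid("obs", r["rule"]), "title": r["rule"],
               "description": f"SCAP check {r['rule']} on {scan['target']}: {r['result']}",
               "methods": ["TEST"], "collected": r["time"] + "Z",
               "props": [{"name": "result", "ns": PROP_NS, "value": r["result"]}]}
        observations.append(obs)
        for cci in r["ccis"]:
            if cci in cci_map:
                per_control[cci_map[cci]].append((obs["uuid"], r["result"]))
    findings = []
    for cid, results in sorted(per_control.items()):
        outcomes = {res for _, res in results}
        if outcomes <= UNTESTED:
            continue  # nothing was actually tested against this control
        state = "not-satisfied" if outcomes & {"fail", "error"} else "satisfied"
        findings.append({"uuid": uid("finding", cid), "title": f"{cid.upper()} from SCAP results",
                         "description": f"{len(results)} rule result(s) mapped to {cid}",
                         "target": {"type": "statement-id", "target-id": f"{cid}_smt", "status": {"state": state}},
                         "related-observations": [{"observation-uuid": o} for o, _ in results]})
    metadata = {"title": f"SCAP results for {scan['target']} (constructed example)",
                "last-modified": scan["end"] + "Z", "version": "0.1", "oscal-version": "1.1.2"}
    return {"assessment-results": {
        "uuid": uid("ar", scan["target"]), "metadata": metadata,
        "import-ap": {"href": "#ASSESSMENT-PLAN-UUID-PLACEHOLDER"},
        "results": [{"uuid": uid("result", scan["target"]), "title": "SCAP scan",
                     "description": "Automated XCCDF evaluation", "start": scan["start"] + "Z", "end": scan["end"] + "Z",
                     "reviewed-controls": {"control-selections": [
                         {"include-controls": [{"control-id": c} for c in sorted(per_control)]}]},
                     "observations": observations, "findings": findings}]}}


def build_poam(ar):
    """A POA&M item for every not-satisfied finding, linked back to finding and observations."""
    items = [{"uuid": uid("poam", f["uuid"]), "title": f"Remediate {f['title']}", "description": f["description"],
              "related-findings": [{"finding-uuid": f["uuid"]}], "related-observations": f["related-observations"],
              "remarks": "Owner, milestones and due date are assigned when the item is opened."}
             for result in ar["assessment-results"]["results"] for f in result["findings"]
             if f["target"]["status"]["state"] == "not-satisfied"]
    return {"plan-of-action-and-milestones": {
        "uuid": uid("poam-doc", ar["assessment-results"]["uuid"]),
        "metadata": {**ar["assessment-results"]["metadata"], "title": "POA&M (constructed example)"},
        "import-ssp": {"href": "#SSP-UUID-PLACEHOLDER"}, "poam-items": items}}
```

The two placeholder hrefs are where the real assessment plan and SSP UUIDs go; keeping them as links is what lets the later end-to-end lab trace a POA&M item back through results, plan and SSP to the STIG rule.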
41. Lab 7: End-to-End Pipeline
[Verse 1]
Let's build a system step by step today
Three components in our testing way
Web server front, database behind
App server middle, all aligned
Find the STIG for every part
Apache, Oracle, Tomcat start
Each component needs its own
Security guide to call its own
[Chorus]
Scan Plan Assess Results and Trace
POA and M shows every space
From catalog down to STIG rule
End-to-end pipeline is our tool
OSCAL flows from start to end
Component definitions we depend
SSP imports what we need
Pipeline success is guaranteed
[Verse 2]
SCAP scanner runs across the fleet
Checking every control we meet
Component definitions next in line
Reference STIG compliance fine
Build the SSP with profile import
Assessment plan for full support
Results flow in with SCAP evidence
Gaps become our reference
[Chorus]
Scan Plan Assess Results and Trace
POA and M shows every space
From catalog down to STIG rule
End-to-end pipeline is our tool
OSCAL flows from start to end
Component definitions we depend
SSP imports what we need
Pipeline success is guaranteed
[Bridge]
Trace that finding all the way back
POA and M to results track
Assessment plan to SSP link
Profile catalog CCI think
STIG rule at the very end
Complete circle we defend
[Verse 3]
Generate POA and M for every gap
Assessment results fill the map
From component up to system wide
OSCAL documents are our guide
Nine steps complete the puzzle whole
End-to-end is our main goal
[Chorus]
Scan Plan Assess Results and Trace
POA and M shows every space
From catalog down to STIG rule
End-to-end pipeline is our tool
OSCAL flows from start to end
Component definitions we depend
SSP imports what we need
Pipeline success is guaranteed
[Outro]
Three components, nine clear steps
STIG to OSCAL, no missteps
End-to-end pipeline complete
Security compliance can't be beat
42. 1 "OSCAL replaces STIGs"
[Verse 1]
There's a myth that's going round the compliance floor
That OSCAL came to end what came before
They say it replaces STIGs completely
But that's not how security works neatly
OSCAL tracks your governance and policy dreams
While STIGs give you technical config schemes
One documents the "what" and "why" you do
The other shows the "how" to make it true
[Chorus]
You need both layers, don't believe the hype
OSCAL plus STIGs, that's the winning type
Documentation up above
Technical guidance that you love
Two different tools for two different jobs
Don't let confusion make you sob
[Verse 2]
OSCAL has no opinion on your SSH config file
It won't tell you which ciphers are worthwhile
That's where STIGs come in to save the day
With exact settings spelled out all the way
Think of OSCAL as your governance brain
Recording policies through compliance terrain
STIGs are your technical implementation guide
Both tools working closely side by side
[Chorus]
You need both layers, don't believe the hype
OSCAL plus STIGs, that's the winning type
Documentation up above
Technical guidance that you love
Two different tools for two different jobs
Don't let confusion make you sob
[Bridge]
Governance layer, technical layer
Each one serves a different savior
OSCAL documents what you decide
STIGs show how to implement with pride
[Verse 3]
So when someone says OSCAL makes STIGs obsolete
Just smile and know that claim's incomplete
They complement each other perfectly
In your security strategy symphony
[Chorus]
You need both layers, don't believe the hype
OSCAL plus STIGs, that's the winning type
Documentation up above
Technical guidance that you love
Two different tools for two different jobs
Now you know the truth, give yourself props
[Outro]
OSCAL and STIGs together as one
Your compliance journey has just begun
43. 2 "STIGs are only for DoD"
[Verse 1]
There's a myth that's spreading wide
Says that STIGs must hide inside
Pentagon walls and nowhere else
Time to clear this off the shelves
DoD created them, it's true
But the doors are open too
Federal agencies take their pick
Private sectors use this trick
[Chorus]
STIGs aren't locked behind DoD doors
They're free for all, not just for wars
Civilian feds and contractors see
This hardening guide's available free
Don't believe the myth you've heard
STIGs fly free like open birds
Quality guidance, depth so deep
Anyone can download and keep
[Verse 2]
Defense contractors know the way
Use these STIGs every day
Banks and hospitals, they're smart
Make these baselines their fresh start
While mandatory for DoDIN space
Other orgs embrace their grace
Configuration standards strong
This misconception's been too long
[Chorus]
STIGs aren't locked behind DoD doors
They're free for all, not just for wars
Civilian feds and contractors see
This hardening guide's available free
Don't believe the myth you've heard
STIGs fly free like open birds
Quality guidance, depth so deep
Anyone can download and keep
[Bridge]
Rigorous hardening for every need
Public access, yes indeed
From government to private ground
Best security can be found
[Outro]
So remember when you hear them say
STIGs are DoD's only way
Speak the truth and make it clear
Open standards for all who care
44. 3 "OSCAL is just for FedRAMP"
[Verse 1]
They say OSCAL's just for FedRAMP alone
A government tool that can't leave home
But that's a myth we need to break today
OSCAL's designed to work every which way
Framework agnostic from the very start
Built to represent any control's part
Any catalog, baseline, system wide
OSCAL's foundations run deep and wide
[Chorus]
Not just FedRAMP, not just one way
OSCAL's built for global display
Any framework, any standard's call
OSCAL represents them all
Framework freedom, that's the key
OSCAL's flexibility sets us free
[Verse 2]
FedRAMP was the early adopter's name
The most visible player in OSCAL's game
But being first doesn't mean being only
NIST designed it broad, never lonely
International adoption's on the rise
Organizations worldwide opening their eyes
To OSCAL's power across the globe
Every compliance need it can probe
[Chorus]
Not just FedRAMP, not just one way
OSCAL's built for global display
Any framework, any standard's call
OSCAL represents them all
Framework freedom, that's the key
OSCAL's flexibility sets us free
[Bridge]
From ISO twenty-seven thousand one
To any control framework under the sun
OSCAL speaks the language they all share
Structured data flowing everywhere
Custom catalogs, bespoke controls
OSCAL adapts to all your goals
Don't box it in, don't limit scope
OSCAL's the universal hope
[Chorus]
Not just FedRAMP, not just one way
OSCAL's built for global display
Any framework, any standard's call
OSCAL represents them all
Framework freedom, that's the key
OSCAL's flexibility sets us free
[Outro]
So remember when you hear that myth again
OSCAL's not locked to government's pen
It's framework agnostic, built to grow
Universal standards, that's what we know
45. 4 "SCAP scans cover all STIG requirements"
[Verse 1]
System admins think they've got it made
Running SCAP scans, thinking rules are all obeyed
But behind the automated screen
There's a world that scanners have never seen
Manual checks are waiting in the wings
Interviews and documents, all the human things
[Chorus]
SCAP won't cover every STIG requirement
Manual verification is adherent
Thirty to sixty percent automation
The rest needs human investigation
Don't believe the myth, don't fall for the trap
SCAP scans alone will leave compliance gaps
[Verse 2]
Physical inspections can't be automated away
Process observations need human eyes today
Document review requires reading comprehension
Staff interviews reveal what tech can't mention
Configuration checks are just the start
Human judgment plays the crucial part
[Chorus]
SCAP won't cover every STIG requirement
Manual verification is adherent
Thirty to sixty percent automation
The rest needs human investigation
Don't believe the myth, don't fall for the trap
SCAP scans alone will leave compliance gaps
[Bridge]
Technical verification has its place
But don't let automation set the pace
Policies and procedures need review
Administrative controls need follow-through
SCAP's a tool but not the final word
Human oversight must still be heard
[Verse 3]
When compliance officers make their rounds
They're looking for what scanning never found
Training records, incident response plans
Security awareness across all hands
SCAP handles configs, that much is true
But governance needs the human view
[Chorus]
SCAP won't cover every STIG requirement
Manual verification is adherent
Thirty to sixty percent automation
The rest needs human investigation
Don't believe the myth, don't fall for the trap
SCAP scans alone will leave compliance gaps
[Outro]
So plan your STIG assessment right
Combine the automated with human insight
SCAP and manual working as one team
That's how you build a compliance dream
46. 5 "If I have OSCAL, I don't need SCAP scans"
[Verse 1]
You've got your OSCAL documentation done
Controls mapped out, implementation begun
You think you're finished, ready to declare
"I don't need SCAP scans, my docs are there"
[Pre-Chorus]
But documents tell you what should be
Not what's actually running free
[Chorus]
OSCAL shows the plan, SCAP proves it's real
Documentation lies without that technical feel
You can't write fiction, call it compliance gold
Verification matters, that's the story told
OSCAL shows the plan, SCAP proves it's real
[Verse 2]
Your security control says encryption's on
But is the cipher strong or is it gone?
OSCAL describes the policy you wrote
SCAP scans will tell you if systems actually note
[Pre-Chorus]
Implementation and reality
Often differ drastically
[Chorus]
OSCAL shows the plan, SCAP proves it's real
Documentation lies without that technical feel
You can't write fiction, call it compliance gold
Verification matters, that's the story told
OSCAL shows the plan, SCAP proves it's real
[Bridge]
Trust but verify, the old saying goes
OSCAL is trust, but SCAP really knows
Evidence matters in the compliance game
Without both together, you'll shoulder the blame
[Verse 3]
Your framework's beautiful, controls align
But are the systems following that design?
OSCAL documents intention clear
SCAP scanning shows what's really here
[Final Chorus]
OSCAL shows the plan, SCAP proves it's real
Documentation lies without that technical feel
You can't write fiction, call it compliance gold
Verification matters, that's the story told
OSCAL plus SCAP makes the process whole
[Outro]
Don't skip the scans when OSCAL's complete
Evidence and documentation make compliance sweet
47. 6 "STIG checklists are the same as OSCAL Assessment Results"
[Verse 1]
They look the same upon first glance
Two documents that seem to dance
Around compliance and control
But dig deeper and you'll know
A STIG checklist checks one thing
Single product, single ring
One system with its rules defined
CKL format, narrow mind
[Chorus]
No they're not the same at all
STIG is small, OSCAL is tall
Checklist narrow, Results wide
Different scope on either side
CKL checks the parts alone
Assessment Results own the throne
Of system-wide authority
That's the key distinction, see
[Verse 2]
Assessment Results paint the scene
Of entire systems, complete and clean
With evidence and risk in view
Authorization pathway too
They link controls to findings clear
Show the full security sphere
While checklists just say pass or fail
On configuration's simple tale
[Chorus]
No they're not the same at all
STIG is small, OSCAL is tall
Checklist narrow, Results wide
Different scope on either side
CKL checks the parts alone
Assessment Results own the throne
Of system-wide authority
That's the key distinction, see
[Bridge]
One product versus system whole
Individual versus total goal
Rules and settings versus controls
Compliance parts versus complete souls
Configuration versus authorization
Single check versus full foundation
[Chorus]
No they're not the same at all
STIG is small, OSCAL is tall
Checklist narrow, Results wide
Different scope on either side
CKL checks the parts alone
Assessment Results own the throne
Of system-wide authority
That's the key distinction, see
[Outro]
So when someone says they're equal friends
Remember where each document ends
STIG checklists check the single part
Assessment Results are the art
Of system-wide compliance view
Now you know what each can do
48. 7 "You have to choose one ecosystem or the other"
[Verse 1]
They tell you pick a side, it's one or the other way
STIGs or OSCAL, you can't have both they say
But that's old thinking from a siloed past
The future's integration, built to last
[Chorus]
Don't choose between, integrate the scene
STIGs configure, SCAP verifies clean
OSCAL governs what the docs all mean
Three layers working as one machine
Don't choose between, integrate the scene
[Verse 2]
Configuration layer needs those STIG rules tight
SCAP automation checks if settings are right
OSCAL documentation keeps governance clear
Three different jobs, but they work as peers
[Chorus]
Don't choose between, integrate the scene
STIGs configure, SCAP verifies clean
OSCAL governs what the docs all mean
Three layers working as one machine
Don't choose between, integrate the scene
[Bridge]
ComplianceAsCode builds the bridge you need
Compliance Trestle makes the pipeline feed
Organizations getting value most
Use integrated approach, not either-or boast
[Verse 3]
Mature approach says use them all as one
Pipeline flowing till the job is done
Configuration, verification, documentation flow
Together they make compliance systems grow
[Chorus]
Don't choose between, integrate the scene
STIGs configure, SCAP verifies clean
OSCAL governs what the docs all mean
Three layers working as one machine
Don't choose between, integrate the scene
[Outro]
False dichotomy leads you astray
Integration is the modern way
STIGs and OSCAL working hand in hand
That's how the best compliance systems stand
49. 1 One-Liner Distinction
[Verse 1]
When you're building systems that need to be secure
There's two different paths that you need to ensure
One tells you the settings, the switches to flip
The other shows compliance from bottom to tip
STIGs are the playbook for locking things down
They give you the steps to secure what you've found
But OSCAL's the language for broader control
It maps how your system protects as a whole
[Chorus]
STIGs configure products, OSCAL validates systems
STIGs give you the how-to, OSCAL shows what you've written
Configuration guidance versus documentation proof
STIGs configure products, OSCAL validates truth
[Verse 2]
Imagine you're hardening Apache or Windows
STIG tells you exactly which settings to win with
Disable that service, encrypt this connection
Product-focused guidance for cyber protection
But when auditors come asking how you meet requirements
OSCAL's what you need for compliance adherents
It documents controls across your whole architecture
Shows how every piece fits your security picture
[Chorus]
STIGs configure products, OSCAL validates systems
STIGs give you the how-to, OSCAL shows what you've written
Configuration guidance versus documentation proof
STIGs configure products, OSCAL validates truth
[Bridge]
One's operational, one's organizational
STIGs are tactical, OSCAL's relational
Product configuration versus system documentation
Different tools for different parts of your foundation
[Chorus]
STIGs configure products, OSCAL validates systems
STIGs give you the how-to, OSCAL shows what you've written
Configuration guidance versus documentation proof
STIGs configure products, OSCAL validates truth
[Outro]
When you need to secure it, reach for the STIG
When you need to prove it, OSCAL's your gig
50. 2 For a Technical Audience
[Verse 1]
In the world of compliance there's a tale to tell
Two different layers working oh so well
STIGs and SCAP down at configuration ground
Checking every setting that can be found
Product specific rules they verify and test
While OSCAL sits above doing governance best
[Chorus]
Configuration down below
Governance up above
STIG and SCAP make settings flow
OSCAL models what we love
Catalogs and baselines too
SSPs in machine format
Evidence feeds right on through
That's where both the layers at
[Verse 2]
OSCAL speaks in structured data streams
Control catalogs and assessment schemes
System security plans in readable code
Assessment results down a digital road
While STIG scans tell you what's right or wrong
OSCAL makes the governance strong
[Chorus]
Configuration down below
Governance up above
STIG and SCAP make settings flow
OSCAL models what we love
Catalogs and baselines too
SSPs in machine format
Evidence feeds right on through
That's where both the layers at
[Bridge]
ComplianceAsCode builds the bridge between
Compliance Trestle keeps the pathway clean
STIG content becomes component definitions
OSCAL ready for all implementations
Two layers working hand in hand
Making compliance easier to understand
[Chorus]
Configuration down below
Governance up above
STIG and SCAP make settings flow
OSCAL models what we love
Catalogs and baselines too
SSPs in machine format
Evidence feeds right on through
That's where both the layers at
[Outro]
From settings to governance they unite
Making compliance frameworks work just right
51. 3 For a Leadership Audience
[Verse 1]
STIGs are our technical blueprints in hand
Checklists that harden each system we command
Engineers follow each step and each rule
Making our networks a security tool
But documentation takes hours to write
Manual reports keeping teams up all night
[Chorus]
STIGs check the tech, OSCAL makes it flow
Hardening pipelines that leadership should know
Technical meets compliance in automated streams
STIGs check the tech, OSCAL builds the dreams
No more manual labor, no more audit pain
STIGs check the tech, OSCAL breaks the chain
[Verse 2]
OSCAL speaks in standardized tongue
Documentation language that's precisely sung
Every control and every compliance need
Captured in formats that systems can read
What engineers harden gets reflected fast
Authorization docs that are built to last
[Chorus]
STIGs check the tech, OSCAL makes it flow
Hardening pipelines that leadership should know
Technical meets compliance in automated streams
STIGs check the tech, OSCAL builds the dreams
No more manual labor, no more audit pain
STIGs check the tech, OSCAL breaks the chain
[Bridge]
Pipeline connection, seamless translation
Technical hardening meets authorization
Reduce the effort, cut the audit time
Compliance posture working in its prime
From checklist item to official report
Automation gives us the support
[Chorus]
STIGs check the tech, OSCAL makes it flow
Hardening pipelines that leadership should know
Technical meets compliance in automated streams
STIGs check the tech, OSCAL builds the dreams
No more manual labor, no more audit pain
STIGs check the tech, OSCAL breaks the chain
[Outro]
Together they create the perfect pair
Technical security with documentation care
STIGs and OSCAL, working hand in hand
The future of compliance across the land
52. 4 For a Sales/Consulting Conversation
[Verse 1]
Four thousand hours just to get approved
STIG checklists scattered, nothing's been improved
Word docs for your SSPs, spreadsheets for results
Disconnected chaos with inefficient faults
Your scanning tools find problems every day
But evidence gets lost along the way
Each control's a silo, each team works alone
Manual updates breaking what you've grown
[Chorus]
Connect the dots with OSCAL's flow
From SCAP scans to the docs you show
Automated evidence, real-time control
Four thousand hours down to manageable goals
STIG plus OSCAL equals ATO speed
Data models linking what you need
No more silos, no more delay
OSCAL integration paves the way
[Verse 2]
Server passes scanning, evidence appears
But transferring findings takes you weeks or years
Copy-paste the findings, format once again
Human error creeping through your pen
OSCAL speaks the language every tool can read
Common data model serving every need
When your SCAP results flow automatically through
Assessment documentation updates too
[Chorus]
Connect the dots with OSCAL's flow
From SCAP scans to the docs you show
Automated evidence, real-time control
Four thousand hours down to manageable goals
STIG plus OSCAL equals ATO speed
Data models linking what you need
No more silos, no more delay
OSCAL integration paves the way
[Bridge]
Picture this transformation in your hands
One unified approach across all your lands
Evidence to planning, planning to assess
OSCAL makes your workflow effortless
[Verse 3]
ROI calculations show the massive gain
Time and money saved from reduced pain
Your organization ready for the shift
OSCAL automation is compliance gift
From reactive patching to proactive flow
Real-time compliance status helps you grow
Investment in integration pays dividends
When manual processes finally end
[Chorus]
Connect the dots with OSCAL's flow
From SCAP scans to the docs you show
Automated evidence, real-time control
Four thousand hours down to manageable goals
STIG plus OSCAL equals ATO speed
Data models linking what you need
No more silos, no more delay
OSCAL integration paves the way
[Outro]
Four thousand two hundred hours before
Now a fraction through OSCAL's door
Connected compliance is the way to go
Let automation help your business grow
53. 5 For Canadian Defense Clients
[Verse 1]
When you're building systems for both sides of the border
Canadian defense meets US DoD order
STIG compliance needed for interoperability
But CPCSC requirements add complexity
Two different frameworks, two sets of rules to follow
Separate documentation makes the workload hollow
There's got to be a better way to handle this demand
One solution that can serve both chains of command
[Chorus]
OSCAL makes it singular, not plural anymore
One data set expressing what you need for both shores
Map your profiles cleanly through the framework models true
STIG and CPCSC living in one structure too
Machine-readable formats keep your compliance tight
OSCAL bridges borders, makes your documentation right
[Verse 2]
Defense contractors know the burden of dual maintenance
Updating twice for every change creates resistance
Security controls scattered across different files
Audit trails get messy spanning regulatory miles
But OSCAL's architecture has the mapping power
Profile models link requirements every hour
Canadian CPCSC aligns with STIG controls
Through standardized expressions that achieve both goals
[Chorus]
OSCAL makes it singular, not plural anymore
One data set expressing what you need for both shores
Map your profiles cleanly through the framework models true
STIG and CPCSC living in one structure too
Machine-readable formats keep your compliance tight
OSCAL bridges borders, makes your documentation right
[Bridge]
Interoperability demands you meet US standards
While Canadian requirements can't be abandoned
OSCAL's unified approach eliminates the divide
Single source of truth with both frameworks inside
[Chorus]
OSCAL makes it singular, not plural anymore
One data set expressing what you need for both shores
Map your profiles cleanly through the framework models true
STIG and CPCSC living in one structure too
Machine-readable formats keep your compliance tight
OSCAL bridges borders, makes your documentation right
[Outro]
One set of artifacts for two jurisdictions
OSCAL eliminates the dual restrictions
Canadian defense with US interoperability
All through OSCAL's mapping capability
54. 6 Questions You Should Be Ready For
[Verse 1]
You've got your STIG checklists all complete
But the ATO office says "not enough"
They want system documentation, policies neat
SSP and SAP, the comprehensive stuff
STIGs just cover configuration's slice
But authorization needs the whole device
[Chorus]
Six questions that they always ask
STIG and OSCAL, different tasks
One configures, one documents the flow
Both together make your system go
Don't replace, just integrate
OSCAL helps you demonstrate
[Verse 2]
"Does OSCAL make our STIGs obsolete?"
No way, you still need that guidance clear
OSCAL has no config to complete
STIGs tell you what, OSCAL proves it's here
Document and prove across the baseline
Show the full system by design
[Chorus]
Six questions that they always ask
STIG and OSCAL, different tasks
One configures, one documents the flow
Both together make your system go
Don't replace, just integrate
OSCAL helps you demonstrate
[Bridge]
Your GRC tool locks your data inside
OSCAL sets that information free
Import, export, share far and wide
Assessors see what they need to see
No more manual transcription pain
Automation breaks the data chain
[Verse 3]
"How do we start with STIGs in place?"
Component definitions are your friend
ComplianceAsCode helps you embrace
What you've built, don't start again
Import components to your SSP
Leverage investments, build what you see
[Chorus]
Six questions that they always ask
STIG and OSCAL, different tasks
One configures, one documents the flow
Both together make your system go
Don't replace, just integrate
OSCAL helps you demonstrate
[Outro]
From STIG compliance to ATO success
OSCAL bridges what you have to what you need
System-level proof, no more, no less
Both standards plant the security seed