[Verse 1]
In the world of compliance there's a missing link
STIG and SCAP just tell you what to think
But when findings surface you can't trace them back
To the source control through the paper stack

[Chorus]
Native traceability, machine can verify
Every finding flows upstream, no more wondering why
Catalog to Profile to SSP in line
Assessment Plan to Results, traceability by design
Follow the arrows back, follow the arrows back
Native traceability fills the compliance gap

[Verse 2]
OSCAL models import from the one before
Creating chains that weren't there before
Assessment Results point to where they came
Through System Security Plans it's not the same

[Chorus]
Native traceability, machine can verify
Every finding flows upstream, no more wondering why
Catalog to Profile to SSP in line
Assessment Plan to Results, traceability by design
Follow the arrows back, follow the arrows back
Native traceability fills the compliance gap

[Bridge]
Component Definition feeds the system plan
Assessment flows downstream as designed by human hands
But when you find an issue in the results you see
Trace it back through profiles to the catalog with ease
No more guessing games, no more manual search
Machine-verifiable paths through the research

[Verse 3]
POA and M connects to what was found
Assessment Results keep the findings sound
Every arrow points to provenance clear
The fundamental thing that STIG can't engineer

[Final Chorus]
Native traceability, machine can verify
Every finding flows upstream, no more wondering why
Catalog to Profile to SSP in line
Assessment Plan to Results, traceability by design
Follow the arrows back, follow the arrows back
Native traceability fills the compliance gap

[Outro]
When compliance fails you'll know exactly where
Native traceability shows the path was always there
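The "follow the arrows back" idea in the song is concrete in OSCAL: each model names the document it imports, so a script can walk from Assessment Results (or a POA&M) back to the Profile and Catalog and fail if a link is dangling or circular. The example below is added here and is not part of the original page or of the OSCAL project; the import field names (profile `imports[].href`, SSP `import-profile.href`, assessment plan `import-ssp.href`, assessment results `import-ap.href`, POA&M `import-ssp.href`) are the real OSCAL ones, while the documents, their file names, UUIDs and control id are constructed for illustration.

```python
"""Walk the OSCAL import chain upstream from a result back to its catalog.

Added example, not code from the original page. The sample documents are
constructed, minimal OSCAL-shaped JSON; only the import field names are real.
"""
import json

# For each OSCAL model: the field that names its upstream import, or None for
# a catalog, which is the root of every chain.
UPSTREAM_LINK = {
    "catalog": None,
    "profile": ("imports", "href"),                 # list of {"href": ...}
    "system-security-plan": ("import-profile", "href"),
    "assessment-plan": ("import-ssp", "href"),
    "assessment-results": ("import-ap", "href"),
    "plan-of-action-and-milestones": ("import-ssp", "href"),
}

# Constructed sample documents keyed by the href other documents use for them.
DOCS = {
    "catalog.json": json.dumps({"catalog": {"uuid": "c-1", "controls": [{"id": "ac-2"}]}}),
    "profile.json": json.dumps({"profile": {"uuid": "p-1", "imports": [{"href": "catalog.json"}]}}),
    "ssp.json": json.dumps({"system-security-plan": {"uuid": "s-1", "import-profile": {"href": "profile.json"}}}),
    "ap.json": json.dumps({"assessment-plan": {"uuid": "ap-1", "import-ssp": {"href": "ssp.json"}}}),
    "ar.json": json.dumps({"assessment-results": {"uuid": "ar-1", "import-ap": {"href": "ap.json"}}}),
    "poam.json": json.dumps({"plan-of-action-and-milestones": {"uuid": "m-1", "import-ssp": {"href": "ssp.json"}}}),
    # Two failure modes a verifier should catch: a dangling import and a cycle.
    "ssp-broken.json": json.dumps({"system-security-plan": {"uuid": "s-2", "import-profile": {"href": "missing.json"}}}),
    "cycle-a.json": json.dumps({"profile": {"uuid": "p-a", "imports": [{"href": "cycle-b.json"}]}}),
    "cycle-b.json": json.dumps({"profile": {"uuid": "p-b", "imports": [{"href": "cycle-a.json"}]}}),
}


def model_of(doc):
    """Return (model name, model body) for a parsed single-model OSCAL document."""
    (name, body), = doc.items()
    if name not in UPSTREAM_LINK:
        raise ValueError(f"not a known OSCAL model: {name}")
    return name, body


def upstream_hrefs(name, body):
    """Hrefs this document imports; a catalog imports nothing."""
    link = UPSTREAM_LINK[name]
    if link is None:
        return []
    field, key = link
    value = body.get(field)
    if value is None:
        return []
    items = value if isinstance(value, list) else [value]
    return [item[key] for item in items]


def trace_upstream(href, docs=DOCS, ancestors=()):
    """Follow import links from `href` back to the catalog(s).

    Returns an ordered list of (href, model) steps. Raises KeyError on a
    dangling href and ValueError on an import cycle, so an automated check
    fails loudly instead of silently stopping partway up the chain.
    """
    if href in ancestors:
        raise ValueError(f"import cycle at {href}")
    if href not in docs:
        raise KeyError(f"dangling import: {href}")
    name, body = model_of(json.loads(docs[href]))
    path = [(href, name)]
    for up in upstream_hrefs(name, body):
        path.extend(trace_upstream(up, docs, ancestors + (href,)))
    return path


def verify_chain(href, docs=DOCS):
    """Machine check: does the chain from `href` reach a catalog intact?

    Returns (ok, detail) where detail is the list of model names on the
    path, or the error message when the chain is broken.
    """
    try:
        path = trace_upstream(href, docs)
    except (KeyError, ValueError) as exc:
        return False, str(exc)
    return path[-1][1] == "catalog", [model for _, model in path]


if __name__ == "__main__":
    for start in ("ar.json", "poam.json", "ssp-broken.json", "cycle-a.json"):
        print(start, verify_chain(start))
```

Run against real OSCAL content, `DOCS` would be replaced by a loader that resolves each `href` from the repository or an HTTP fetch; the walk itself is unchanged, which is the point of the song: the arrows are in the data, not in a spreadsheet.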