[Verse 1]
They look the same upon first glance
Two documents that seem to dance
Around compliance and control
But dig deeper and you'll know
A STIG checklist checks one thing
Single product, single ring
One system with its rules defined
CKL format, narrow mind

[Chorus]
No they're not the same at all
STIG is small, OSCAL is tall
Checklist narrow, Results wide
Different scope on either side
CKL checks the parts alone
Assessment Results own the throne
Of system-wide authority
That's the key distinction, see

[Verse 2]
Assessment Results paint the scene
Of entire systems, complete and clean
With evidence and risk in view
Authorization pathway too
They link controls to findings clear
Show the full security sphere
While checklists just say pass or fail
On configuration's simple tale

[Chorus]
No they're not the same at all
STIG is small, OSCAL is tall
Checklist narrow, Results wide
Different scope on either side
CKL checks the parts alone
Assessment Results own the throne
Of system-wide authority
That's the key distinction, see

[Bridge]
One product versus system whole
Individual versus total goal
Rules and settings versus controls
Compliance parts versus complete souls
Configuration versus authorization
Single check versus full foundation

[Chorus]
No they're not the same at all
STIG is small, OSCAL is tall
Checklist narrow, Results wide
Different scope on either side
CKL checks the parts alone
Assessment Results own the throne
Of system-wide authority
That's the key distinction, see

[Outro]
So when someone says they're equal friends
Remember where each document ends
STIG checklists check the single part
Assessment Results are the art
Of system-wide compliance view
Now you know what each can do