[Verse 1]
Every STIG rule carries a key inside
CCI numbers bridge the divide
Three-six-six maps to CM control six
Configuration settings in the mix
Product-specific rules find their way
To framework controls where they'll stay

[Chorus]
Evidence flows from STIG to OSCAL
Step by step, it connects them all
CCI maps the rules, SCAP scans provide proof
Component definitions build the roof
SSP ties it together in the end
Evidence flows, compliance won't bend

[Verse 2]
SCAP scans run and show the truth
Which rules passed, which need proof
XCCDF results become the gold
Evidence attachments to behold
Observations turn to findings clear
GRC tooling makes it appear

[Chorus]
Evidence flows from STIG to OSCAL
Step by step, it connects them all
CCI maps the rules, SCAP scans provide proof
Component definitions build the roof
SSP ties it together in the end
Evidence flows, compliance won't bend

[Bridge]
Component definitions shine the light
RHEL nine configured just right
When STIG's applied the component shows
AC-two, AU-three, that's how it goes
CM-six, IA-five, controls align
Import the component, everything's fine

[Verse 3]
SSP authors bring it all together now
Profile baseline tells them how
Import components, document the way
Each control satisfied day by day
STIG compliance as the mechanism
SCAP results verify the system

[Chorus]
Evidence flows from STIG to OSCAL
Step by step, it connects them all
CCI maps the rules, SCAP scans provide proof
Component definitions build the roof
SSP ties it together in the end
Evidence flows, compliance won't bend

[Outro]
Four steps make the journey complete
From STIG rules to evidence neat
CCI bridges, SCAP transforms
Components define, SSP performs
Evidence flows in perfect line
STIG to OSCAL by design