[Verse 1]
Start with XCCDF results from your previous scan
Transform those findings to OSCAL's master plan
Assessment Results document is what we need to build
Evidence and observations, let your structure be fulfilled

[Chorus]
From scan to OSCAL, make the data flow
Observations mapped to controls we need to know
POA and M for failures that we find
Assessment Results with validation in mind
XCCDF to OSCAL, transform and align

[Verse 2]
Create observations from the key findings you collect
Each vulnerability needs its proper object to reflect
Map those observations to control objectives clear
Security requirements linked to evidence we hold dear

[Chorus]
From scan to OSCAL, make the data flow
Observations mapped to controls we need to know
POA and M for failures that we find
Assessment Results with validation in mind
XCCDF to OSCAL, transform and align

[Bridge]
When a check fails, don't let it slide
Build a POA and M with remediation guide
Milestones and deadlines, resources assigned
Risk mitigation with a timeline defined

[Verse 3]
Link your findings to the framework that applies
NIST eight hundred fifty three controls comprise
The baseline requirements for your system's security stance
Each observation gives compliance its chance

[Chorus]
From scan to OSCAL, make the data flow
Observations mapped to controls we need to know
POA and M for failures that we find
Assessment Results with validation in mind
XCCDF to OSCAL, transform and align

[Outro]
Validate the structure when your document is done
Assessment Results complete, another victory won
From STIG scanner output to OSCAL's golden gate
Evidence-based compliance seals your system's fate
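The pipeline the song walks through (XCCDF rule results, then one OSCAL observation per result, one finding per observation keyed to a NIST SP 800-53 control, a POA&M with a remediation milestone for every failure, and a final structural check) as a worked example in Python. This is added example code, not the lab's or any project's own transform: the XCCDF TestResult is a constructed sample, the rule-to-control map (RULE_TO_CONTROL), the fixed uuid5 namespace, the `#...-placeholder` hrefs and the 30-day deadline are all assumptions, and field names follow the OSCAL 1.1 JSON layout as far as the author knows them; run the output through the official OSCAL JSON schema before trusting it.

```python
"""Added example for this lab page (not the project's own code): turn a constructed XCCDF 1.2
TestResult into OSCAL Assessment Results plus a POA&M for every failed rule."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}  # XCCDF 1.2 namespace
NAMESPACE = uuid.UUID("5f2d1a0e-0b4c-4b6e-9c1d-4a3f2e1d0c9b")  # constructed; makes uuid5 reproducible

# Constructed sample scanner output; rule ids follow the ComplianceAsCode naming scheme.
SAMPLE_XCCDF = """<?xml version="1.0"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_lab6"
            start-time="2024-01-01T00:00:00Z" end-time="2024-01-01T00:05:00Z">
  <target>host.example.internal</target>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" time="2024-01-01T00:01:00Z"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" time="2024-01-01T00:02:00Z"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events" time="2024-01-01T00:03:00Z"><result>notapplicable</result></rule-result>
</TestResult>"""

# Assumed mapping from XCCDF rule id to NIST SP 800-53 control id.
RULE_TO_CONTROL = {
    "xccdf_org.ssgproject.content_rule_sshd_disable_root_login": "ac-6",
    "xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs": "ia-5",
    "xccdf_org.ssgproject.content_rule_audit_rules_login_events": "au-2",
}

def uid(*parts):
    """Deterministic UUID: rerunning the transform on the same scan yields the same identifiers."""
    return str(uuid.uuid5(NAMESPACE, "/".join(parts)))

def parse_xccdf(xml_text):
    """Pull the target and every rule-result out of an XCCDF TestResult."""
    root = ET.fromstring(xml_text)
    return {"id": root.get("id"), "start": root.get("start-time"), "end": root.get("end-time"),
            "target": root.findtext("x:target", namespaces=NS),
            "rule_results": [{"rule": rr.get("idref"), "time": rr.get("time"),
                              "result": rr.findtext("x:result", namespaces=NS)}
                             for rr in root.findall("x:rule-result", NS)]}

def build_assessment_results(scan, now="2024-01-01T01:00:00Z"):
    """One observation per evaluated rule and one finding per observation, keyed to a control."""
    observations, findings, controls = [], [], set()
    for rr in scan["rule_results"]:
        if rr["result"] not in ("pass", "fail"):
            continue  # notapplicable / notchecked / error make no compliance claim either way
        control = RULE_TO_CONTROL.get(rr["rule"], "unmapped")
        controls.add(control)
        obs_uuid = uid(scan["id"], rr["rule"], "observation")
        observations.append({"uuid": obs_uuid, "title": rr["rule"], "methods": ["TEST"], "collected": rr["time"],
                             "description": f"XCCDF rule {rr['rule']} returned '{rr['result']}' on {scan['target']}.",
                             "subjects": [{"subject-uuid": uid(scan["target"]), "type": "component"}]})
        findings.append({"uuid": uid(scan["id"], rr["rule"], "finding"), "title": f"{control}: {rr['rule']}",
                         "description": f"Control {control} evaluated via XCCDF rule {rr['rule']}.",
                         "target": {"type": "objective-id", "target-id": control,
                                    "status": {"state": "satisfied" if rr["result"] == "pass" else "not-satisfied"}},
                         "related-observations": [{"observation-uuid": obs_uuid}]})
    return {"assessment-results": {
        "uuid": uid(scan["id"], "assessment-results"),
        "metadata": {"title": f"Assessment Results for {scan['target']}", "last-modified": now,
                     "version": "1.0", "oscal-version": "1.1.2"},
        "import-ap": {"href": "#assessment-plan-placeholder"},  # placeholder: no real assessment plan here
        "results": [{"uuid": uid(scan["id"], "result"), "title": "XCCDF scan", "description": "Automated STIG scan",
                     "start": scan["start"], "end": scan["end"],
                     "reviewed-controls": {"control-selections": [{"include-controls": [{"control-id": c} for c in sorted(controls)]}]},
                     "observations": observations, "findings": findings}]}}

def build_poam(ar, due_in_days=30):
    """POA&M: a risk with a planned remediation milestone plus a poam-item for each not-satisfied finding."""
    result = ar["assessment-results"]["results"][0]
    scan_end = datetime.fromisoformat(result["end"].replace("Z", "+00:00"))
    due = (scan_end + timedelta(days=due_in_days)).isoformat().replace("+00:00", "Z")  # assumed deadline
    risks, items = [], []
    for f in result["findings"]:
        if f["target"]["status"]["state"] != "not-satisfied":
            continue  # only failures get a POA&M entry
        risk_uuid = uid(f["uuid"], "risk")
        risks.append({"uuid": risk_uuid, "title": f"Risk from {f['title']}", "description": f["description"],
                      "statement": "Control objective not satisfied by automated check.", "status": "open",
                      "remediations": [{"uuid": uid(f["uuid"], "remediation"), "lifecycle": "planned",
                                        "title": "Apply configuration fix and rescan",
                                        "description": "Assigned resource: system owner (assumed).",
                                        "tasks": [{"uuid": uid(f["uuid"], "milestone"), "type": "milestone",
                                                   "title": "Fix verified by rescan",
                                                   "timing": {"within-date-range": {"start": result["end"], "end": due}}}]}]})
        items.append({"uuid": uid(f["uuid"], "poam-item"), "title": f"Remediate {f['title']}",
                      "description": f["description"], "related-findings": [{"finding-uuid": f["uuid"]}],
                      "related-observations": f["related-observations"], "related-risks": [{"risk-uuid": risk_uuid}]})
    return {"plan-of-action-and-milestones": {"uuid": uid(result["uuid"], "poam"),
            "metadata": {"title": "POA&M", "last-modified": due, "version": "1.0", "oscal-version": "1.1.2"},
            "import-ssp": {"href": "#ssp-placeholder"}, "risks": risks, "poam-items": items}}

def validate(ar, poam):
    """Structural checks only: every cross-reference resolves and every failure has a POA&M item."""
    result = ar["assessment-results"]["results"][0]
    obs_ids = {o["uuid"] for o in result["observations"]}
    failed = {f["uuid"] for f in result["findings"] if f["target"]["status"]["state"] == "not-satisfied"}
    covered = {r["finding-uuid"] for i in poam["plan-of-action-and-milestones"]["poam-items"] for r in i["related-findings"]}
    problems = [f"finding {f['uuid']} cites an unknown observation" for f in result["findings"]
                if any(r["observation-uuid"] not in obs_ids for r in f["related-observations"])]
    return problems + [f"failed finding {u} has no POA&M item" for u in sorted(failed - covered)]
```

Call `build_assessment_results(parse_xccdf(SAMPLE_XCCDF))`, feed the result to `build_poam`, and `json.dumps` both documents to file; `validate` returns an empty list when every finding's observation link resolves and every not-satisfied finding is covered by a POA&M item. Two design choices worth noting: results other than `pass` and `fail` (`notapplicable` in the sample) deliberately produce no observation, so they can never be mistaken for a satisfied control, and the uuid5 derivation means a rescan of the same target reproduces the same identifiers, which keeps POA&M items stable across runs.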