[Verse 1]
At the bottom lie our systems real and true
Servers, databases, and cloud services too
Network devices running day and night
These are the things we need to keep secure and right

[Chorus]
Stack it up, stack it up, layer by layer
STIG and SCAP, OSCAL makes it clearer
From systems up to authorization's call
Six layers strong in the compliance wall
Stack it up, stack it up, unified and whole
Each layer plays its vital role

[Verse 2]
STIG rules define the technical way
SCAP benchmarks guide us day by day
Scan results prove our settings are right
Product configurations shining bright

[Chorus]
Stack it up, stack it up, layer by layer
STIG and SCAP, OSCAL makes it clearer
From systems up to authorization's call
Six layers strong in the compliance wall
Stack it up, stack it up, unified and whole
Each layer plays its vital role

[Verse 3]
Controls layer brings the catalog to life
Profile cuts through regulatory strife
These are the controls that apply to me
With parameter values set precisely

[Bridge]
Implementation tells our story complete
Component definitions make the suite
System Security Plan ties it together neat
Shows how every control we meet

[Verse 4]
Assessment layer documents the test
Plan and results put us to the test
POA and M for gaps we find
Fixes planned with deadline in mind

[Chorus]
Stack it up, stack it up, layer by layer
STIG and SCAP, OSCAL makes it clearer
From systems up to authorization's call
Six layers strong in the compliance wall
Stack it up, stack it up, unified and whole
Each layer plays its vital role

[Outro]
Authorizing Official at the top
Grants the ATO or makes it stop
Six layers unified from ground to sky
That's how compliance reaches high