[Verse 1]
Let's build a system step by step today
Three components in our testing way
Web server front, database behind
App server middle, all aligned
Find the STIG for every part
Apache, Oracle, Tomcat start
Each component needs its own
Security guide to call its own

[Chorus]
Scan Plan Assess Results and Trace
POA and M shows every space
From catalog down to STIG rule
End-to-end pipeline is our tool
OSCAL flows from start to end
Component definitions we depend
SSP imports what we need
Pipeline success is guaranteed

[Verse 2]
SCAP scanner runs across the fleet
Checking every control we meet
Component definitions next in line
Reference STIG compliance fine
Build the SSP with profile import
Assessment plan for full support
Results flow in with SCAP evidence
Gaps become our reference

[Chorus]
Scan Plan Assess Results and Trace
POA and M shows every space
From catalog down to STIG rule
End-to-end pipeline is our tool
OSCAL flows from start to end
Component definitions we depend
SSP imports what we need
Pipeline success is guaranteed

[Bridge]
Trace that finding all the way back
POA and M to results track
Assessment plan to SSP link
Profile catalog CCI think
STIG rule at the very end
Complete circle we defend

[Verse 3]
Generate POA and M for every gap
Assessment results fill the map
From component up to system wide
OSCAL documents are our guide
Nine steps complete the puzzle whole
End-to-end is our main goal

[Chorus]
Scan Plan Assess Results and Trace
POA and M shows every space
From catalog down to STIG rule
End-to-end pipeline is our tool
OSCAL flows from start to end
Component definitions we depend
SSP imports what we need
Pipeline success is guaranteed

[Outro]
Three components, nine clear steps
STIG to OSCAL, no missteps
End-to-end pipeline complete
Security compliance can't be beat