[Verse 1]
You've got your OSCAL documentation done
Controls mapped out, implementation begun
You think you're finished, ready to declare
"I don't need SCAP scans, my docs are there"

[Pre-Chorus]
But documents tell you what should be
Not what's actually running free

[Chorus]
OSCAL shows the plan, SCAP proves it's real
Documentation lies without that technical feel
You can't write fiction, call it compliance gold
Verification matters, that's the story told
OSCAL shows the plan, SCAP proves it's real

[Verse 2]
Your security control says encryption's on
But is the cipher strong or is it gone?
OSCAL describes the policy you wrote
SCAP scans will tell you if systems actually note

[Pre-Chorus]
Implementation and reality
Often differ drastically

[Chorus]
OSCAL shows the plan, SCAP proves it's real
Documentation lies without that technical feel
You can't write fiction, call it compliance gold
Verification matters, that's the story told
OSCAL shows the plan, SCAP proves it's real

[Bridge]
Trust but verify, the old saying goes
OSCAL is trust, but SCAP really knows
Evidence matters in the compliance game
Without both together, you'll shoulder the blame

[Verse 3]
Your framework's beautiful, controls align
But are the systems following that design?
OSCAL documents intention clear
SCAP scanning shows what's really here

[Final Chorus]
OSCAL shows the plan, SCAP proves it's real
Documentation lies without that technical feel
You can't write fiction, call it compliance gold
Verification matters, that's the story told
OSCAL plus SCAP makes the process whole

[Outro]
Don't skip the scans when OSCAL's complete
Evidence and documentation make compliance sweet