[Verse 1]
In the world of compliance there's a tale to tell
Two different layers working oh so well
STIGs and SCAP down at configuration ground
Checking every setting that can be found
Product specific rules they verify and test
While OSCAL sits above doing governance best
[Chorus]
Configuration down below
Governance up above
STIG and SCAP make settings flow
OSCAL models what we love
Catalogs and baselines too
SSPs in machine format
Evidence feeds right on through
That's where both the layers at
[Verse 2]
OSCAL speaks in structured data streams
Control catalogs and assessment schemes
System security plans in readable code
Assessment results down a digital road
While STIG scans tell you what's right or wrong
OSCAL makes the governance strong
[Chorus]
Configuration down below
Governance up above
STIG and SCAP make settings flow
OSCAL models what we love
Catalogs and baselines too
SSPs in machine format
Evidence feeds right on through
That's where both the layers at
[Bridge]
ComplianceAsCode builds the bridge between
Compliance Trestle keeps the pathway clean
STIG content becomes component definitions
OSCAL ready for all implementations
Two layers working hand in hand
Making compliance easier to understand
[Chorus]
Configuration down below
Governance up above
STIG and SCAP make settings flow
OSCAL models what we love
Catalogs and baselines too
SSPs in machine format
Evidence feeds right on through
That's where both the layers at
[Outro]
From settings to governance they unite
Making compliance frameworks work just right