[Verse 1]
Start with your system boundary defined
List every product that you can find
Match each component to its STIG guide
OSCAL definitions by your side
Import them all into your SSP
Document the gaps for policy

[Chorus]
Four patterns weaving STIG and OSCAL tight
Pattern one through four, get compliance right
From SSP authoring to monitoring flow
These integration patterns help your security grow

[Verse 2]
Run your SCAP scans across the fleet
XCCDF results make the cycle complete
Transform those findings into OSCAL form
Assessment results keep evidence warm
Map every finding to control objectives
POA and M entries stay selective

[Chorus]
Four patterns weaving STIG and OSCAL tight
Pattern one through four, get compliance right
From SSP authoring to monitoring flow
These integration patterns help your security grow

[Bridge]
Schedule your scans on DoD time
Weekly, monthly, keep in line
Pipeline processes delta changes
New and closed findings it arranges
Dashboard shows your risk posture clear
OSCAL-based monitoring year after year

[Verse 3]
Pattern three completes the automation
Continuous monitoring across the nation
Pattern four builds on what we've learned
Making sure no stone's left unturned
From component definitions to live assessment
These patterns ensure your security investment

[Chorus]
Four patterns weaving STIG and OSCAL tight
Pattern one through four, get compliance right
From SSP authoring to monitoring flow
These integration patterns help your security grow

[Outro]
STIG-informed authoring leads the way
SCAP to OSCAL every day
Continuous monitoring never sleeps
Integration patterns your security keeps
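Verse 2 and the bridge describe the SCAP-to-OSCAL step and the delta processing that follows it. As an added example, not code from the chapter, here is one way to turn XCCDF rule-results into an OSCAL assessment-results entry and to compute the new/closed findings between two scans; the XCCDF fragment, rule IDs and rule-to-control crosswalk are constructed, and the OSCAL field names follow the assessment-results model as I understand it.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
XCCDF_TO_STATE = {"pass": "satisfied", "fail": "not-satisfied"}  # other outcomes raise no finding

# Constructed XCCDF TestResult and rule-to-control crosswalk; illustrative, not from any real STIG.
SAMPLE_XCCDF = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_1">
  <target>host01.example.test</target>
  <rule-result idref="xccdf_example_rule_login_banner"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_audit_logons"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_smartcard"><result>notapplicable</result></rule-result>
</TestResult>"""
RULE_TO_CONTROL = {"xccdf_example_rule_login_banner": "ac-8",
                   "xccdf_example_rule_audit_logons": "au-2", "xccdf_example_rule_smartcard": "ia-2.12"}


def xccdf_to_oscal(xml_text, rule_to_control):
    """Turn XCCDF rule-results into one OSCAL assessment-results 'result' entry."""
    root = ET.fromstring(xml_text)
    now = datetime.now(timezone.utc).isoformat()
    target = root.findtext("x:target", namespaces=NS)
    observations, findings = [], []
    for rr in root.findall("x:rule-result", NS):
        rule, outcome = rr.get("idref"), rr.findtext("x:result", namespaces=NS)
        obs_uuid = str(uuid.uuid4())
        observations.append({  # every rule-result is evidence, whatever its outcome
            "uuid": obs_uuid, "title": rule, "methods": ["TEST"], "collected": now,
            "description": f"XCCDF result '{outcome}' on {target}"})
        state = XCCDF_TO_STATE.get(outcome)
        if state is None:  # notapplicable / notchecked: keep the evidence, raise no finding
            continue
        findings.append({  # an unmapped rule is a crosswalk bug, so a KeyError here is wanted
            "uuid": str(uuid.uuid4()), "title": rule, "description": f"STIG rule evaluated {outcome}",
            "target": {"type": "objective-id", "target-id": rule_to_control[rule],
                       "status": {"state": state}},
            "related-observations": [{"observation-uuid": obs_uuid}]})
    return {"uuid": str(uuid.uuid4()), "title": f"SCAP scan of {target}", "start": now,
            "observations": observations, "findings": findings}

def open_targets(result):
    # Control objectives left not-satisfied: the set POA&M entries are drawn from
    return {f["target"]["target-id"] for f in result["findings"]
            if f["target"]["status"]["state"] == "not-satisfied"}

def finding_delta(previous, current):
    # (newly opened, newly closed) between two scans, for delta processing in the pipeline
    before, after = open_targets(previous), open_targets(current)
    return sorted(after - before), sorted(before - after)
```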