6 Questions You Should Be Ready For

breakstep synthwave, raga jazz, drum and bass acoustic rock

Lyrics

[Verse 1]
You've got your STIG checklists all complete
But the ATO office says "not enough"
They want system documentation, policies neat
SSP and SAP, the comprehensive stuff
STIGs just cover configuration's slice
But authorization needs the whole device

[Chorus]
Six questions that they always ask
STIG and OSCAL, different tasks
One configures, one documents the flow
Both together make your system go
Don't replace, just integrate
OSCAL helps you demonstrate

[Verse 2]
"Does OSCAL make our STIGs obsolete?"
No way, you still need that guidance clear
OSCAL has no config to complete
STIGs tell you what, OSCAL proves it's here
Document and prove across the baseline
Show the full system by design

[Chorus]
Six questions that they always ask
STIG and OSCAL, different tasks
One configures, one documents the flow
Both together make your system go
Don't replace, just integrate
OSCAL helps you demonstrate

[Bridge]
Your GRC tool locks your data inside
OSCAL sets that information free
Import, export, share far and wide
Assessors see what they need to see
No more manual transcription pain
Automation breaks the data chain

[Verse 3]
"How do we start with STIGs in place?"
Component definitions are your friend
ComplianceAsCode helps you embrace
What you've built, don't start again
Import components to your SSP
Leverage investments, build what you see

[Chorus]
Six questions that they always ask
STIG and OSCAL, different tasks
One configures, one documents the flow
Both together make your system go
Don't replace, just integrate
OSCAL helps you demonstrate

[Outro]
From STIG compliance to ATO success
OSCAL bridges what you have to what you need
System-level proof, no more, no less
Both standards plant the security seed
