[Verse 1]
When security teams start their inspection
They face a choice of direction
STIG asks one thing, OSCAL asks another
Different questions, like sister and brother
STIG looks close at each product's configuration
OSCAL views the whole system's documentation
[Chorus]
Two different questions, two different ways
STIG asks "Is this configured right today?"
OSCAL asks "Does the system meet requirements?"
Two different standards, two different measurements
Different scope, different goals in sight
Both keep our systems secure and tight
[Verse 2]
DISA built STIG in the late nineties era
Product by product, making configs clearer
Windows Server, Red Hat, Cisco gear
Each gets its own guidance crystal clear
Updated quarterly, keeping pace
With every threat the systems face
[Chorus]
Two different questions, two different ways
STIG asks "Is this configured right today?"
OSCAL asks "Does the system meet requirements?"
Two different standards, two different measurements
Different scope, different goals in sight
Both keep our systems secure and tight
[Verse 3]
NIST created OSCAL in twenty-sixteen
Data interchange for the security scene
Not just config but the full lifecycle
Risk Management Framework, assessment's cycle
System boundaries and authorization
Complete security documentation
[Bridge]
STIG goes narrow, one product deep
OSCAL goes wide, the whole system to keep
Configuration versus control compliance
Different owners, different guidance
But both serve security's greater call
Working together, protecting us all
[Chorus]
Two different questions, two different ways
STIG asks "Is this configured right today?"
OSCAL asks "Does the system meet requirements?"
Two different standards, two different measurements
Different scope, different goals in sight
Both keep our systems secure and tight
[Outro]
Know your question before you start
STIG or OSCAL, they're both an art
Different standards for different needs
Both plant security's vital seeds