Compliance Working Group in TAG Security #1206
Comments
Org is ready: https://github.com/orgs/oscal-compass/repositories @vikas-agarwal76 Please share the CNCF sandbox request issue content here for @PushkarJ to review. Thanks
@ancatri thank you. Can you add dates and links for the following items in the description
Also @ashutosh-narkar our wonderful Tech Lead will be your point of contact going forward on this! @mnm678 has already assigned the issue to him so he will get notified on any issue updates. @ashutosh-narkar thank you for helping Anca and the rest of the team to take this forward. Please reach out to the chairs in case you need our help at any time.
Happy to help! Please let us know if you need any help or have any questions @ancatri.
@PushkarJ @ancatri Here is the CNCF sandbox issue request content

Title: TrestleGRC

Application contact emails: vikas@in.ibm.com, ancas@in.ibm.com, manjiree.gadgil@ibm.com, jpower@redhat.com

Project Summary: A tooling platform for managing compliance artifacts as code using NIST's OSCAL standard.

Project Description: Trestle is an ensemble of tools that enable the creation, validation, and governance of documentation artifacts for compliance needs. It leverages NIST's OSCAL as a standard data format for interchange between tools and people, and provides an opinionated approach to OSCAL adoption. Trestle based Agile Authoring is designed to operate as a CICD pipeline running on top of compliance artifacts in git, to provide transparency for the state of compliance across multiple stakeholders in an environment friendly to developers. Trestle passes the generated artifacts on to tools that orchestrate the enforcement, measurement, and reporting of compliance.

Org repo URL: https://github.com/oscal-compass

Project repo URL in scope of application: https://github.com/oscal-compass/compliance-trestle

Additional repos in scope of the application: https://github.com/oscal-compass/compliance-trestle-agile-authoring https://github.com/oscal-compass/compliance-to-policy

Website URL: https://oscal-compass.github.io/compliance-trestle/

Roadmap: oscal-compass/compliance-trestle#1480

Roadmap context (optional):

Contributing Guide: https://oscal-compass.github.io/compliance-trestle/contributing/mkdocs_contributing/

Code of Conduct (CoC): https://oscal-compass.github.io/compliance-trestle/mkdocs_code_of_conduct/

Adopters (optional): Provide the URL of the project's Adopters file. If no file exists, move on to the next question.

Contributing or Sponsoring Org (optional): Provide the URL of the project's contributing or sponsoring company/organization. If no such company/organization exists move on to the next question.

Maintainers file: https://oscal-compass.github.io/compliance-trestle/maintainers/

Why CNCF? Why do you want to contribute the project to the CNCF? What value does being part of the CNCF provide the project? Provide detail on why you chose the CNCF that allows the TOC to consider alignment of expectations between the project and the ecosystem.
Moving the project to CNCF will help increase its adoption in the open-source community. It will also bring more people to contribute to this open-source project. A new Compliance TAG is being created in CNCF and trestle will be the anchor project for this TAG.

Benefit to the Landscape: How will adding this project benefit the CNCF landscape? What is the differentiator or enhancement this project provides to existing project, capabilities, or challenges within the landscape?
Trestle is one of the early implementors of the NIST OSCAL standard in the Compliance area. Adding this project to CNCF will greatly increase the reach of CNCF to organizations and people working in the compliance area. Also as we are establishing a new CNCF Compliance TAG, this will be one of the first projects in that TAG and will help attract more projects in the compliance area to move to CNCF sandbox.

Cloud Native 'Fit' (optional): Please explain where you see the project "fitting" in the Cloud Native landscape. This should detail how the project is cloud native, which elements of cloud native the project embodies or exemplifies.
Cloud Native has seen in the recent years adoption for various domains that traditionally used on-prem / dedicated environments - Financial Services, Life Sciences, AI. Shift to continuous compliance, forcing an evolution into the automation and engineering realm with concerns, technologies, and data models specific to modeling compliance - System Security Plan, Audit plan, Kitemarks.
Many commercial, non-profit community and government organizations performing services or providing data storage must abide by national, regional, or local laws and regulations regarding user privacy and data, with assurance of protection of their compute and data processing integrity and resilience. These cross cutting concerns span not only specific technical configuration of software and systems, but also require complex orchestration of human administrative, operational, and design activities, especially when involving audit activities expecting concrete, reviewable independent audit artifacts. Moreover, the timeline for the renewal of these artifacts has shifted recently in many industries from annual and quarterly, to continuous compliance, forcing an evolution of the manual compliance processes into the automation and engineering realm with concerns, technologies, and data models specific to modeling compliance and hence aligned with, but very different from cyber security frameworks. This project helps automate the creation and management of various compliance artifacts in a machine processable format based on the NIST OSCAL standard.

Cloud Native 'Integration' (optional): What CNCF projects does this project complement or depend on, and how?

Cloud Native Overlap (optional): What CNCF projects does this project overlap with, and how?

Similar projects: Please list similar projects in the CNCF or elsewhere. If none exist, provide "N/A".
N/A

Landscape: Are you already listed on the CNCF Landscape?
We are starting under the Security TAG (Pushkar Joglekar, Andrew Martin, Francesco Beltramini) while we work our dedicated CNCF Compliance TAG as a separate landscape (Emily Fox).

Business Product or Service to Project separation: If this project is identical (name, features, etc.) or closely related to one or more products or services of the sponsoring company/organization(s), how do you plan to separate this project from any products in terms of organization and development? If it is not related to a product or service, just provide "N/A".
N/A

Project presentations: Has your project been presented to any TAG? If so, please link meeting notes and/or recordings as applicable.
Compliance TAG review at Security TAG, Wednesday, October 25, 2023 from 1:00 PM to 2:00 PM. MORE DETAILS: https://docs.google.com/document/d/170y5biX9k95hYRwprITprG6Mc9xD5glVn-4mB2Jmi2g/ (Pushkar Joglekar, Andrew Martin andy@control-plane.io, Francesco Beltramini), Emily Fox

Project champions: Please list any people who are part of CNCF leadership (TOC, TAGS, etc.) who can endorse or answer questions about your project.
Robert Ficcaglia rficcaglia@sunstonesecure.com, Anca Sailer ancas@us.ibm.com

Additional information (optional): Any additional information you would like the TOC to consider when evaluating this project?
@ashutosh-narkar @mnm678 @PushkarJ @vikas-agarwal76 Hey! Happy New Year and all the best near your dear ones!
👋🏻 I think we're crossing a few concepts here which I would like to clarify:
Technical Advisory Groups are groups of individuals that provide technical guidance and advise on specific topics or projects within the CNCF. They assist in guiding and shaping the technical direction of the CNCF. Interested individuals may file an issue on the TAG's repo to initiate a working group, begin the discussion with the TAG members, solicit interest, and begin drafting a proposed charter if there is interest. It is recommended those individuals socialize the proposed working group beyond just the TAG it will be homed under, gather support from the TAG leadership in the creation of the charter, and work to refine the working group's objectives and deliverables. Once the charter is in a final state, the TOC Liaisons for the TAG may review and provide their approval of the working group. Once approved, the working group is responsible for reporting their progress and efforts to the TAG in accordance with the TAG governance, who in turn informs the TOC of the entirety of work the TAG and its working groups are engaged in. When a working group reaches sufficient momentum, interest, and growth that aligns with cloud native goals and objectives, has alignment with several cloud native projects, and shows continued execution in alignment with their charter, the TAG and Working Group Leadership may engage the Liaisons to determine if the Working Group is eligible to be reconsidered as a TAG. This process may take a few years as these specific domains evolve and mature in similar fashion to cloud native projects' evolution and maturity. The TOC may then vote to instantiate a new TAG. Couple of things to consider:
Recommendation: Change this issue to focus specifically on establishing a working group within TAG Security for Compliance. Solicit interested individuals in drafting a charter for this group with concurrence from the TAG Security Leadership team. Seek TOC Liaison approval when complete.
@rficcaglia FYI ^
@ancatri as discussed on the last STAG call below is the feedback on the Trestle Sandbox application. Overall the application lgtm. Few things to consider:
@ancatri it would be helpful if you or someone on the team is able to provide a quick summary on the latest in the group on the weekly STAG calls on Wednesday at 10a PST.
@ashutosh-narkar @PushkarJ @mnm678 @vikas-agarwal76 @rficcaglia |
Description: Compliance TAG and CNCF projects
Impact: The Open Source projects Trestle, Agile Authoring, and Compliance2Policy help automate the creation and management of various compliance artifacts in a machine processable format based on NIST OSCAL open standard. This work is aligned with the CNCF strategy and within that the goal toward continuous compliance and compliance as code.
Scope: Planning to collaborate with Security TAG controls, Finos controls, the new AI regulations etc and help with content for compliant technology
Intent to lead: interested in pursuing this work. This statement of intent does not preclude others from co-leading or becoming lead in my stead.
Proposal to Project: lead (Anca and Robert), with call for participation in #compliance-grc Slack channel thread (add link) and mailing list email (add link).
TO DO
Representative
see progress!