[Sandbox] TrestleGRC
Application contact emails
[email protected], [email protected], [email protected], [email protected]
Project Summary
A tooling platform for managing compliance artifacts as code using NIST's OSCAL standard.
Project Description
This project helps automate the creation and management of various compliance artifacts in a machine-processable format based on the NIST OSCAL standard. The OSCAL standard provides a compliance framework and the corresponding set of key compliance artifacts expressed in machine-processable formats, enabling all compliance documents to be treated as code and therefore processed and managed in the same manner.
Trestle is an ensemble of tools that enable the creation, validation, and governance of documentation artifacts for compliance needs. It leverages NIST's OSCAL as a standard data format for interchange between tools and people, and provides an opinionated approach to OSCAL adoption.
Trestle-based Agile Authoring is designed to operate as a CI/CD pipeline running on top of compliance artifacts in git, to provide transparency about the state of compliance across multiple stakeholders in an environment friendly to developers. Trestle passes the generated artifacts on to tools that orchestrate the enforcement, measurement, and reporting of compliance.
Org repo URL (provide if all repos under the org are in scope of the application)
https://github.com/oscal-compass
Project repo URL in scope of application
https://github.com/oscal-compass/compliance-trestle
Additional repos in scope of the application
https://github.com/oscal-compass/compliance-trestle-agile-authoring https://github.com/oscal-compass/compliance-to-policy https://github.com/oscal-compass/compliance-trestle-fedramp
There are a few additional repos in the organization for sample content and demos, which are also in scope.
Website URL
https://oscal-compass.github.io/compliance-trestle/
Roadmap
https://github.com/oscal-compass/compliance-trestle/issues/1480
Roadmap context
No response
Contributing Guide
https://oscal-compass.github.io/compliance-trestle/contributing/mkdocs_contributing/
Code of Conduct (CoC)
https://oscal-compass.github.io/compliance-trestle/mkdocs_code_of_conduct/
Adopters
No response
Contributing or Sponsoring Org
https://www.ibm.com/
Maintainers file
https://oscal-compass.github.io/compliance-trestle/maintainers/
IP Policy
- [X] If the project is accepted, I agree the project will follow the CNCF IP Policy
Trademark and accounts
- [X] If the project is accepted, I agree to donate all project trademarks and accounts to the CNCF
Why CNCF?
Moving the project to CNCF will help increase its visibility and adoption in the open-source community. It will also bring more people to contribute to this open-source project.
Benefit to the Landscape
As organizations move their sensitive workloads to public cloud environments, they need to comply with multiple different regulations. Hence, they need to modernize from manual, document-based compliance management to automated processes for continuous compliance, known as compliance-as-code.
Trestle is one of the early implementers of the NIST OSCAL standard in the compliance area; it enables all compliance documents to be treated as code and therefore processed and managed in the same manner. Adding this project to CNCF will greatly increase the reach of CNCF to organizations and people working in the compliance area.
Cloud Native 'Fit'
Cloud Native has seen adoption in recent years across domains that traditionally used on-prem / dedicated environments: Financial Services, Life Sciences, AI. The shift to continuous compliance forces an evolution into the automation and engineering realm, with concerns, technologies, and data models specific to modelling compliance (System Security Plan, audit plan artifacts).
Many commercial, non-profit community and government organizations performing services or providing data storage must abide by national, regional, or local laws and regulations regarding user privacy and data, with assurance of protection of their compute and data processing integrity and resilience. These cross cutting concerns span not only specific technical configuration of software and systems, but also require complex orchestration of human administrative, operational, and design activities, especially when involving audit activities expecting concrete, reviewable independent audit artifacts.
Moreover, the timeline for the renewal of these artifacts has shifted recently in many industries from annual and quarterly to continuous compliance, forcing an evolution of the manual compliance processes into the automation and engineering realm, with concerns, technologies, and data models specific to modeling compliance and hence aligned with, but very different from, cyber-security frameworks.
This project helps automate the creation and management of various compliance artifacts in a machine-processable format based on the NIST OSCAL standard.
Cloud Native 'Integration'
No response
Cloud Native Overlap
No response
Similar projects
N/A
Landscape
We are starting under the Security TAG (Pushkar Joglekar, Andrew Martin, Francesco Beltramini) while we work to find the right working group / TAG for compliance related projects.
Business Product or Service to Project separation
N/A
Project presentations
Compliance TAG review at Security TAG - Wednesday, October 25, 2023 from 1:00 PM to 2:00 PM MORE DETAILS: https://docs.google.com/document/d/170y5biX9k95hYRwprITprG6Mc9xD5glVn-4mB2Jmi2g/
Pushkar Joglekar, Andrew Martin ([email protected]), Francesco Beltramini, Emily Fox
Project champions
Robert Ficcaglia [email protected] Anca Sailer [email protected]
Additional information
No response
@amye Please provide any updates based on the review that happened on 23 Jan. What are the next steps for us?
This project was not reviewed. It may be reviewed in the April 9th session, but it's not guaranteed.
@amye Hi, HNY :) I guess in the interest of our collaborators and users we should start the Office Hours - we reached 7k downloads per months and are interested to link to the community asap, rather than wait for months. What do you suggest?
@amye is there any way/condition to accelerate the process? also, was there any specific reason it was not reviewed (I assumed workload, but just to validate) Thank you!
This project was not reviewed. It may be reviewed in the April 9th session, but it's not guaranteed.
This is the next scheduled review session.
@amye Thank you for your reply, I understand we moved to April. Can you please help with the clarification question: did you guys run out of time OR was it anything about our submission? Thanks so much for shedding some light here!
For instance, the org has 3 projects that work together; do we submit a joint sandbox request (as the one submitted above) OR should we submit a request for each project? Thanks!
It wasn't discussed, the TOC has not yet provided input on this.
@amye Hi! What was the outcome for this project in the last CNCF Sandbox review? Thanks!
This project was not reviewed. Projects in the 'upcoming' queue are reviewed by the TOC in a meeting.
TAG-CS review, this project has:
- A fairly complete Contributing document
- A well-developed contributor ladder, but no other written governance
- 6 maintainers from IBM and one from Red Hat
@jberkus Thanks for your review. We have added the governance structure at the oscal-compass organization level. It is available here - https://github.com/oscal-compass/community/blob/main/GOVERNANCE.md
@vikas-agarwal76 what's the relationship between oscal-compass and the rest of the project?
@jberkus oscal-compass is the GitHub organization which has compliance-trestle as the main (or anchor) project and a few other projects such as agile-authoring and compliance-to-policy which work together with the compliance-trestle project. The link to each of the projects is included in the submission.
Follow-up from today's sandbox review, TrestleGRC will be moved to a vote 👍 /vote
Vote created
@mrbobbytables has called for a vote on [Sandbox] TrestleGRC (#78).
The members of the following teams have binding votes:
Team |
---|
@cncf/cncf-toc |
Non-binding votes are also appreciated as a sign of support!
How to vote
You can cast your vote by reacting to this
comment. The following reactions are supported:
In favor | Against | Abstain |
---|---|---|
👍 | 👎 | 👀 |
Please note that voting for multiple options is not allowed and those votes won't be counted.
The vote will be open for 2 months 30 days 2h 52m 48s. It will pass if at least 66% of the users with binding votes vote In favor 👍. Once it's closed, results will be published here as a new comment.
I will be abstaining due to a conflict of interest.
@jberkus in yesterday's meeting IIUC I wanted to clarify that this project does not develop compliance standards.
From our community README: The OSCAL Compass project is a set of tools that enable the creation, validation, and governance of documentation artifacts for compliance needs. It leverages NIST's OSCAL (Open Security Controls Assessment Language) as a standard data format for interchange between tools and people, and provides an opinionated approach to OSCAL adoption.
Does this clear up the confusion?
/check-vote
Vote status
So far 0.00% of the users with binding vote are in favor (passing threshold: 66%).
Summary
In favor | Against | Abstain | Not voted |
---|---|---|---|
0 | 0 | 0 | 11 |
Binding votes (0)
User | Vote | Timestamp |
---|---|---|
@dims | Pending | |
@rochaporto | Pending | |
@angellk | Pending | |
@mauilion | Pending | |
@linsun | Pending | |
@dzolotusky | Pending | |
@kevin-wangzefeng | Pending | |
@cathyhongzhang | Pending | |
@nikhita | Pending | |
@TheFoxAtWork | Pending | |
@kgamanji | Pending | |
/check-vote
Votes can only be checked once a day.
/check-vote
Vote status
So far 54.55% of the users with binding vote are in favor (passing threshold: 66%).
Summary
In favor | Against | Abstain | Not voted |
---|---|---|---|
6 | 0 | 1 | 4 |
Binding votes (7)
User | Vote | Timestamp |
---|---|---|
kgamanji | In favor | 2024-06-18 6:39:03.0 +00:00:00 |
rochaporto | In favor | 2024-06-18 7:59:23.0 +00:00:00 |
dzolotusky | In favor | 2024-06-18 5:13:18.0 +00:00:00 |
linsun | In favor | 2024-06-18 14:27:18.0 +00:00:00 |
TheFoxAtWork | Abstain | 2024-06-18 17:35:53.0 +00:00:00 |
nikhita | In favor | 2024-06-18 4:33:26.0 +00:00:00 |
dims | In favor | 2024-06-18 13:55:18.0 +00:00:00 |
@angellk | Pending | |
@mauilion | Pending | |
@kevin-wangzefeng | Pending | |
@cathyhongzhang | Pending | |
Non-binding votes (1)
User | Vote | Timestamp |
---|---|---|
vikas-agarwal76 | In favor | 2024-06-18 14:51:55.0 +00:00:00 |
/check-vote
Vote status
So far 63.64% of the users with binding vote are in favor (passing threshold: 66%).
Summary
In favor | Against | Abstain | Not voted |
---|---|---|---|
7 | 0 | 1 | 3 |
Binding votes (8)
User | Vote | Timestamp |
---|---|---|
TheFoxAtWork | Abstain | 2024-06-18 17:35:53.0 +00:00:00 |
dims | In favor | 2024-06-18 13:55:18.0 +00:00:00 |
dzolotusky | In favor | 2024-06-18 5:13:18.0 +00:00:00 |
rochaporto | In favor | 2024-06-18 7:59:23.0 +00:00:00 |
kevin-wangzefeng | In favor | 2024-06-19 3:36:04.0 +00:00:00 |
linsun | In favor | 2024-06-18 14:27:18.0 +00:00:00 |
nikhita | In favor | 2024-06-18 4:33:26.0 +00:00:00 |
kgamanji | In favor | 2024-06-18 6:39:03.0 +00:00:00 |
@angellk | Pending | |
@mauilion | Pending | |
@cathyhongzhang | Pending | |
Non-binding votes (1)
User | Vote | Timestamp |
---|---|---|
vikas-agarwal76 | In favor | 2024-06-19 4:57:50.0 +00:00:00 |
/check-vote
Votes can only be checked once a day.
Vote closed
The vote passed! 🎉
72.73% of the users with binding vote were in favor (passing threshold: 66%).
Summary
In favor | Against | Abstain | Not voted |
---|---|---|---|
8 | 0 | 1 | 2 |
Binding votes (9)
User | Vote | Timestamp |
---|---|---|
@TheFoxAtWork | Abstain | 2024-06-18 17:35:53.0 +00:00:00 |
@kevin-wangzefeng | In favor | 2024-06-19 3:36:04.0 +00:00:00 |
@rochaporto | In favor | 2024-06-18 7:59:23.0 +00:00:00 |
@cathyhongzhang | In favor | 2024-06-20 22:45:34.0 +00:00:00 |
@nikhita | In favor | 2024-06-18 4:33:26.0 +00:00:00 |
@linsun | In favor | 2024-06-18 14:27:18.0 +00:00:00 |
@kgamanji | In favor | 2024-06-18 6:39:03.0 +00:00:00 |
@dims | In favor | 2024-06-18 13:55:18.0 +00:00:00 |
@dzolotusky | In favor | 2024-06-18 5:13:18.0 +00:00:00 |
Non-binding votes (1)
User | Vote | Timestamp |
---|---|---|
@vikas-agarwal76 | In favor | 2024-06-19 4:57:50.0 +00:00:00 |
Hello and congrats on being accepted as a CNCF Sandbox project!
Here is the link to your onboarding task list: https://github.com/cncf/sandbox/issues/136
Feel free to reach out with any questions you might have!