
[discussion] Layers of validations and meaningful compliance evaluation

Open brandtkeller opened this issue 8 months ago • 0 comments

Is your feature request related to a problem? Please describe.

In consideration of transient compliance data we have two classes of validations:

  • executable
  • non-executable

Lula, as an OSCAL-native tool, means that where possible we reference the source of truth for the composition of artifacts. There is an assumption that there are validations we want to run in apps/packages and dev/test/staging environments that we do not want to run in production, due to potential concerns about write operations and the privileges required.

At the same time, we want to be able to evaluate the compliance of production systems in such a way that Automated Governance can build the artifacts and body-of-evidence required to meet accreditation.

Describe the solution you'd like

  • Given machine-readable compliance information
  • When many sources of information are compiled for a production system
  • Then artifacts and evidence can be provided that can be used for accreditation

Describe alternatives you've considered

Create a stance where any executable validations that are not validated mark the finding as not-satisfied

brandtkeller avatar Jun 12 '24 20:06 brandtkeller
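To make the two validation classes and the "not executed means not-satisfied" stance from the alternatives section concrete, here is an added example that is not Lula code. The UUIDs are constructed, and the lenient `fail_closed=False` variant is assumed only for comparison with the proposed stance.

```python
# Added example (not Lula code): models executable vs non-executable validations
# and the fail-closed stance from the issue's alternatives section.
from dataclasses import dataclass
from enum import Enum

class Kind(Enum):
    EXECUTABLE = "executable"          # runs against the target; may need write privileges
    NON_EXECUTABLE = "non-executable"  # evaluates already-collected evidence, read-only

class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    NOT_RUN = "not-run"  # skipped, e.g. an executable check disallowed in production

@dataclass
class Validation:
    uuid: str
    kind: Kind
    result: Result

def skip_executable(validations):
    """Production posture: executable validations are not run, only recorded as skipped."""
    return [Validation(v.uuid, v.kind, Result.NOT_RUN) if v.kind is Kind.EXECUTABLE else v
            for v in validations]

def evaluate_finding(validations, fail_closed=True):
    """Collapse one control's validations into 'satisfied' or 'not-satisfied'.

    fail_closed=True is the stance proposed in the issue: any validation that was
    not executed makes the finding not-satisfied. fail_closed=False (assumed lenient
    variant) ignores skipped validations but still needs at least one passing result.
    """
    if any(v.result is Result.FAIL for v in validations):
        return "not-satisfied"
    skipped = [v for v in validations if v.result is Result.NOT_RUN]
    passed = [v for v in validations if v.result is Result.PASS]
    if fail_closed and skipped:
        return "not-satisfied"
    if not passed:
        return "not-satisfied"  # no evidence at all
    return "satisfied"

# Constructed sample: one read-only evidence check and one executable check for a control.
DEV_VALIDATIONS = [
    Validation("11111111-1111-4111-8111-111111111111", Kind.NON_EXECUTABLE, Result.PASS),
    Validation("22222222-2222-4222-8222-222222222222", Kind.EXECUTABLE, Result.PASS),
]
PROD_VALIDATIONS = skip_executable(DEV_VALIDATIONS)

if __name__ == "__main__":
    print("dev              :", evaluate_finding(DEV_VALIDATIONS))
    print("prod, fail closed:", evaluate_finding(PROD_VALIDATIONS))
    print("prod, lenient    :", evaluate_finding(PROD_VALIDATIONS, fail_closed=False))
```

The same validation set yields a satisfied finding in dev but a not-satisfied one in production under the fail-closed stance, which is exactly the gap the issue asks how to close with non-executable evidence.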