As a security practitioner, I would like to control the oscal content independently of the project. #24

Open
Compton-US opened this issue Nov 30, 2022 · 0 comments

Post ACSAC

When planning security, and preparing assessments, I would want to collaborate with my security partners independently of developers and any project. If the project was a submodule that I could potentially link into multiple projects, I could control the growth of the plans and assessments without being blocked, or blocking a product development team. This would allow me to work in a more friendly way with the development team.

One thought around this: if we decide to take this next step at some point, should the project have a component definition that describes the implementation of AC-8 for the demo app that can then be used by the SSP?

General thought:

  • Security practitioner triggers a GitHub action.
  • GitHub action checks out associated projects.
  • Something checks for component definitions in each project's .oscal directory.
  • Fails if not present. (optionally: warns [maybe: depending on branch])
  • Pulls relevant CDef content into SSP, generating a new SSP if CDefs changed.
  • Continues with assessment in another action if all passes.

The above should include steps to validate models where appropriate, and do any required profile resolution as we do now.

This would also open the possibility of integrating GRC tools into the specific OSCAL content repo.

This may also allow us to start establishing a pattern for storing content so that multiple GRC tools can work on the same content. (Very fuzzy thought, but wanted to capture it here for future thinking and discussion)
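The "check each project's .oscal directory for a component definition, fail or warn depending on branch" step from the list above, as an added example rather than code from this issue or the project. It assumes a hypothetical layout in which every checked-out project sits as a subdirectory under one root, treats any file in a project's `.oscal/` directory with `component-definition` in its name as the CDef, and takes "fail on main, warn on every other branch" as an assumed policy; the sample projects it builds are constructed for a stand-alone run.

```shell
#!/usr/bin/env sh
# Added example, not from the issue or the project. Hypothetical layout:
#   <root>/<project>/.oscal/*component-definition*.(json|xml|yaml)
# check_cdefs <root> <mode>
#   mode "fail": return 1 if any project lacks a component definition
#   mode "warn": report the gaps but return 0 so later steps may continue
check_cdefs() {
  root=$1
  mode=${2:-fail}
  missing=0
  for project in "$root"/*/; do
    project=${project%/}
    name=$(basename "$project")
    # Look only at the top level of .oscal/ for a component definition file.
    if find "$project/.oscal" -maxdepth 1 -type f \
         \( -name '*component-definition*.json' \
            -o -name '*component-definition*.xml' \
            -o -name '*component-definition*.yaml' \) 2>/dev/null | grep -q .; then
      echo "ok: $name has a component definition"
    else
      echo "missing: $name has no component definition in .oscal/"
      missing=$((missing + 1))
    fi
  done
  if [ "$missing" -gt 0 ] && [ "$mode" = fail ]; then
    return 1
  fi
  return 0
}

# mode_for_branch <branch>: the branch-dependent policy the issue floats.
# Assumed here: only main blocks the pipeline; other branches just warn.
mode_for_branch() {
  case "$1" in
    main) echo fail ;;
    *)    echo warn ;;
  esac
}

# make_sample: constructed sample checkout with two projects, one of which
# (other-app) has an .oscal/ directory but no component definition.
make_sample() {
  root=$(mktemp -d)
  mkdir -p "$root/demo-app/.oscal" "$root/other-app/.oscal"
  echo '{"component-definition":{}}' \
    > "$root/demo-app/.oscal/demo-app-component-definition.json"
  echo "$root"
}

# Stand-alone run: ./check_cdefs.sh --demo
if [ "${1:-}" = "--demo" ]; then
  root=$(make_sample)
  check_cdefs "$root" "$(mode_for_branch main)" \
    || echo "pipeline would stop here on main (exit 1)"
fi
```

In a workflow, the `--demo` block would be replaced by a call such as `check_cdefs "$GITHUB_WORKSPACE/projects" "$(mode_for_branch "$GITHUB_REF_NAME")"` after the checkout step, so that the SSP-assembly and assessment jobs only run when the check returns 0; model validation and profile resolution would sit between this check and the SSP step, as the issue notes.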
