The OSCAL Compass project is a set of tools that enable the creation, validation, and governance of documentation artifacts for compliance needs. It leverages NIST's OSCAL (Open Security Controls Assessment Language) as a standard data format for interchange between tools and people, and provides an opinionated approach to an OSCAL SDK and to adoption by policy engines.
The OSCAL Compass project is hosted by the Cloud Native Computing Foundation (CNCF).
Check out the Community page to get started with using and contributing to the project. This guide details all the ways to collaborate with project maintainers and your fellow users of OSCAL Compass tools. Anyone is welcome to participate and contribute provided they follow the OSCAL Compass Code of Conduct.
- Trestle - Command line tool and SDK for interacting with OSCAL-based compliance-as-code documents.
- Agile Authoring - Ready-to-use CI/CD pipeline configuration and setup, using a GitOps approach and the Trestle SDK, for collaborative authoring of human- and machine-readable OSCAL compliance documents. It manages semantic versioning, provenance traceability, change logs, and approval-based releases to foster continuous compliance.
- Compliance to Policy (AKA C2P) - A plugin-based tool that transforms compliance-as-code artifacts represented in OSCAL into the native formats understood by policy validation or enforcement engines, then collects and normalizes their native results into the OSCAL format required for audit. It supports multiple policy engines, such as Kyverno (for Kubernetes resources), Open Cluster Management Policy Framework (for Kubernetes resources), Auditree (generic), and others.
- Visit the OSCAL Compass website at https://oscal-compass.dev
- See the Project Listing
The OSCAL Compass Lab organization comprises projects aligned with the OSCAL Compass project.
Personas and Roles
Trestle SDK
Artifacts and Personas
Topologies of Compliance Policy Administration Centers
A Lack of Network Boundaries Invites a Lack of Compliance
Compliance to Policy for Multiple Kubernetes Clusters
