    rob-gould-implerus
    @rob-gould-implerus
    Can anyone tell me if the setting of "Control Origination" checkboxes are outputting correctly in goComply? For instance, if I put the below XML into an OSCAL file, shouldn't it render a checked checkbox for "Service Provider Corporate"? I can render the checkboxes from the "Implementation Status" area just fine.
    <control-implementation>
    <description><p>FedRAMP SSP Template Section 13</p></description>
    <implemented-requirement uuid="e0198023-c291-420f-9859-85e195c4faa9" control-id="ac-1">
    <annotation name="implementation-status" ns="https://fedramp.gov/ns/oscal" value="not-applicable"></annotation>
    <annotation name="control-origination" ns="https://fedramp.gov/ns/oscal" value="sp-corporate"></annotation>
    Just can't seem to get Service-Provider Corporate to take.
    Šimon Lukašík
    @isimluk
    It has been a while since I wrote this, but I think this part may actually be unfinished.
    Here is the place where code needs to be written in order to add control-origination description: https://github.com/GoComply/fedramp/blob/7826afe3ac943a0818d8dea1cdb82c33639dc7eb/pkg/templater/open.go#L88
    This method has access to the OSCAL Fedramp SSP and DOCX file, it just needs to bind the variables together.
    xee5ch
    @xee5ch:matrix.org
    So are you necessarily supporting the tools anymore? I assume GoComply was/is basically you at this point?
    In the interim, will you take PRs? :-)
    xee5ch
    @xee5ch:matrix.org
    @isimluk: I see you started merging in some stuff in September not for this org's wonderful OSCAL tools, but the SCAP tools in September. Is this org's development still active? Is it worth working on such tools with the team here? Would you prefer people fork the code?
    Šimon Lukašík
    @isimluk
    @xee5ch:matrix.org, I don't fork. I will give you merge rights if you can deliver a few patches to prove.
    Also, I am sorry, I haven't had a chance to contribute much last 10 months or so.
    6 replies
    xee5ch
    @xee5ch:matrix.org
    So I am going to try and pick this up again, is there any interest in community picking up maintainership of the GoComply projects and moving forward OSCAL support? If not, I will likely figure a way to start over from scratch as part of oscal.club. Thanks!
    Šimon Lukašík
    @isimluk
    Hey! Thanks for reaching out. There is certainly an interest, but there is no funding.
    2 replies
    Feel free to start over, if you have funding. :-)
    1 reply
    @xee5ch:matrix.org, If you want I will gladly give you access to github org. And feel free to drive the project & community in a way you would like.
    9 replies
    Šimon Lukašík
    @isimluk
    I have been involved in the compliance sphere for over 10 years, but it is a constant struggle, it is not easy to find funding. So one really needs to have other sources of income to be able to afford work on this.
    1 reply
    Šimon Lukašík
    @isimluk
    Good luck! :-)
    Brandt Keller
    @brandtkeller

    Hey @isimluk, wanted to reach out here and maybe open some more transparent talks for the effort of Golang support for OSCAL/metaschema.

    I'd rather not start from scratch if there is a way to bring the metaschema/oscalkit repositories up to date.

    Do you have any advice for what that effort might entail? Starting recommendations and/or ways to validate correct functionality end-to-end?

    Šimon Lukašík
    @isimluk
    Hey, gocomply is certainly resurrectable. There is community interest, but no one is able to commit resources. I mean gocomply is investment constrained, no other problem comes to mind.
    Key is the understanding how various pieces fit together.
    Once you internalize the understanding of the design, then you just need to sync gocomply projects with usnistgov projects, as there is about 2 year long gap in the synchronization between the two.
    In other words, usnistgov organization continued to develop metaschema + OSCAL, but gocomply counterparts got stale.
    20 replies
    Šimon Lukašík
    @isimluk
    Guys, I am trying to fetch some resources about gocomply, and the best I could find is perhaps my latest blog post that gives an overview how the sausage factory was meant to operate: http://isimluk.com/posts/2020/12/gocomply-with-oscal-fedramp-introduction-to-metaschema/
    5 replies
    Šimon Lukašík
    @isimluk
    @brandtkeller, I created a test and failing PR for DTD support in metaschema: GoComply/metaschema#10
    In my mind this is the very first logical step in resurrecting gocomply.
    But obviously, it is a stub, that needs work.
    It currently segfaults, because it is a stub implementation. (TDD FTW).
    6 replies
    Šimon Lukašík
    @isimluk
    Alternatively, if community does not want to implement DTD in metaschema, maybe there is a way to actually decrease complexity in the ecosystem by offering upstream metaschema project a path forward that does not rely on the DTD.
    5 replies