Dr. Vikas Agarwal
Dr. Vikas Agarwal is a Senior Research Scientist at IBM Research, India. He has more than 20 years of experience in diverse areas such as Cloud Computing, AI, Mobile Computing, Web Services and the Semantic Web. His current interests are in the area of Cloud Security and Compliance, where he is simplifying and automating compliance for the cloud. Dr. Agarwal has published more than 25 papers in top conferences and journals and has filed over two dozen patents.
IBM
Job title – Senior Research Scientist
Session
Compliance-as-code encompasses many activities such as automation of system configuration and general DevSecOps approaches. A less examined area is how to manage the documentary artifacts associated with compliance 'as code', replacing Word documents and Excel spreadsheets with Markdown, YAML and JSON.
Emerging data standards such as NIST's OSCAL facilitate this approach. The OSCAL standard has been adopted by FedRAMP, the Australian Cyber Security Centre, the Center for Internet Security and Singapore's GovTech, among others.
OSCAL-Compass is a project by IBM Research and Red Hat that has recently become a CNCF sandbox project. It leverages NIST's OSCAL (Open Security Controls Assessment Language), a set of data and process standards for compliance, and provides an opinionated compliance-as-code approach to OSCAL adoption.
Today OSCAL-Compass has three key projects which work together: compliance-trestle, Compliance-to-Policy (C2P) and Agile Authoring. This workshop will demonstrate how to use these tools together to document and measure compliance controls on a Kubernetes cluster using Open Cluster Management.
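To make the "documents as code" idea above concrete, here is an added example (not code from OSCAL-Compass, compliance-trestle or NIST): a stdlib-only Python reader for an OSCAL catalog serialised as JSON. It refuses a document whose root is not a single catalog or whose metadata lacks the fields the catalog model requires, walks nested groups and controls (control enhancements nest under their parent control), checks that control ids are unique, and renders the result as the Markdown an auditor or author would review. The catalog itself, its UUID and the ACME control text are constructed for this illustration.

```python
# Added example: stdlib-only reader for an OSCAL catalog in JSON form.
# Not code from OSCAL-Compass, compliance-trestle or NIST. The catalog below
# is constructed for this example; its UUID and control text are made up.
import json

CATALOG_JSON = r"""
{"catalog": {
  "uuid": "4f2d6b88-0c3e-4a8e-9f7b-2e3c9a1d5b60",
  "metadata": {"title": "ACME Corp Kubernetes Baseline (constructed example)",
               "last-modified": "2024-01-01T00:00:00Z",
               "version": "0.1", "oscal-version": "1.0.4"},
  "groups": [{
    "id": "acme-k8s", "title": "Kubernetes cluster hardening",
    "controls": [
      {"id": "acme-k8s-1", "title": "Pods must not run as root",
       "parts": [{"id": "acme-k8s-1_smt", "name": "statement",
                  "prose": "Workloads set runAsNonRoot: true in their securityContext."}],
       "controls": [
         {"id": "acme-k8s-1.1", "title": "Privilege escalation is disabled",
          "parts": [{"id": "acme-k8s-1.1_smt", "name": "statement",
                     "prose": "Containers set allowPrivilegeEscalation: false."}]}]},
      {"id": "acme-k8s-2", "title": "Namespaces enforce a network policy",
       "parts": [{"id": "acme-k8s-2_smt", "name": "statement",
                  "prose": "Every application namespace carries a default-deny NetworkPolicy."}]}
    ]}]
}}
"""

# Metadata fields the OSCAL catalog model requires. A consumer should reject a
# document that lacks them rather than silently emit a report with blanks.
REQUIRED_METADATA = ("title", "last-modified", "version", "oscal-version")


def load_catalog(text):
    """Parse catalog JSON and fail early on the structural problems we rely on."""
    doc = json.loads(text)
    if set(doc) != {"catalog"}:
        raise ValueError("document root must be a single 'catalog' object")
    cat = doc["catalog"]
    missing = [k for k in REQUIRED_METADATA if k not in cat.get("metadata", {})]
    if missing:
        raise ValueError(f"catalog metadata missing required field(s): {missing}")
    return cat


def iter_controls(cat):
    """Yield (group_title, control) depth-first; both groups and controls nest."""
    def walk_controls(controls, group_title):
        for c in controls:
            yield group_title, c
            yield from walk_controls(c.get("controls", []), group_title)

    def walk_groups(groups, parent_title):
        for g in groups:
            title = g.get("title") or g.get("id", parent_title)
            yield from walk_controls(g.get("controls", []), title)
            yield from walk_groups(g.get("groups", []), title)

    top = cat["metadata"]["title"]
    yield from walk_controls(cat.get("controls", []), top)  # ungrouped controls
    yield from walk_groups(cat.get("groups", []), top)


def statement(control):
    """Return the prose of the control's 'statement' part, or '' if absent."""
    for part in control.get("parts", []):
        if part.get("name") == "statement":
            return part.get("prose", "")
    return ""


def control_ids(cat):
    return [c["id"] for _, c in iter_controls(cat)]


def duplicate_ids(cat):
    """Control ids must be unique within a catalog; return any that repeat."""
    ids = control_ids(cat)
    return sorted({i for i in ids if ids.count(i) > 1})


def to_markdown(cat):
    """Render the catalog as Markdown, the reviewable 'document as code'."""
    meta = cat["metadata"]
    lines = [f"# {meta['title']}", "",
             f"Version {meta['version']} (OSCAL {meta['oscal-version']})", ""]
    current_group = None
    for group_title, c in iter_controls(cat):
        if group_title != current_group:
            lines += [f"## {group_title}", ""]
            current_group = group_title
        lines += [f"### {c['id']}: {c['title']}", "",
                  statement(c) or "_No statement recorded._", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_markdown(load_catalog(CATALOG_JSON)))
```

The checks here are deliberately narrow: only the fields this reader consumes are validated. A production pipeline would validate the document against the full OSCAL JSON schema for its `oscal-version` before trusting it, and would keep the generated Markdown in version control beside the catalog so that every change to a control statement is reviewed like a code change.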
This workshop will be hands on: attendees will need a github.com account, Python installed and a Kubernetes CLI (either kubectl or oc).
Attendees will be securing their Kubernetes cluster against ACME Corp's corporate standards, and using compliance-trestle to generate a report for their internal auditors.
Throughout the session the speakers will also discuss the adoption of OSCAL globally, including how Red Hat and IBM have been adopting the standard internally.