Is OpenControl deprecated? #78

Open
gregorydulin opened this issue May 10, 2022 · 10 comments

@gregorydulin

gregorydulin commented May 10, 2022

What's the current preferred SSP export automation tool I should be targeting?

OpenControl looks really promising, but it also looks like a dead project (no activity for years, and evidence that industry (e.g. RedHat) is moving away from it).

It seems like OSCAL is the currently preferred SSP format, but the tooling around it doesn't seem quite as mature as OpenControl (e.g. the only "convert to .docx" tool I found warns of missing fields).

Thanks!

@timothy-spencer

It makes me sad, because of all the formats/tools that are out there, this one is the one that makes the most sense. But yes, nobody is using it that I know of.

We are trying to use https://github.com/IBM/compliance-trestle as a tool to make OSCAL not be so hard to work with. It's not bad, but there's still a lot more that needs to be done to make it actually useful (our agency AO/ISSO all want us to use their special Word docs), but it's at least good for us because we can use git to document changes, and when we have to update our SSP, all the docs are there in an easy to cut/paste format.

Not sure if this helps, but it's a datapoint at least.

@openprivacy
Member

OpenControl components can be converted to OSCAL 1.0.0 with the examples/oc_to_oscal_components.py code in https://github.com/CivicActions/compliance-io

@gregorydulin
Author

Thanks for the info, @timothy-spencer and @openprivacy!

I think we'll try running with OpenControl, and export to OSCAL and .md (and then to .docx and .pdf) as required. I'll post here to let everyone know how it went (if you're visiting this page and I haven't posted for a month or two, feel free to remind me).

Thanks!

@hexblot

hexblot commented Jan 25, 2023

> Thanks for the info, @timothy-spencer and @openprivacy!
>
> I think we'll try running with OpenControl, and export to OSCAL and .md (and then to .docx and .pdf) as required. I'll post here to let everyone know how it went (if you're visiting this page and I haven't posted for a month or two, feel free to remind me).
>
> Thanks!

hello @gregorydulin -- could you update on the above?

@shawndwells
Member

Believe we can safely say OpenControl isn't active, and that OSCAL serves this purpose (and is an official NIST standard!).

Any objections to marking the repos as archives, and updating the READMEs to point to OSCAL?

Paging @openprivacy , @gregelin , @afeld

Failing any feedback, will go ahead and make the changes in a few weeks.

@shawndwells
Member

Also paging the broader @opencontrol/18f-contributors (see comment above)

@gregelin

gregelin commented Feb 23, 2023 via email

@openprivacy
Member

openprivacy commented Feb 24, 2023

Agree that OpenControl is not active, and the OSCAL community is growing, but I'm not ready to say OpenControl is dead. And I believe there are still some teams using it, or at least there were last year. Perhaps just a public README at https://github.com/opencontrol with a pointer to NIST OSCAL and the OSCAL Community - I'm happy to put up a page if agreed.

@trevorbryant

Over the past couple of years, less and less people have been available to address Issues or merge PRs. I think it's safe to say that the efforts of the community aren't exactly "dead", but no longer actively worked on nor maintained in favor of NIST OSCAL.

@gregorydulin
Author

> > Thanks for the info, @timothy-spencer and @openprivacy!
> > I think we'll try running with OpenControl, and export to OSCAL and .md (and then to .docx and .pdf) as required. I'll post here to let everyone know how it went (if you're visiting this page and I haven't posted for a month or two, feel free to remind me).
> > Thanks!
>
> hello @gregorydulin -- could you update on the above?

Sorry for the delay. We did end up using OpenControl to build an SSP PDF, and it's working pretty well. That being said, though, if accreditors are going to start accepting OSCAL YAML files in lieu of PDFs, I'll gladly make the switch. We haven't done a ton of documentation in OpenControl format, so switching now is probably better than switching later.
