Compliance as Code

Standards

• SCAP: Security Content Automation Protocol
• OSCAL: Open Security Controls Assessment Language
• BPMN: Business Process Model and Notation
• DMN: Decision Model and Notation

Guidelines

• ComplianceAsCode: The ComplianceAsCode project

  Previously known as SCAP Security Guide (SSG)

Tools

• OpenSCAP: open source security compliance toolkit

  NIST certified for SCAP 1.2

• Trestle: Manage compliance as code using NIST’s OSCAL standard
• Open Policy Agent (OPA): Declarative Policies

  Context-aware, Expressive, Fast, Portable

• OPAL: Open Policy Administration Layer

Good reads and presentations

• OSCAL Mini Workshop Series