SHR Launches Compliance-as-Code Library, 1st Open-Source Project

On April 6, 2021, SHR Consulting Group, LLC (SHR) launched its first open-source project, a Compliance-as-Code (CaC) library, via GitLab.

Thanks to recent work by the National Institute of Standards and Technology (NIST) on the Open Security Controls Assessment Language (OSCAL) 1.0 framework, a standardized, machine-readable method of storing, sharing, and analyzing compliance information now exists. SHR uses the latest NIST OSCAL models, internally developed tools, and standard CI/CD pipeline tools. The purpose of SHR's CaC Python library (pyOSCAL) is to parse, create, and modify files that conform to the emerging OSCAL standard.

Through this developing library and SHR's future CaC projects, SHR seeks to automate not only compliance testing but also the continuous building of System Security Plans, the integration of assessment results from Ansible and Chef InSpec, and the dynamic inheritance of controls from multiple components.

Leveraging a community-driven network of commercial product experts, CaC, like all "as Code" methodologies, applies the same processes, approvals, and workflows that have long benefited software engineering. With CaC, documentation is generated dynamically from the inspection and assessment of live systems, ensuring it is always up to date. Automated authoring accelerates the creation of assessment packages. This allows for quicker and simpler audits and faster correction of deviations in the baseline code that expresses standards and policies. Following compliance standards to update and correct deviations also ensures that every issue is tracked, further strengthening recorded compliance practices. This ease and speed reduce the cost of managing and ensuring compliance while keeping audit processes equally effective.

SHR, its customers, and the wider community of commercial, government, and contractor organizations can all use this open-source library as the foundation for new tools, new integrations, and more rapidly developed compliance frameworks. Like NIST's collaboration with industry to develop OSCAL, many organizations (e.g., DoD branches) have begun accepting "Continuous ATO (cATO)" or "ATO in a Day" practices to speed up the adoption of new technologies. While traditional security review, verification, and documentation have long been the accepted, reliable way of ensuring security compliance, CaC solutions meet the functional, security, and usability requirements necessary for deployment. Open-source technologies are often community-driven and maintained by the same experts who work daily with the relevant solutions, architectures, and commercial products.

This product and SHR's future open-source endeavors demonstrate our commitment to the mission, its customers, and the federal cybersecurity community. Projects such as this show not only that SHR is competent in these technologies, but that it is enthusiastic about enabling compliance stakeholders and collaborating with our customers and partners to improve their environments and overall efficiency.