# Operation Damn Testable Framework
## Elevator Pitch
NIST [SSDF](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf) meets the modern industry implementation and style of tools like the [OSSF AllStar app](https://github.com/ossf/allstar) and CII BadgeApp.
## TODOs
1. Pick highest impact, highest urgency SSDF control that matches a NIST publication policy objective.
2. Wireframe/design a potential workflow on the dev repo config side.
3. Wireframe/design how it would look on the reporting side.
4. Workshop it with a dev, workshop it with a manager type.
## 1 Pick Highest Impact Control
MVP candidate: SSDF 800-218 PW.8.2
> PW.8.2: Scope the testing, design the tests, perform the testing, and document the results, including recording and triaging all discovered issues and recommended remediations in the development team’s workflow or issue tracking system.

Cross-referenced requirements from CHECKLIST FOR PUBLICATION OF RESEARCH CODE/SOFTWARE (NIST S1801.03):

> A testing plan (e.g., unit, integration, acceptance, performance) was developed, followed, and documented. The testing plan and results are available at:

> Continuous testing was conducted during updates and new builds.

> Code includes appropriate IT security and privacy controls. (For more information, see Develop/Test Resources available at https://inet.nist.gov/adlp/open-access-research-oar/publishing-instructions/publishing-software). (After you create a record for your code in MIDAS and submit it for review, your ITSO will check for security (of software); will look at the method for release of software if it is something other than GitHub; will make sure it does not compromise dependencies (i.e., internal databases or other physical resources to which it is linked).)
# Appendix
1. [Publishing Data & The Basics: What do I have to do?](https://inet.nist.gov/adlp/open-access-research-oar/publishing-instructions/publishing-data)
1. [Data Research Management](https://inet.nist.gov/adlp/open-access-research-oar/research-data-management)