OSCAL FY24 Strategy

# Vision # New Key Deliverables for Gaps - CRM - Mapping - Rules and checks (metrics) ([previous work](https://hackmd.io/JZkedRyZRAmUEWOSxQn0jg), [SP800-80](https://csrc.nist.gov/files/pubs/sp/800/80/ipd/docs/sp800-80-draft.pdf)). - Policy representation within OSCAL - Recording and publication of OSCAL 4th Conference (2023) Workshop material # Ongoing Maintenance Priorities - OSCAL documentation - model documentation - tutorials and examples - OSCAL reference implementations (software) - liboscal-java and oscal-cli - XSLT-based tools - OSCAL profile resolver; schema docs generation; converters? (not schema generation) - SP 800-53 rev5.x (new updates) prior to a major shift to a CPRT native generation (rev 6 and beyond). # Challenges - Technical debt for OSCAL and key OSCAL dependencies - Metaschema-based model reference documentation generation for OSCAL - Lack of developer familiarity with advanced, Metaschema-based software - Lack of developer familiarity with beginner-friendly, OSCAL-first tooling # Risks - Lack of general experience, desire for Java-based development (oscal-cli -> liboscal-java -> metaschema-java) - Lack of general XSLT experience for profile resolution and other core OSCAL tools - Community engagement on rightsizing model strictness/laxness to support organic evolution of models # Transition Plan - A.J. will continue to work until a formal transition date 30 days (including not working days) from 2 October 2023 or 30 days after work resumes from tentative furlough. (Leadership would like us to consult the team. TBD) - A.J. and Dave have agreed to continue development and maintenance of liboscal-java and oscal-cli, after transition window. - After transition window, A.J. is open to training NIST staff and contractors working on CPRT. - [ ] A.J. will hand over credentials, multi-factor tokens, automation configuration secrets to other team members. - Overall - [ ] [oscalbuilder (automation account for GitHub)](https://github.com/oscalbuilder) and rotate his credentials - [ ] add permanent members to the [itl-oscal-admins](https://github.com/orgs/usnistgov/teams/itl-oscal-admins) group in the GitHub usnistgov organization - [ ] Team management and duties - [ ] knowledge sharing and training of more junior employees (e.g. Arminta) - [ ] Prioritization and refinement of technical requirements of issues - [ ] complete and [refine prioritization workflow](https://github.com/usnistgov/OSCAL/wiki/Issue-Triage-and-Backlog-Refinement) - [ ] Tool development (liboscal-java and oscal-cli) - [ ] share access to PGP access to release keys during or after the transition window - [ ] share access to Sonatype OSSRH during or after the transition window - [ ] A.J. and Michaela need to work on a solution for the OSCAL Events calendar account with minimal impact for the community. - [ ] A.J and Michaela will work to transfer team's meeting invitations. - [ ] A.J. and Michaela will need to plan how to staff technical support meetings with external stakeholder grouops - FedRAMP - NSA - Center for Internet Security - Ad-hoc requests from new or occassional groups