# 20230209 Model Engineering Meeting Notes

## Overview

- No comments or feedback.

## Ground Rules

- No comments or feedback.

## Review of Current and Completed Work

- Focus on near term:
  - improving CI/CD
  - making evaluation easier
  - docs where there is confusion or missing detail
  - high reward/low risk changes to models (features or fixes)
- Board is at https://github.com/orgs/usnistgov/projects/25/views/2
- Community Attendee #1 asked how this prioritization works
  - lots of high asks for a couple of examples
  - A.J. notes that many issues require some work
    - some issues are old!
    - offers web site enhancements as an example
      - complex partly due to Metaschema dependency
      - high-impact because user-facing
    - we are doing infrastructure work to trace performance
    - Issues (and impact of improvements) on the site and project tracker in GitHub
    - Labels ("tags") added to the project tracking page per community feedback (GitHub Labels)
- Community Attendee #2 asks about docs regarding FedRAMP process and alignment with other regimes (ISO, HIPAA)
  - we will revisit
  - Per Michaela, this is a large topic and not just about mapping between control catalogs!
  - Michaela gave a high-level overview of using multiple compliance and security frameworks from heterogeneous catalogs and using them in documentation of systems in components and system security plans
  - Wendell explained his perspective and added for testing and conformance
- Community Attendee #3 had a question about a comment about the ROC in PCI-DSS and whether that compliance report is more like an assessment plan in OSCAL than an SSP. Thoughts from the NIST OSCAL Team?
  - A.J. said he had no formal awareness of the PCI-DSS data owners talking about the people.
  - Dmitry said he met people at an OSCAL meetup working with PCI-DSS and HIPAA work, but not outside
- Wendell has a request for alignment: for PR review. For review, we should look at branches and "not in `main`" work; how do we get that community help with awareness?
  - Wendell cited a volunteer contributor working on profile resolution, and she wants feedback from others.
- Community Attendee #1 said that, as he learned, there are different repositories: how does one know which ones exist, the relationships between them, and what their purposes are?
  - We agreed we need to make an issue for making a Repository Map ("lay of the land") for OSCAL and OSCAL-related work.
- Community Attendee #2, in chat, requested a unique subscription calendar that updates itself, to simplify keeping up with you automatically. A.J. explained this is part of current work.
  - A.J. describes Issue [usnistgov/OSCAL#1638](https://github.com/usnistgov/OSCAL/pull/1638), ADRs (Architectural Decision Records), calendar work forthcoming
- Community Attendee #1 GE surveys "how do I open an issue"
  - Page points to Help Wanted but not to New Issue
  - GitHub issues not really designed for "I need help" questions
  - Creating Issue to track work item: what are all the repositories I need to know about?
  - Useful discussion on blocks to creating Issues

## Help Needed

- PRs reviewing and comments
- Model reviews
- Bring your experience
- Identify priorities for cookbook recipes/tutorials
- No comments or feedback.

## Attendance

22 people