
12 Essential Requirements for Policy Enforcement and Governance with OSCAL

Authors: Robert Ficcaglia


Summary

The presentation discusses the role of policy governance in exchanging security information reliably and in managing complexity across Kubernetes clusters. It emphasizes the need for a standardized format for exchanging that information, the benefits of centralizing controls, and continuous assessment of control implementations. The speaker also lays out the essential ingredients of policy governance and the role of declarative configuration in compliance.
  • A standardized, machine-readable format is needed to exchange control and assessment information between organizations
  • Centralized governance of policies ensures consistency and brings control of change early into the process
  • Controls and their implementations must be assessed continuously, not only at authorization time
  • Declarative configuration is essential for compliance, because it can be diffed, reviewed, and assessed automatically
  • The OSCAL initiative provides a standardized schema for expressing controls, their customization, and their assessment
  • The system security plan should be kept in machine-readable form so it can be exchanged and reused
  • GitOps workflows can drive both compliance evidence and automated enforcement
The speaker mentions a real-world problem: exchanging information securely across agencies and organizations that operate at different clearance levels. This motivates a standardized exchange format and centralized controls so that consistency and security hold across organizational boundaries.

Abstract

An effective policy framework provides governance capabilities to Kubernetes and cloud native applications. Policy-as-code artifacts provide visibility and drive remediation for security and configuration concerns, helping developers and operators meet their security and compliance requirements. Working with the Kubernetes Policy Working Group, cloud providers and tool maintainers have signaled support for OSCAL. OSCAL is a NIST control assessment syntax and model framework that provides a standard set of schemas for control catalogs, customization and parameterization, assessment, and reporting. Using OSCAL as the model schema for control definition, we discuss the specifics of policy enforcement and management in a multi-cluster, multi-cloud environment, giving traceability from technical configuration through organizational security standards to external regulatory compliance requirements. We break down 12 specific requirements and policy-as-code practices for a highly fluid multi-cluster operating environment. Join this hands-on, live demo session to understand the battle-tested use cases, architecture, and practical implementation details, and the deployment and operational levers for managing control implementation, policy generation and assessment, and compliance reporting.
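The following is an added example, not code from the talk or from the OSCAL project, showing the traceability chain the abstract describes: a catalog defines controls, a component definition records which controls a cluster's admission policy claims to implement, Kubernetes manifests are checked against policy-as-code keyed by control ID, and the outcome is emitted in an assessment-results shape. The JSON documents are constructed and deliberately simplified (real OSCAL artifacts also carry uuid, metadata and oscal-version fields, and the check functions here stand in for whatever policy engine a cluster actually runs); the control IDs ac-6 and cm-7 are used as illustrative identifiers.

```python
"""Trace Kubernetes policy checks back to OSCAL control IDs.

Added example. CATALOG and COMPONENT_DEFINITION are constructed,
simplified OSCAL-shaped documents, not real OSCAL artifacts.
"""
from typing import Callable, Dict, List

# Constructed catalog: two groups, one control each (simplified shape).
CATALOG = {"catalog": {"groups": [
    {"id": "ac", "title": "Access Control",
     "controls": [{"id": "ac-6", "title": "Least Privilege"}]},
    {"id": "cm", "title": "Configuration Management",
     "controls": [{"id": "cm-7", "title": "Least Functionality"}]},
]}}

# Constructed component definition: the admission policy component and
# the controls it claims to implement, pointing back at the catalog.
COMPONENT_DEFINITION = {"component-definition": {"components": [{
    "type": "policy", "title": "cluster-admission-policy",
    "control-implementations": [{
        "source": "catalog.json",
        "implemented-requirements": [
            {"control-id": "ac-6",
             "description": "Workloads run non-root and never privileged."},
            {"control-id": "cm-7",
             "description": "Workloads do not share the host network."},
        ]}]}]}}

# Constructed Pod manifests: one that violates ac-6, one hardened.
POD_PRIVILEGED = {"apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {"hostNetwork": False, "containers": [
        {"name": "app", "image": "nginx:1.25",
         "securityContext": {"privileged": True}}]}}
POD_HARDENED = {"apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {"containers": [
        {"name": "app", "image": "nginx:1.25",
         "securityContext": {"runAsNonRoot": True, "privileged": False,
                             "allowPrivilegeEscalation": False}}]}}


def check_least_privilege(pod: dict) -> List[str]:
    """Policy-as-code check mapped to ac-6: returns a list of deviations."""
    problems = []
    for c in pod["spec"].get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            problems.append(f"container {c['name']} is privileged")
        if not sc.get("runAsNonRoot"):
            problems.append(f"container {c['name']} does not set runAsNonRoot")
    return problems


def check_least_functionality(pod: dict) -> List[str]:
    """Policy-as-code check mapped to cm-7."""
    return ["pod uses hostNetwork"] if pod["spec"].get("hostNetwork") else []


# Control ID -> automated check. Unmapped controls are reported, not ignored.
CHECKS: Dict[str, Callable[[dict], List[str]]] = {
    "ac-6": check_least_privilege,
    "cm-7": check_least_functionality,
}


def catalog_control_ids(catalog: dict) -> set:
    return {c["id"] for g in catalog["catalog"]["groups"] for c in g["controls"]}


def implemented_control_ids(compdef: dict) -> set:
    return {r["control-id"]
            for comp in compdef["component-definition"]["components"]
            for impl in comp["control-implementations"]
            for r in impl["implemented-requirements"]}


def untraceable_controls(catalog: dict, compdef: dict) -> List[str]:
    """Controls a component claims to implement that the catalog never defines."""
    return sorted(implemented_control_ids(compdef) - catalog_control_ids(catalog))


def assess(pod: dict, catalog: dict, compdef: dict) -> dict:
    """Run every mapped check and emit an assessment-results-shaped document."""
    findings = []
    for cid in sorted(implemented_control_ids(compdef) & catalog_control_ids(catalog)):
        check = CHECKS.get(cid)
        # A claimed control with no automated check is a governance gap,
        # so it is recorded as not-satisfied rather than silently skipped.
        problems = check(pod) if check else ["no automated check mapped"]
        findings.append({
            "title": f"{cid} for Pod/{pod['metadata']['name']}",
            "description": "; ".join(problems) or "no deviations found",
            "target": {"type": "objective-id", "target-id": cid,
                       "status": {"state": "not-satisfied" if problems else "satisfied"}},
        })
    return {"assessment-results": {"results": [
        {"title": f"assessment of Pod/{pod['metadata']['name']}", "findings": findings}]}}


def finding_states(result: dict) -> Dict[str, str]:
    """Collapse an assessment result to {control-id: state} for quick review."""
    return {f["target"]["target-id"]: f["target"]["status"]["state"]
            for f in result["assessment-results"]["results"][0]["findings"]}


if __name__ == "__main__":
    print(finding_states(assess(POD_PRIVILEGED, CATALOG, COMPONENT_DEFINITION)))
    print(finding_states(assess(POD_HARDENED, CATALOG, COMPONENT_DEFINITION)))
    print("untraceable:", untraceable_controls(CATALOG, COMPONENT_DEFINITION))
```

The point of the example is the join on control ID: the catalog, the component definition, the policy check and the finding all carry the same identifier, so a reviewer can go from a failed admission check to the control and the organizational requirement it derives from without a manual crosswalk. In a GitOps flow the catalog, component definition and checks live in the repository, and the assessment result is produced on every change rather than at authorization time.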
