|
5 | 5 | 1. What work did the WG do this year that should be highlighted?
|
6 | 6 | For example, artifacts, reports, white papers produced this year.
|
7 | 7 |
|
8 |
| - - |
9 |
| - - |
| 8 | + - [Policy Whitepaper]() |
| 9 | + - [PolicyReport CRD]() Adapters, [list here]() |
| 10 | + - [Review of whether to KEP or not to KEP for Policy Report]() |
10 | 11 | -
|
11 | 12 |
|
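Review bot: the three added bullets all point at empty link targets (`[Policy Whitepaper]()`, `[PolicyReport CRD]()`, `[list here]()`, `[Review of whether to KEP or not to KEP for Policy Report]()`), so the report renders dead links for exactly the artifacts the question asks to highlight; fill in the URLs (or drop the link syntax and name the artifact in plain text) before merging. The leftover empty `-` bullet on the following unchanged line renders as a blank list item and should be removed along with the blank lines this change deletes above it.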
12 | 13 | 2. What initiatives are you working on that aren't being tracked in KEPs?
|
13 | 14 |
|
14 |
| - - |
15 |
| - - |
16 |
| - - |
| 15 | + - The main topic of discussion is now whether to KEP the PolicyReport, or just keep it in a sig (e.g. sig-auth) |
| 16 | + - Outside of that there has been a lot of community interest, and workgroup effort spent, on control mapping |
| 17 | + and control-as-code implementation, eg OSCAL, that might be better served moved into its own workgroup or a |
| 18 | + sandbox project |
17 | 19 |
|
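Review bot: the second bullet's conclusion that control mapping "might be better served moved into its own workgroup or a sandbox project" is restated almost verbatim under the roadmap question below; state it once and cross-reference, so the two sections cannot drift apart. Minor style: "KEP" is used as a verb ("whether to KEP the PolicyReport"), "sig" and "workgroup" should match the "SIG" and "working group" spelling used elsewhere in the report, "eg" should be "e.g.", and OSCAL should be expanded on first use (Open Security Controls Assessment Language) for readers outside the compliance space.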
18 | 20 | ## Project health
|
19 | 21 |
|
20 | 22 | 1. What's the current roadmap until completion of the working group?
|
21 | 23 |
|
22 |
| - - |
23 |
| - - |
24 |
| - - |
| 24 | + - We intend to wrap up the workgroup once the KEP for PolicyReport is created OR sig-auth or another sig accepts it |
| 25 | + - Or if neither occurs |
| 26 | + - There is considerable interest in continuing the governance and assessment and lifecycle of policy and controls, |
| 27 | + however as these necessarily cross boundaries, it seems like something that should either be re-homed to sig-security, |
| 28 | + and/or hosted in a CNCF-level workgroup and/or moved into a relevant sandbox CNCF project, eg. [SLEDGEHammer](). |
25 | 29 |
|
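Review bot: the completion criterion is vacuous as written: "once the KEP for PolicyReport is created OR sig-auth or another sig accepts it" followed by "Or if neither occurs" covers every outcome, so the roadmap states no actual condition or date for wrapping up. Either give a target date by which the KEP-or-SIG decision must be made, or say plainly that the group will wind down regardless and name who carries the PolicyReport work forward in each case. `[SLEDGEHammer]()` is another empty link target that needs a URL, and the "Or if neither occurs" line should be indented as a sub-bullet of the first item rather than standing as a separate top-level bullet.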
26 | 30 | 2. Does the group have contributors from multiple companies/affiliations?
|
27 | 31 |
|
28 |
| - - |
| 32 | + - Yes, RedHat, IBM, SunStone Secure, Nirmata, Google, ... |
29 | 33 |
|
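Review bot: the affiliation list ends in "...", which leaves the multi-company question only half answered; either complete the list or point to the group's OWNERS or contributor list so the claim can be checked. "RedHat" should be written "Red Hat".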
30 | 34 | 3. Are there ways end users/companies can contribute that they currently are not?
|
31 | 35 | If one of those ways is more full time support, what would they work on and why?
|
|
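Review bot: question 3 (ways end users and companies could contribute, and what full-time support would be spent on) is left without an answer in this change; given that the roadmap above depends on finding a new home for the PolicyReport and control-mapping work, this is where the report should say what kind of help would move that along.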