In part 1 of this multi-part blog series on continuous compliance, we detailed the personas and their roles in the compliance processes. We concluded that the key to achieving compliance automation, and hence continuous compliance, is the programmatic representation of compliance artifacts as code, expressed in generic, standard security language terms.
In this blog post, we introduce Trestle, our open-source implementation of the NIST Open Security Controls Assessment Language (OSCAL) standard framework, which automates the workflow for compliance artifacts managed as compliance as code. Trestle enables those diverse personas to collaboratively author the compliance artifacts, and it offers a platform and an OSCAL SDK that teams can use to automate their own native processes and formats. Trestle implicitly provides a core opinionated workflow, driven by its pipeline, that allows standardized interlocks with other compliance tooling platforms.