Support for Gemara (GRC Engineering Model for Automated Risk Assessment) Framework #127

@jpower432

Summary

This feature proposes adding support for the Simplified Compliance Infrastructure (rename pending) framework as a supported compliance framework.

Rationale

Integrating SCI would enable users who utilize this framework to seamlessly leverage C2P for policy generation and result consumption within their ecosystem.

Use Cases

  • The oscal-compass organization is being evaluated against the OSPS baseline, which is expressed in SCI. Adding this framework gives us an opportunity to use C2P to aid in the evaluation.

Completion Criteria

  • A prototype or POC is likely required to complete this issue to get community feedback
  • Upon acceptance, create new commands results2sci and sci2policy (pending rename)
  • Add or adopt functionality to convert SCI Layer 4 to OSCAL Assessment Layer to use with oscal2posture

Metadata

Labels: enhancement (New feature or request), new-framework (Add a new compliance framework), v2 (Relates to Go module v2)

Status: Needs Triage
