• ADR: 0001
  • Proposal Author(s): @eddie-knight
  • Status: Accepted

Context

During the writing of the CNCF’s Automated Governance Maturity Model (AGMM), the authors of that document came to a key observation: to build a Secure Software Factory or a fully automated governance program, maturity can be measured in at least four different areas: “Policy, Evaluation, Enforcement, and Audit.”

Both the FINOS Common Cloud Controls (CCC) and OpenSSF’s Open Source Project Security Baseline (OSPSB) projects began using the language from the AGMM, with the addition of two more areas to describe the difference between documents that give high-level recommendations alongside those which create technology-specific objectives. It was observed that these six different areas build upon eachother, similar to how the OSI Model describes the layers of digital networking.

Action

Create a community-defined model in a version-controlled project that can be extended with supplemental resources such as schemas and SDKs.

Consequences

Positive: Can be updated and extended over time Negative: Requires up-front commitment from a core maintainer group

Alternatives Considered

An alternative would be to write a white paper following on the AGMM, but this would rule out the possibility of community maintenance and extension with supplemental resources for automation acceleration.