openchain:proposed-draft

Differences

openchain:proposed-draft [2015/01/15 20:52]
Kellyw [Multi-Level vs Single-Level Compliance Certifications]
openchain:proposed-draft [2016/08/11 12:12] (current)
AliceSmith [Software Engineering Institute (SEI)]
Line 2: Line 2:
  
  
-====== OpenChain ​<​del>​Linux Foundation Open Compliance Program</​del> ​Certification Proposal ====== ​+====== OpenChain Certification Proposal ====== ​
  
 This short proposal concerns an approach to open compliance certification. The goal is to certify that software suppliers have effective measures to assure compliance with open source license obligations when they incorporate free and open source software (FOSS) in products for external distribution.
Line 28: Line 28:
 An important principle underlies the notion of certification: that process matters, i.e. a repeatable and systematic process results in an outcome of expected quality and consistency. So an appraisal certifies a supplier’s process as a predictor of eventual success, reducing the need to rely only on testing the supplier’s ultimate product or service. Generally, certifications address quality or conformance to a standard rather than business efficiency. __By intentional design, as ongoing testing results consistently in validation of the supplier’s process as producing quality results, there is an opportunity for such results to be trusted by downstream recipients.__
    
-==== Open Compliance Certification ==== +===== Open Compliance Certification ​===== 
  
 The __OpenChain Working Group with support from the__ Linux Foundation now has an opportunity to create a new certification program to help drive companies’ open compliance initiatives. The purpose or motivation for open compliance certification is to increase commitment and diligence toward achieving compliance with FOSS licenses. If certification is to gain momentum, <del>Linux Foundation member</del> __participating OpenChain__ companies must step forward and require or incentivize their supply chains to attain certification as proof of their commitment and adherence to effective compliance practices.
Line 44: Line 44:
 Standard CMMI Appraisal Method for Process Improvement (SCAMPI) Lead Appraiser Certification, http://www.sei.cmu.edu/certification/process/scampi/index.cfm
    
-===== Appendix A ===== +====== Appendix A ====== 
  
-First Approximation of a Compliance Reference Model +===== First Approximation of a Compliance Reference Model =====
  
 The compliance reference model will consist of a set of goals and supporting practices. In appraising whether the goals have been met, auditors typically look at the supporting practices to see whether they have been performed or instantiated. Six goals and their supporting practices are outlined below. The complete reference model will define additional levels of detail and alternative supporting practices, while the appraisal methodology will guide auditors in what to look for and how to determine whether or not a goal has been met. __Part of the certification includes the requirement that those employees who need to adhere to the process be trained on it. Additionally, as the process is dependent on such employees’ ability to know when the process is triggered (e.g., when certain open source software is used) such employees need to be trained on a consistent set of topical areas that are incorporated into the educational materials, that we propose also form part of the certification criteria.__
 +
 +===== Outline of Compliance Reference Model =====
 +G = Goal\\
 +SP = Supporting Practices\\
 +C = Criteria for supporting practices\\
 +(see charts below for original version)
 +
 +  - **G1: Everyone knows their FOSS responsibilities**
 +      - SP1.1  FOSS policy exists
 +          * C1.1.1 Written
 +          * C1.1.2 Internally available
 +          * C1.1.3 Content must include:
 +              * distribution of open source
 +              * internal use for code generation
 +              * requirement to comply with licenses
 +              * utilization of a FOSS approval process
 +      - SP1.2  FOSS compliance training program actively used
 +          * C1.2.1 Required for all relevant employees, including:
 +              * software developers
 +              * software program managers
 +              * software procurement roles
 +          * C1.2.2 Content:
 +              * Identify FOSS
 +              * FOSS concepts and obligations
 +              * How to adhere to FOSS approval process
 +          * C1.2.3 Delivery method\\
 +              * In-person, online //(JL: should we dictate what format the training delivery method should be? Is this to mean it can be in either in-person or online - or needs to be in both formats?)//
 +          * C1.2.4 Compliance and attendance //(JL: compliance with the training? ​ might not want to use the word "​compliance"​ here as it is more associated with license compliance?​)//​
 +              * Recordkeeping
 +              * Reoccurring training
 +  - **G2:  Responsibility for achieving compliance is assigned**
 +      - SP2.1  FOSS Compliance Officer exists
 +      - SP2.2  Compliance management activity is resourced
 +          * SP2.2.1 ​ Processes, procedures, templates, forms, etc. are developed
 +          * SP2.2.2 ​ Compliance tool needs are identified //(JL: do we want to specifically say "​tools"?​ Are tools always required, e.g. small companies who still want to use these guidelines?​)//​
 +          * SP2.2.3 ​ Compliance tools are evaluated, developed or acquired, and deployed
 +      - SP2.3  Licensing expertise is available //(JL: recommend putting this as first SP here)//
 +  - **G3: FOSS content (packages/​license) is known** //consider making this G2?//
 +      - SP3.1  Code audits/​scans are conducted
 +      - SP3.2  Supplier compliance is managed ​ //​(JL: ​ define who a supplier is; what if the company in question is situated to not really have suppliers, do they still have to comply with these goals?)//
 +          * SP3.2.1 ​ Supplier compliance practices are assessed
 +          * SP3.2.2 ​ Supplier FOSS disclosures are made and reviewed
 +          * SP3.2.3 ​ Supplier FOSS obligations are satisfied ​
 +      - SP3.3  FOSS records are maintained //(JL: move up in list here)//
 +  - **G4: FOSS content is reviewed and approved**
 +      - SP4.1  OSRB exists and is staffed appropriately
 +      - SP4.2  Planned FOSS use is reviewed in context
 +      - SP4.3  License obligations are identified, understood, and documented
 +      - SP4.4  Issues are resolved and approval decisions are followed
 +  - **G5: FOSS obligations are satisfied**
 +      - SP5.1  Documentation obligations are met
 +      - SP5.2  Source code obligations are met
 +      - SP5.3  Community interface exists
 +          * SP5.3.1 ​ Email and postal addresses work
 +          * SP5.3.2 ​ Web portal works
 +          * SP5.3.3 ​ Community requests and inquiries are satisfied
 +  - **G6: Community <​del>​contributions are encouraged</​del>​ engagement is understood** ​
 +      - <​del>​SP6.1:​ Individual contributions are reviewed and approved</​del>​
 +      - <​del>​SP6.2:​ Company contributions are reviewed and approved</​del>​
 +      - __SP6.1: Community participation is reviewed and approved.__
  
 {{:openchain:g1.jpg|}}
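Review bot: the third-level numbering in the new outline is inconsistent with its own legend. Under G1 the third level is labelled C1.1.1, C1.2.1 and so on, matching "C = Criteria for supporting practices", but under SP2.2, SP3.2 and SP5.3 the same level is labelled SP2.2.1, SP3.2.1 and SP5.3.1; either rename those to C2.2.1, C3.2.1 and C5.3.1 or state that nested supporting practices are permitted. The inline "(JL: ...)" review questions (delivery format in C1.2.3, the word "compliance" in C1.2.4, whether tools are mandatory in SP2.2.2, who counts as a supplier in SP3.2) are open decisions embedded in the model text and should be resolved or moved to a separate issues list before the outline is adopted, and G6 still carries <del> and __ change markup rather than final wording.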
Line 61: Line 121:
  
 {{:openchain:g6.jpg|}}
 +====== Appendix B ======
  
-G6: Community <​del>​contributions are encouraged</​del>​ engagement is understood\\  +===== Multi-Level vs Single-Level Compliance Certifications ​=====
-Supporting Practices:​\\  +
-<​del>​SP6.1:​ Individual contributions are reviewed and approved</​del>​\\  +
-<​del>​SP6.2:​ Company contributions are reviewed and approved</​del>​\\  +
-__SP6.1: Community participation are reviewed and approved.__ +
- +
- +
- +
-===== Appendix B =====  +
- +
-==== Multi-Level vs Single-Level Compliance Certifications ====+
    
-=== Multi-Level Compliance Certification ===+==== Multi-Level Compliance Certification ​====
  
 The following text refers back to the compliance reference model presented in Appendix A, above. Inasmuch as the reference model will likely evolve, so too would the ideas presented here on levels of compliance process maturity. Community input will influence assignment of capabilities to maturity levels. Additional detail in the model will also influence the determination of maturity level. For instance, SP3.2.2 (“Supplier FOSS disclosures are made and reviewed”) could be appraised at different levels of maturity depending on the supporting practices involved. A simple supplier disclosure on paper or in a spreadsheet might characterize an Initial level of maturity; using the output report of an automated scanning tool’s analysis of the supplier’s source code might characterize a Basic level of maturity; and an SPDX™-based bill of material prepared after a scanning tool’s analysis might characterize an Advanced level of maturity.
Line 95: Line 146:
 {{:openchain:compliance_certification_levels_fig_.jpg|}}
  
-=== Single-Level Compliance Certification === +==== Single-Level Compliance Certification ​==== 
  
 A single-level compliance model for purpose of certification would correspond to the “Basic” maturity level described above. Practices at the “Basic” level are those required to achieve compliance on a routine basis, regardless of productivity or efficiency considerations. Certification is intended to communicate that a sponsor can rely on a supplier’s compliance practices.
Line 101: Line 152:
 While the capabilities implied by the “Advanced” maturity level above may be desirable for multiple reasons, those steps may not be necessary to achieve compliance and provide the desired level of trust and reliance. Appraisals would closely examine the evidence presented and responses from interviewees to determine whether compliance processes are working effectively. Failure to achieve compliance on a routine basis may be evidence that “Advanced” practices, in fact, are needed.
    
-===== Appendix C ===== +====== Appendix C ====== 
  
-==== A Comparative Look at Popular Certification Models ====+===== A Comparative Look at Popular Certification Models ​=====
    
-=== Software Engineering Institute (SEI) ===+==== Software Engineering Institute (SEI) ====
    
  
Line 112: Line 163:
 Although the SEI originally focused on self-appraisals to encourage frank and confidential internal discussions about improvement needs, eventually many DoD contract sponsors required that bidders provide evidence of (at least) Level 3 maturity. These funding agencies required an appraisal, conducted by a government-approved appraisal team, as part of the award process.
    
-Over time, the SEI’s model was recognized for the soundness of its software engineering principles and its ability to drive process improvements. A large community of industry and government people coalesced around its guidance. The model itself has continued to evolve and has spawned additional maturity models, as well as a cottage industry of consultants offering appraisal and training services.+Over time, the SEI’s model was recognized for the soundness of its software engineering principles and its ability to drive process improvements. A large community of industry and government people coalesced around its guidance. The model itself has continued to evolve and has spawned additional maturity models, as well as a cottage industry of consultants offering appraisal and training ​[[https://​www.linkedin.com/​company/​redgage-llc | services]].
    
-=== ISO 9001 === +==== ISO 9001 ==== 
  
 The ISO 9000 family of standards address quality management systems and are published by ISO, the International Organization for Standardization. ISO 9001 covers engineering and product development activity. Reportedly, over one million companies worldwide are independently certified as having met the ISO 9001 standard. Certified companies typically display their ISO 9001 banners and emblems proudly as a distinctive mark of competitive excellence.
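Review bot: the only substantive change in this hunk is that the word "services" at the end of the SEI paragraph now links to an unrelated LinkedIn company page (https://www.linkedin.com/company/redgage-llc), which has no connection to SEI appraisal or training and reads as link spam introduced in the 2016/08/11 revision. Revert to the plain word "services" from the previous revision, and consider restricting link-adding edits on this page to working-group members.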
Line 122: Line 173:
 An ISO 9001 audit results in a pass/fail outcome, rather than a maturity level as in the SEI model. Audits result in lists of corrective actions to be taken. Major “discrepancies” can result in audit failure; minor “discrepancies,” no matter how numerous, will not stand in the way of passing the audit. Audit follow-up typically involves corrective actions whose completion must be reported to the certification agent. Re-certification must occur periodically, typically every three years.
    
-===== Appendix ​=====+====== Appendix ​D ======
  
-==== Initial Ideas on Certification Appraisals ==== +===== Initial Ideas on Certification Appraisals ​===== 
  
 When performing certification appraisals, auditors must look for evidence that a practice is routinely and repeatedly performed and that it accomplishes its intended purpose. Typically, auditors ask to see evidence that a practice has been used, for instance, status reports, action item lists, meeting minutes, scan reports, policies and procedures, forms (both templates and completed examples), checklists, and so on. Auditors interview the people performing the compliance practices, asking them questions such as:
Line 144: Line 195:
    
  
 +====== Comments ======
  
- +Enter comments here
  
  
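Review bot: the new "Comments" section added at the end of the page contains only the placeholder "Enter comments here"; either remove the section until there is content or replace the placeholder with an instruction on where working-group comments should go, since a stray placeholder in the proposal text will otherwise be read as part of the document.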
openchain/proposed-draft.1421355174.txt.gz · Last modified: 2015/01/15 20:52 by Kellyw