openchain:proposed-draft

openchain:proposed-draft [2015/02/03 15:55]
jlovejoy [Outline of Compliance Reference Model]
openchain:proposed-draft [2016/08/11 12:12] (current)
AliceSmith [Software Engineering Institute (SEI)]
Line 75: Line 75:
               * How to adhere to FOSS approval process               * How to adhere to FOSS approval process
           * C1.2.3 Delivery method\\           * C1.2.3 Delivery method\\
-              * In-person, online //should we dictate what format the training delivery method should be? Is this to mean it can be in either in-person or online - or needs to be in both formats?//​ +              * In-person, online //(JL: should we dictate what format the training delivery method should be? Is this to mean it can be in either in-person or online - or needs to be in both formats?)// 
-          * C1.2.4 Compliance and attendance //​compliance with the training? ​ might not want to use the word "​compliance"​ here as it is more associated with license compliance?//​+          * C1.2.4 Compliance and attendance //(JL: compliance with the training? ​ might not want to use the word "​compliance"​ here as it is more associated with license compliance?)//
               * Recordkeeping               * Recordkeeping
               * Reoccurring training               * Reoccurring training
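Review bot: The open question on C1.2.4 is carried into the new revision only as an inline "(JL: ...)" comment, while the item text still reads "Compliance and attendance", so the wording concern about "compliance" being read as license compliance stays unresolved in the outline itself. Either resolve it in the item text (for example "Training completion and attendance") or track it outside the outline, so the draft does not ship with review questions embedded in the model.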
Line 83: Line 83:
       - SP2.2  Compliance management activity is resourced       - SP2.2  Compliance management activity is resourced
           * SP2.2.1 ​ Processes, procedures, templates, forms, etc. are developed           * SP2.2.1 ​ Processes, procedures, templates, forms, etc. are developed
-          * SP2.2.2 ​ Compliance tool needs are identified //do we want to specifically say "​tools"?//​+          * SP2.2.2 ​ Compliance tool needs are identified //(JL: do we want to specifically say "​tools"? ​Are tools always required, e.g. small companies who still want to use these guidelines?​)//
           * SP2.2.3 ​ Compliance tools are evaluated, developed or acquired, and deployed           * SP2.2.3 ​ Compliance tools are evaluated, developed or acquired, and deployed
-      - SP2.3  Licensing expertise is available //recommend putting this as first SP here//+      - SP2.3  Licensing expertise is available //(JL: recommend putting this as first SP here)//
   - **G3: FOSS content (packages/​license) is known** //consider making this G2?//   - **G3: FOSS content (packages/​license) is known** //consider making this G2?//
       - SP3.1  Code audits/​scans are conducted       - SP3.1  Code audits/​scans are conducted
-      - SP3.2  Supplier compliance is managed ​ //define who a supplier is; what if the company in question is situated to not really have suppliers, do they still have to comply with these goals?//+      - SP3.2  Supplier compliance is managed ​ //(JL:  ​define who a supplier is; what if the company in question is situated to not really have suppliers, do they still have to comply with these goals?)//
           * SP3.2.1 ​ Supplier compliance practices are assessed           * SP3.2.1 ​ Supplier compliance practices are assessed
           * SP3.2.2 ​ Supplier FOSS disclosures are made and reviewed           * SP3.2.2 ​ Supplier FOSS disclosures are made and reviewed
           * SP3.2.3 ​ Supplier FOSS obligations are satisfied ​           * SP3.2.3 ​ Supplier FOSS obligations are satisfied ​
-      - SP3.3  FOSS records are maintained //move up in list here// +      - SP3.3  FOSS records are maintained //(JL: move up in list here)//
   - **G4: FOSS content is reviewed and approved**   - **G4: FOSS content is reviewed and approved**
-Supporting practices:​\\ +      - SP4.1  OSRB exists and is staffed appropriately 
-SP4.1  OSRB exists and is staffed appropriately\\ +      ​- ​SP4.2  Planned FOSS use is reviewed in context 
-SP4.2  Planned FOSS use is reviewed in context +      ​- ​SP4.3  License obligations are identified, understood, and documented 
-SP4.3  License obligations are identified, understood, and documented\\ +      ​- ​SP4.4  Issues are resolved and approval decisions are followed 
-SP4.4  Issues are resolved and approval decisions are followed\\ +  - **G5: FOSS obligations are satisfied** 
- +      ​- ​SP5.1  Documentation obligations are met 
-G5: FOSS obligations are satisfied\\ +      ​- ​SP5.2  Source code obligations are met 
-Supporting practices:​\\ +      ​- ​SP5.3  Community interface exists 
-SP5.1  Documentation obligations are met\\ +          ​* ​SP5.3.1 ​ Email and postal addresses work 
-SP5.2  Source code obligations are met\\ +          ​* ​SP5.3.2 ​ Web portal works 
-SP5.3  Community interface exists\\ +          ​* ​SP5.3.3 ​ Community requests and inquiries are satisfied 
--SP5.3.1 ​ Email and postal addresses work\\ +  - **G6: Community <​del>​contributions are encouraged</​del>​ engagement is understood**  
--SP5.3.2 ​ Web portal works\\ +      ​- ​<​del>​SP6.1:​ Individual contributions are reviewed and approved</​del>​ 
--SP5.3.3 ​ Community requests and inquiries are satisfied\\ +      ​- ​<​del>​SP6.2:​ Company contributions are reviewed and approved</​del>​ 
- +      ​- ​__SP6.1: Community participation is reviewed and approved.__
-G6: Community <​del>​contributions are encouraged</​del>​ engagement is understood\\  +
-Supporting Practices:​\\ ​ +
-<​del>​SP6.1:​ Individual contributions are reviewed and approved</​del>​\\  +
-<​del>​SP6.2:​ Company contributions are reviewed and approved</​del>​\\  +
-__SP6.1: Community participation is reviewed and approved.__+
  
 {{:​openchain:​g1.jpg|}} {{:​openchain:​g1.jpg|}}
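Review bot: The G3 comment "//consider making this G2?//" is the one inline comment in this hunk that did not receive the "(JL: ...)" attribution prefix applied to all the others; add it for consistency so readers can tell whose open question it is. In the G6 block the struck "SP6.1" and "SP6.2" items remain in the list next to the underlined replacement "SP6.1: Community participation is reviewed and approved.", so the outline currently shows two SP6.1 entries; remove the struck items once the replacement is accepted. The conversion of G4 to G6 from "\\"-separated lines to the nested "-"/"*" list used by G1 to G3 is otherwise consistent with the rest of the model.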
Line 169: Line 163:
 Although the SEI originally focused on self-appraisals to encourage frank and confidential internal discussions about improvement needs, eventually many DoD contract sponsors required that bidders provide evidence of (at least) Level 3 maturity. These funding agencies required an appraisal, conducted by a government-approved appraisal team, as part of the award process. Although the SEI originally focused on self-appraisals to encourage frank and confidential internal discussions about improvement needs, eventually many DoD contract sponsors required that bidders provide evidence of (at least) Level 3 maturity. These funding agencies required an appraisal, conducted by a government-approved appraisal team, as part of the award process.
    
-Over time, the SEI’s model was recognized for the soundness of its software engineering principles and its ability to drive process improvements. A large community of industry and government people coalesced around its guidance. The model itself has continued to evolve and has spawned additional maturity models, as well as a cottage industry of consultants offering appraisal and training services.+Over time, the SEI’s model was recognized for the soundness of its software engineering principles and its ability to drive process improvements. A large community of industry and government people coalesced around its guidance. The model itself has continued to evolve and has spawned additional maturity models, as well as a cottage industry of consultants offering appraisal and training ​[[https://​www.linkedin.com/​company/​redgage-llc | services]].
    
 ==== ISO 9001 ====  ==== ISO 9001 ==== 
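Review bot: The only change in this hunk wraps the word "services" in a link to https://www.linkedin.com/company/redgage-llc, which has no connection to the SEI or the surrounding text about CMM appraisal and training; this reads as link spam introduced by the 2016/08/11 edit and should be reverted to the plain text "training services".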
openchain/proposed-draft.1422978951.txt.gz · Last modified: 2015/02/03 15:55 by jlovejoy