@evankanderson
Created October 13, 2025 19:43
--- docs/versions/2025-02-25.md 2025-10-13 12:41:28.344206651 -0700
+++ docs/versions/2025-10-10.md 2025-10-13 12:41:28.344707215 -0700
@@ -1,10 +1,14 @@
+---
+nav-title: Current Version
+---
# Open Source Project Security Baseline
-Version: 2025-02-25
+Version: 2025-10-10
+
<button onclick="toTop()" id="topButton" title="Go to top"
-style="display: none; position: fixed; bottom: 20px; right: 30px; border: none; background-color: CornflowerBlue; color: white; cursor: pointer; padding: 10px; border-radius: 10px; font-size: 18px;">to top</button>
+style="display: none; position: fixed; bottom: 20px; right: 30px; border: none; background-color: CornflowerBlue; color: white; cursor: pointer; padding: 10px; border-radius: 10px; font-size: 18px;">to top</button>
<script>
let topButton = document.getElementById("topButton");
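Review bot: the `nav-title: Current Version` front matter is being added to a dated file (docs/versions/2025-10-10.md), so when the next version lands this block has to be removed here and re-added to the new file; either note that step in the release procedure or derive the nav title from the versions index instead of hard-coding it in a dated file. The `style="…"` line of the top button also shows as changed with no visible difference, which points to a trailing-whitespace edit; dropping it keeps the hunk to the intended changes.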
@@ -33,7 +37,6 @@
The controls are organized by maturity level and category.
In the detailed subsections you will find the control, rationale, and details notes.
-
Where possible, we have added control mappings to external frameworks.
These are not guaranteed to be 100% matches, but instead serve as references
when working to meet the corresponding controls.
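Review bot: removing the blank line after "In the detailed subsections you will find the control, rationale, and details notes." merges that sentence with the "Where possible, we have added control mappings…" paragraph into a single rendered paragraph. If this was only meant to tidy whitespace, keep the blank line so the two thoughts stay separate.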
@@ -50,80 +53,92 @@
### Level 1
-**[OSPS-AC-01.01](#osps-ac-0101)**: When a user attempts to access a sensitive resource in the project&#39;s
-[version control system], the system MUST require the user to complete
+**[OSPS-AC-01.01](#osps-ac-0101)**: When a [user] attempts to read or modify a [sensitive resource] in the [project]&#39;s
+authoritative [repository], the system MUST require the [user] to complete
a [multi-factor authentication] process.
**[OSPS-AC-02.01](#osps-ac-0201)**: When a new [collaborator] is added, the [version control system] MUST
require manual permission assignment, or restrict the [collaborator]
permissions to the lowest available privileges by default.
-**[OSPS-AC-03.01](#osps-ac-0301)**: When a direct [commit] is attempted on the project&#39;s [primary branch],
+**[OSPS-AC-03.01](#osps-ac-0301)**: When a direct [commit] is attempted on the [project]&#39;s [primary branch],
an enforcement mechanism MUST prevent the [change] from being applied.
-**[OSPS-AC-03.02](#osps-ac-0302)**: When an attempt is made to delete the project&#39;s [primary branch],
+**[OSPS-AC-03.02](#osps-ac-0302)**: When an attempt is made to delete the [project]&#39;s [primary branch],
the [version control system] MUST treat this as a sensitive activity
and require explicit confirmation of intent.
**[OSPS-BR-01.01](#osps-br-0101)**: When a [CI/CD pipeline] accepts an input parameter, that parameter MUST
be sanitized and validated prior to use in the pipeline.
-**[OSPS-BR-03.01](#osps-br-0301)**: When the project lists a URI as an official project channel, that URI
+**[OSPS-BR-01.02](#osps-br-0102)**: When a [CI/CD pipeline] uses a branch name in its functionality, that
+name value MUST be sanitized and validated prior to use in the
+pipeline.
+
+**[OSPS-BR-03.01](#osps-br-0301)**: When the [project] lists a URI as an official [project] channel, that URI
MUST be exclusively delivered using encrypted channels.
-**[OSPS-DO-01.01](#osps-do-0101)**: When the project has made a [release], the [project documentation] MUST
-include user guides for all basic functionality.
+**[OSPS-BR-03.02](#osps-br-0302)**: When the [project] lists a URI as an official distribution channel,
+that URI MUST be exclusively delivered using encrypted channels.
-**[OSPS-DO-02.01](#osps-do-0201)**: When the project has made a [release], the [project documentation] MUST
+**[OSPS-BR-07.01](#osps-br-0701)**: The [project] MUST prevent the unintentional storage of unencrypted [sensitive data], such as secrets and credentials, in the [version control system].
+
+**[OSPS-DO-01.01](#osps-do-0101)**: When the [project] has made a [release], the [project] documentation MUST
+include [user] guides for all basic functionality.
+
+**[OSPS-DO-02.01](#osps-do-0201)**: When the [project] has made a [release], the [project] documentation MUST
include a guide for reporting [defects].
-**[OSPS-GV-02.01](#osps-gv-0201)**: While active, the project MUST have one or more mechanisms for public
+**[OSPS-GV-02.01](#osps-gv-0201)**: While active, the [project] MUST have one or more mechanisms for public
discussions about proposed [changes] and usage obstacles.
-**[OSPS-GV-03.01](#osps-gv-0301)**: While active, the [project documentation] MUST include an explanation
+**[OSPS-GV-03.01](#osps-gv-0301)**: While active, the [project] documentation MUST include an explanation
of the contribution process.
-**[OSPS-LE-02.01](#osps-le-0201)**: While active, the [license] for the source code MUST meet the OSI Open
+**[OSPS-LE-02.01](#osps-le-0201)**: While active, the [license] for the source [code] MUST meet the OSI Open
Source Definition or the FSF Free Software Definition.
**[OSPS-LE-02.02](#osps-le-0202)**: While active, the [license] for the [released software assets] MUST meet
the OSI Open Source Definition or the FSF Free Software Definition.
-**[OSPS-LE-03.01](#osps-le-0301)**: While active, the [license] for the source code MUST be maintained in
+**[OSPS-LE-03.01](#osps-le-0301)**: While active, the [license] for the source [code] MUST be maintained in
the corresponding [repository]&#39;s [LICENSE] file, COPYING file, or
[LICENSE]/ directory.
**[OSPS-LE-03.02](#osps-le-0302)**: While active, the [license] for the [released software assets] MUST be
-included in the released source code, or in a [LICENSE] file, COPYING
+included in the released source [code], or in a [LICENSE] file, COPYING
file, or [LICENSE]/ directory alongside the corresponding [release]
assets.
-**[OSPS-QA-01.01](#osps-qa-0101)**: While active, the project&#39;s source code [repository] MUST be publicly
+**[OSPS-QA-01.01](#osps-qa-0101)**: While active, the [project]&#39;s source [code] [repository] MUST be publicly
readable at a static URL.
**[OSPS-QA-01.02](#osps-qa-0102)**: The [version control system] MUST contain a publicly readable record of
all [changes] made, who made the [changes], and when the [changes] were
made.
-**[OSPS-QA-02.01](#osps-qa-0201)**: When the package management system supports it, the source code
+**[OSPS-QA-02.01](#osps-qa-0201)**: When the package management system supports it, the source [code]
[repository] MUST contain a dependency list that accounts for the direct
language dependencies.
-**[OSPS-QA-04.01](#osps-qa-0401)**: While active, the [project documentation] MUST contain a list of any
-[codebases] that are considered [subprojects] or additional [repositories].
+**[OSPS-QA-04.01](#osps-qa-0401)**: While active, the [project] documentation MUST contain a list of any
+codebases that are considered [subprojects].
**[OSPS-QA-05.01](#osps-qa-0501)**: While active, the [version control system] MUST NOT contain generated
executable artifacts.
-**[OSPS-VM-02.01](#osps-vm-0201)**: While active, the [project documentation] MUST contain
+**[OSPS-QA-05.02](#osps-qa-0502)**: While active, the [version control system] MUST NOT contain unreviewable
+binary artifacts.
+
+**[OSPS-VM-02.01](#osps-vm-0201)**: While active, the [project] documentation MUST contain
security contacts.
### Level 2
**[OSPS-AC-04.01](#osps-ac-0401)**: When a CI/CD task is executed with no permissions specified, the
-project&#39;s [version control system] MUST default to the lowest available
-permissions for all activities in the pipeline.
+CI/CD system MUST default the task&#39;s permissions to the lowest
+permissions granted in the pipeline.
**[OSPS-BR-02.01](#osps-br-0201)**: When an official [release] is created, that [release] MUST be assigned a
unique [version identifier].
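Review bot: OSPS-AC-01.01 now requires MFA when a [user] attempts to "read or modify a [sensitive resource] in the [project]'s authoritative [repository]", while OSPS-QA-01.01 in the same list still requires that repository to be publicly readable at a static URL; the two only reconcile if the glossary definition of [sensitive resource] excludes ordinary repository content, so please confirm the definition says that, or restrict the new wording to "modify". Style point: OSPS-BR-07.01 lands as one unwrapped line while every other control in this list wraps at about 72 columns; wrap it to match, e.g.
`**[OSPS-BR-07.01](#osps-br-0701)**: The [project] MUST prevent the unintentional storage of`
`unencrypted [sensitive data], such as secrets and credentials, in the`
`[version control system].`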
@@ -139,125 +154,131 @@
accounted for in a signed manifest including each asset&#39;s
cryptographic hashes.
-**[OSPS-DO-06.01](#osps-do-0601)**: When the project has made a [release], the [project documentation] MUST
-include a description of how the project selects, obtains, and tracks
+**[OSPS-DO-06.01](#osps-do-0601)**: When the [project] has made a [release], the [project] documentation MUST
+include a description of how the [project] selects, obtains, and tracks
its dependencies.
-**[OSPS-GV-01.01](#osps-gv-0101)**: While active, the [project documentation] MUST include a list of
-project members with access to sensitive resources.
+**[OSPS-GV-01.01](#osps-gv-0101)**: While active, the [project] documentation MUST include a list of
+[project] members with access to [sensitive resources].
-**[OSPS-GV-01.02](#osps-gv-0102)**: While active, the [project documentation] MUST include descriptions of
-the roles and responsibilities for members of the project.
+**[OSPS-GV-01.02](#osps-gv-0102)**: While active, the [project] documentation MUST include descriptions of
+the roles and responsibilities for members of the [project].
-**[OSPS-GV-03.02](#osps-gv-0302)**: While active, the [project documentation] MUST include a guide for code
+**[OSPS-GV-03.02](#osps-gv-0302)**: While active, the [project] documentation MUST include a guide for [code]
[contributors] that includes requirements for acceptable contributions.
-**[OSPS-LE-01.01](#osps-le-0101)**: While active, the [version control system] MUST require all code
+**[OSPS-LE-01.01](#osps-le-0101)**: While active, the [version control system] MUST require all [code]
[contributors] to assert that they are legally authorized to make the
associated contributions on every [commit].
**[OSPS-QA-03.01](#osps-qa-0301)**: When a [commit] is made to the [primary branch], any automated status
checks for [commits] MUST pass or be manually bypassed.
-**[OSPS-QA-06.01](#osps-qa-0601)**: Prior to a [commit] being accepted, the project&#39;s [CI/CD pipelines] MUST
+**[OSPS-QA-06.01](#osps-qa-0601)**: Prior to a [commit] being accepted, the [project]&#39;s [CI/CD pipelines] MUST
run at least one [automated test suite] to ensure the [changes] meet
expectations.
-**[OSPS-SA-01.01](#osps-sa-0101)**: When the project has made a [release], the [project documentation] MUST
+**[OSPS-SA-01.01](#osps-sa-0101)**: When the [project] has made a [release], the [project] documentation MUST
include design documentation demonstrating all actions and actors
within the system.
-**[OSPS-SA-02.01](#osps-sa-0201)**: When the project has made a [release], the [project documentation] MUST
+**[OSPS-SA-02.01](#osps-sa-0201)**: When the [project] has made a [release], the [project] documentation MUST
include descriptions of all external software interfaces of the
[released software assets].
-**[OSPS-SA-03.01](#osps-sa-0301)**: When the project has made a [release], the project MUST perform a
+**[OSPS-SA-03.01](#osps-sa-0301)**: When the [project] has made a [release], the [project] MUST perform a
security assessment to understand the most likely and impactful
potential security problems that could occur within the software.
-**[OSPS-VM-01.01](#osps-vm-0101)**: While active, the [project documentation] MUST
-include a policy for coordinated [vulnerability reporting], with a clear
+**[OSPS-VM-01.01](#osps-vm-0101)**: While active, the [project] documentation MUST
+include a policy for [coordinated vulnerability disclosure] ([CVD]), with a clear
timeframe for response.
-**[OSPS-VM-03.01](#osps-vm-0301)**: While active, the [project documentation] MUST
-provide a means for reporting security vulnerabilities privately to
-the security contacts within the project.
+**[OSPS-VM-03.01](#osps-vm-0301)**: While active, the [project] documentation MUST
+provide a means for [private vulnerability reporting] directly to
+the security contacts within the [project].
-**[OSPS-VM-04.01](#osps-vm-0401)**: While active, the [project documentation] MUST
+**[OSPS-VM-04.01](#osps-vm-0401)**: While active, the [project] documentation MUST
publicly publish data about discovered vulnerabilities.
### Level 3
**[OSPS-AC-04.02](#osps-ac-0402)**: When a job is assigned permissions in a [CI/CD pipeline], the source
-code or configuration MUST only assign the minimum privileges
+[code] or configuration MUST only assign the minimum privileges
necessary for the corresponding activity.
**[OSPS-BR-02.02](#osps-br-0202)**: When an official [release] is created, all assets within that [release]
MUST be clearly associated with the [release] identifier or another
unique identifier for the asset.
-**[OSPS-DO-03.01](#osps-do-0301)**: When the project has made a [release], the [project documentation] MUST
+**[OSPS-BR-07.02](#osps-br-0702)**: The [project] MUST define a policy for managing secrets and credentials used by the [project]. The policy should include guidelines for storing, accessing, and rotating secrets and credentials.
+
+**[OSPS-DO-03.01](#osps-do-0301)**: When the [project] has made a [release], the [project] documentation MUST
contain instructions to verify the integrity and authenticity of the
[release] assets.
-**[OSPS-DO-04.01](#osps-do-0401)**: When the project has made a [release], the [project documentation] MUST
+**[OSPS-DO-03.02](#osps-do-0302)**: When the [project] has made a [release], the [project] documentation MUST
+contain instructions to verify the expected identity of the [person] or
+process authoring the software [release].
+
+**[OSPS-DO-04.01](#osps-do-0401)**: When the [project] has made a [release], the [project] documentation MUST
include a descriptive statement about the scope and duration of
support for each [release].
-**[OSPS-DO-05.01](#osps-do-0501)**: When the project has made a [release], the [project documentation] MUST
+**[OSPS-DO-05.01](#osps-do-0501)**: When the [project] has made a [release], the [project] documentation MUST
provide a descriptive statement when [releases] or versions will no
longer receive security updates.
-**[OSPS-GV-04.01](#osps-gv-0401)**: While active, the [project documentation] MUST have a policy that code
-[contributors] are reviewed prior to granting escalated permissions to
-sensitive resources.
+**[OSPS-GV-04.01](#osps-gv-0401)**: While active, the [project] documentation MUST have a policy that [code]
+[collaborators] are reviewed prior to granting escalated permissions to
+[sensitive resources].
-**[OSPS-QA-02.02](#osps-qa-0202)**: When the project has made a [release], all compiled released software
+**[OSPS-QA-02.02](#osps-qa-0202)**: When the [project] has made a [release], all compiled released software
assets MUST be delivered with a [software bill of materials].
-**[OSPS-QA-04.02](#osps-qa-0402)**: When the project has made a [release] comprising multiple source code
+**[OSPS-QA-04.02](#osps-qa-0402)**: When the [project] has made a [release] comprising multiple source [code]
[repositories], all [subprojects] MUST enforce security requirements that
-are as strict or stricter than the primary [codebase].
+are as strict or stricter than the primary codebase.
-**[OSPS-QA-06.02](#osps-qa-0602)**: While active, project&#39;s documentation MUST clearly document when and
+**[OSPS-QA-06.02](#osps-qa-0602)**: While active, [project]&#39;s documentation MUST clearly document when and
how tests are run.
-**[OSPS-QA-06.03](#osps-qa-0603)**: While active, the project&#39;s documentation MUST include a policy that
-all major [changes] to the software produced by the project should add
+**[OSPS-QA-06.03](#osps-qa-0603)**: While active, the [project]&#39;s documentation MUST include a policy that
+all major [changes] to the software produced by the [project] should add
or update tests of the functionality in an [automated test suite].
-**[OSPS-QA-07.01](#osps-qa-0701)**: When a [commit] is made to the [primary branch], the project&#39;s version
-control system MUST require at least one non-author approval of the
+**[OSPS-QA-07.01](#osps-qa-0701)**: When a [commit] is made to the [primary branch], the [project]&#39;s version
+control system MUST require at least one non-author human approval of the
[changes] before merging.
-**[OSPS-SA-03.02](#osps-sa-0302)**: When the project has made a [release], the project MUST perform a threat
+**[OSPS-SA-03.02](#osps-sa-0302)**: When the [project] has made a [release], the [project] MUST perform a threat
modeling and [attack surface analysis] to understand and protect against
-attacks on critical code paths, functions, and interactions within the
+attacks on critical [code] paths, functions, and interactions within the
system.
**[OSPS-VM-04.02](#osps-vm-0402)**: While active, any vulnerabilities in the
-software components not affecting the project MUST be accounted for
+software components not affecting the [project] MUST be accounted for
in a VEX document, augmenting the vulnerability report with
non-exploitability details.
-**[OSPS-VM-05.01](#osps-vm-0501)**: While active, the [project documentation] MUST include a policy that
+**[OSPS-VM-05.01](#osps-vm-0501)**: While active, the [project] documentation MUST include a policy that
defines a threshold for remediation of [SCA] findings related to
vulnerabilities and [licenses].
-**[OSPS-VM-05.02](#osps-vm-0502)**: While active, the [project documentation] MUST include a policy to
+**[OSPS-VM-05.02](#osps-vm-0502)**: While active, the [project] documentation MUST include a policy to
address [SCA] violations prior to any [release].
-**[OSPS-VM-05.03](#osps-vm-0503)**: While active, all [changes] to the project&#39;s [codebase] MUST be
+**[OSPS-VM-05.03](#osps-vm-0503)**: While active, all [changes] to the [project]&#39;s codebase MUST be
automatically evaluated against a documented policy for malicious
dependencies and [known vulnerabilities] in dependencies, then blocked
in the event of violations, except when declared and suppressed as
non-exploitable.
-**[OSPS-VM-06.01](#osps-vm-0601)**: While active, the [project documentation] MUST include a policy that
+**[OSPS-VM-06.01](#osps-vm-0601)**: While active, the [project] documentation MUST include a policy that
defines a threshold for remediation of SAST findings.
-**[OSPS-VM-06.02](#osps-vm-0602)**: While active, all [changes] to the project&#39;s [codebase] MUST be
+**[OSPS-VM-06.02](#osps-vm-0602)**: While active, all [changes] to the [project]&#39;s codebase MUST be
automatically evaluated against a documented policy for security
weaknesses and blocked in the event of violations except when declared
and suppressed as non-exploitable.
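Review bot: OSPS-GV-04.01 changes the reviewed population from "[code] [contributors]" to "[code] [collaborators]"; if the glossary distinguishes those terms (a collaborator already holding some repository permissions), this narrows a control that is specifically about review before granting escalated permissions to [sensitive resources], so confirm it is deliberate and not a find-and-replace slip. This hunk also introduces new bracketed terms ([coordinated vulnerability disclosure], [CVD], [private vulnerability reporting], [person]) and de-links "codebase" in OSPS-QA-04.02, OSPS-VM-05.03 and OSPS-VM-06.02; every new term needs a matching reference-link definition or it renders as literal brackets, and the removal of the codebase link should be checked against the glossary. OSPS-BR-07.02 is a single unwrapped line like OSPS-BR-07.01 and should be wrapped the same way.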
@@ -277,7 +298,7 @@
-### OSPS-AC-01 - The project&#39;s [version control system] MUST require multi-factor authentication for [collaborators] modifying the project [repository] settings or accessing sensitive data.
+### OSPS-AC-01 - The [project]&#39;s [version control system] MUST require multi-factor authentication for [users] modifying the [project] [repository] settings or accessing [sensitive data].
Reduce the risk of account compromise or insider threats by requiring
multi-factor authentication for collaborators modifying the project
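Review bot: the OSPS-AC-01 heading now says "[users]" and "[sensitive data]", but the rationale text directly under it still reads "multi-factor authentication for collaborators modifying the project"; update the rationale to use the same terms, otherwise the control's scope reads differently in the heading and in its explanation.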
@@ -288,7 +309,7 @@
#### OSPS-AC-01.01
-**Requirement:** When a user attempts to access a sensitive resource in the project&#39;s [version control system], the system MUST require the user to complete a [multi-factor authentication] process.
+**Requirement:** When a [user] attempts to read or modify a [sensitive resource] in the [project]&#39;s authoritative [repository], the system MUST require the [user] to complete a [multi-factor authentication] process.
**Recommendation:** Enforce multi-factor authentication for the project&#39;s version
control system, requiring collaborators to provide a second form of
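Review bot: the OSPS-AC-01.01 Requirement now covers a [user] attempting to "read or modify a [sensitive resource] in the [project]'s authoritative [repository]", but the Recommendation that follows is unchanged and still speaks of "requiring collaborators to provide a second form of" authentication for settings changes. Revise the Recommendation so it addresses reads of sensitive resources and uses the [user] term, so an implementer is not left with guidance narrower than the requirement.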
@@ -296,6 +317,7 @@
settings. Passkeys are acceptable for this control.
+**Control applies to:**
- Maturity Level 1
- Maturity Level 2
- Maturity Level 3
@@ -305,20 +327,22 @@
#### External Framework Mappings
- - **[BPB]**: CC-G-1
-
- - **[CRA]**: 1.2d, 1.2e, 1.2f
-
- - **[SSDF]**: PO3.2, PS1
-
- - **[CSF]**: PR.A-02
-
- - **[OCRE]**: 486-813, 124-564, 347-352, 333-858, 152-725, 201-246
+
+ - **[BPB]**: {CC-G-1 0 }
+ - **[CRA]**: {1.2d 0 }, {1.2e 0 }, {1.2f 0 }
+ - **[SSDF]**: {PO.3.2 0 }, {PS.1 0 }, {PS.2 0 }
+ - **[CSF]**: {PR.A-02 0 }, {PR.A-05 0 }
+ - **[OpenCRE]**: {486-813 0 }, {124-564 0 }, {347-352 0 }, {333-858 0 }, {152-725 0 }, {201-246 0 }
+ - **PSSCRM**: {G2.6 0 }, {P3.3 0 }, {E1.2 0 }, {E1.3 0 }, {E1.4 0 }, {E3.1 0 }
+ - **[SAMM]**: {Operations -Environment Management -Configuration Hardening Lvl1 0 }
+ - **[PCIDSS]**: {2.2.1 0 }, {8.2.1 0 }, {8.3.1 0 }
+ - **UKSSCOP**: {2.1 0 }
+ - **[800-161]**: {AC-4(21) 0 }, {AC-17 0 }, {CM-5 0 }, {CM-6 0 }, {IA-2 0 }, {IA-5 0 }, {1.2e 0 }, {1.2f 0 }
---
-### OSPS-AC-02 - The project&#39;s [version control system] MUST restrict [collaborator] permissions to the lowest available privileges by default.
+### OSPS-AC-02 - The [project]&#39;s [version control system] MUST restrict [collaborator] permissions to the lowest available privileges by default.
Reduce the risk of unauthorized access to the project&#39;s repository by
limiting the permissions granted to new collaborators.
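Review bot: every entry in the rewritten mapping list is wrapped as `{ID 0 }` (e.g. `{CC-G-1 0 }`, `{PO.3.2 0 }`), which looks like a template placeholder that did not render: the braces will appear literally on the page and the trailing `0` means nothing to a reader. Fix or re-run the generator so entries come out as plain identifiers or links. Separately, the `[800-161]` row ends with `{1.2e 0 }, {1.2f 0 }`, which are CRA identifiers already listed under `[CRA]` and not SP 800-161 controls; they look pasted into the wrong row. Also `PSSCRM` and `UKSSCOP` are the only frameworks here without `[...]` reference-link brackets, and `[OCRE]` is renamed to `[OpenCRE]`, so check that the reference definitions at the end of the file cover the new names.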
@@ -336,6 +360,7 @@
additional permissions only when necessary.
+**Control applies to:**
- Maturity Level 1
- Maturity Level 2
- Maturity Level 3
@@ -345,18 +370,20 @@
#### External Framework Mappings
- - **[CRA]**: 1.2f
-
- - **[SSDF]**: PO3.2, PS1
-
- - **[CSF]**: PR:AA-02
-
- - **[OCRE]**: 486-813, 124-564, 802-056, 368-633, 152-725
+
+ - **[CRA]**: {1.2f 0 }
+ - **[SSDF]**: {PO.2 0 }, {PO.3.2 0 }, {PS.1 0 }, {PS.2 0 }
+ - **[CSF]**: {PR.AA-02 0 }, {PR.AA-05 0 }
+ - **[OpenCRE]**: {486-813 0 }, {124-564 0 }, {802-056 0 }, {368-633 0 }, {152-725 0 }
+ - **PSSCRM**: {P2.3 0 }, {E1.2 0 }, {E3.3 0 }
+ - **[PCIDSS]**: {2.2.1 0 }
+ - **UKSSCOP**: {2.1 0 }
+ - **[800-161]**: {AC-2 0 }, {AC-3 0 }, {AC-4(21) 0 }, {AC-5 0 }, {AC-6 0 }, {CM-5 0 }, {CM-7 0 }
---
-### OSPS-AC-03 - The project&#39;s [version control system] MUST prevent unintentional modification of the [primary branch].
+### OSPS-AC-03 - The [project]&#39;s [version control system] MUST prevent unintentional modification of the [primary branch].
Reduce the risk of accidental changes or deletion of the primary branch
of the project&#39;s repository by preventing unintentional modification.
@@ -366,7 +393,7 @@
#### OSPS-AC-03.01
-**Requirement:** When a direct [commit] is attempted on the project&#39;s [primary branch], an enforcement mechanism MUST prevent the [change] from being applied.
+**Requirement:** When a direct [commit] is attempted on the [project]&#39;s [primary branch], an enforcement mechanism MUST prevent the [change] from being applied.
**Recommendation:** If the VCS is centralized, set branch protection on the primary branch
in the project&#39;s VCS. Alternatively, use a decentralized approach,
@@ -375,6 +402,7 @@
specific separate act.
+**Control applies to:**
- Maturity Level 1
- Maturity Level 2
- Maturity Level 3
@@ -384,12 +412,13 @@
#### OSPS-AC-03.02
-**Requirement:** When an attempt is made to delete the project&#39;s [primary branch], the [version control system] MUST treat this as a sensitive activity and require explicit confirmation of intent.
+**Requirement:** When an attempt is made to delete the [project]&#39;s [primary branch], the [version control system] MUST treat this as a sensitive activity and require explicit confirmation of intent.
**Recommendation:** Set branch protection on the primary branch in the project&#39;s version
control system to prevent deletion.
+**Control applies to:**
- Maturity Level 1
- Maturity Level 2
- Maturity Level 3
@@ -399,18 +428,21 @@
#### External Framework Mappings
- - **[CRA]**: 1.2f
-
- - **[SSDF]**: PO3.2, PS1
-
- - **[CSF]**: PR.A-02
-
- - **[OCRE]**: 486-813, 124-564, 123-124, 152-725
+
+ - **[CRA]**: {1.2f 0 }
+ - **[SSDF]**: {PO.3.2 0 }, {PS.1 0 }, {PS.2 0 }
+ - **[CSF]**: {PR.A-02 0 }, {PR.A-05 0 }
+ - **[OpenCRE]**: {486-813 0 }, {124-564 0 }, {152-725 0 }
+ - **Scorecard**: {Branch-Protection 0 }
+ - **PSSCRM**: {P3.2 0 }, {P3.5 0 }, {E1.5 0 }, {E3.1 0 }
+ - **[PCIDSS]**: {2.2.1 0 }
+ - **UKSSCOP**: {2.1 0 }, {2.2 0 }
+ - **[800-161]**: {AC-3 0 }, {AC-5 0 }, {CM-3 0 }, {CM-3(2) 0 }, {CM-5 0 }
---
-### OSPS-AC-04 - The project&#39;s permissions in [CI/CD pipelines] MUST follow the principle of least privilege.
+### OSPS-AC-04 - The [project]&#39;s permissions in [CI/CD pipelines] MUST follow the principle of least privilege.
Reduce the risk of unauthorized access to the project&#39;s build and release
processes by limiting the permissions granted to steps within the CI/CD
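Review bot: the `[OpenCRE]` row for OSPS-AC-03 drops `123-124`, which the previous `[OCRE]` line carried (`486-813, 124-564, 123-124, 152-725`), while the same identifier is retained for OSPS-AC-04 further down. If the removal is intentional it deserves a mention in the change description; otherwise restore it.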
@@ -421,13 +453,14 @@
#### OSPS-AC-04.01
-**Requirement:** When a CI/CD task is executed with no permissions specified, the project&#39;s [version control system] MUST default to the lowest available permissions for all activities in the pipeline.
+**Requirement:** When a CI/CD task is executed with no permissions specified, the CI/CD system MUST default the task&#39;s permissions to the lowest permissions granted in the pipeline.
**Recommendation:** Configure the project&#39;s settings to assign the lowest available
permissions to new pipelines by default, granting additional
permissions only when necessary for specific tasks.
+**Control applies to:**
- Maturity Level 2
- Maturity Level 3
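Review bot: the reworded OSPS-AC-04.01 Requirement, "default the task's permissions to the lowest permissions granted in the pipeline", is ambiguous: it can be read as "the smallest permission set that some other job in the pipeline was granted", which is not the least-privilege default that the previous wording ("lowest available permissions") and the unchanged Recommendation ("assign the lowest available permissions to new pipelines by default") describe. Suggest "the CI/CD system MUST default the task's permissions to the lowest available permissions" so Requirement and Recommendation agree.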
@@ -436,7 +469,7 @@
#### OSPS-AC-04.02
-**Requirement:** When a job is assigned permissions in a [CI/CD pipeline], the source code or configuration MUST only assign the minimum privileges necessary for the corresponding activity.
+**Requirement:** When a job is assigned permissions in a [CI/CD pipeline], the source [code] or configuration MUST only assign the minimum privileges necessary for the corresponding activity.
**Recommendation:** Configure the project&#39;s CI/CD pipelines to assign the lowest available
permissions to users and services by default, elevating permissions
@@ -445,6 +478,7 @@
level. If not, set permissions at the top level of the pipeline.
+**Control applies to:**
- Maturity Level 3
@@ -452,13 +486,17 @@
#### External Framework Mappings
- - **[CRA]**: 1.2d, 1.2e, 1.2f
-
- - **[SSDF]**: PO2, PO3.2, PS1
-
- - **[CSF]**: PR.AA-02, PR.AA-05
-
- - **[OCRE]**: 486-813, 124-564, 347-507, 263-284, 123-124
+
+ - **[CRA]**: {1.2d 0 }, {1.2e 0 }, {1.2f 0 }
+ - **[SSDF]**: {PO.2 0 }, {PO.3.2 0 }, {PS.1 0 }, {PS.2 0 }
+ - **[CSF]**: {PR.AA-02 0 }, {PR.AA-05 0 }
+ - **[OpenCRE]**: {486-813 0 }, {124-564 0 }, {347-507 0 }, {263-284 0 }, {123-124 0 }
+ - **[SLSA]**: {Producer - Choose an appropriate build platform 0 }, {Build platform - Isolation strength - Isolated 0 }
+ - **PSSCRM**: {P3.2 0 }
+ - **[SAMM]**: {Operations -Environment Management -Configuration Hardening Lvl1 0 }
+ - **[PCIDSS]**: {2.2.1 0 }, {8.2.1 0 }
+ - **UKSSCOP**: {2.1 0 }, {2.2 0 }
+ - **[800-161]**: {AC-3(8) 0 }, {AC-4 0 }, {AC-4(6) 0 }, {AC-6 0 }, {AC-20 0 }, {AC-20(1) 0 }, {CM-5 0 }, {CM-7 0 }
---
@@ -476,7 +514,7 @@
-### OSPS-BR-01 - The project&#39;s [build and release pipelines] MUST NOT permit untrusted input that allows access to privileged resources.
+### OSPS-BR-01 - The [project]&#39;s [build and release pipelines] MUST NOT permit untrusted input that allows access to privileged resources.
Reduce the risk of code injection or other security vulnerabilities in the
project&#39;s build and release pipelines by preventing untrusted input from
@@ -491,6 +529,7 @@
**Recommendation:**
+**Control applies to:**
- Maturity Level 1
- Maturity Level 2
- Maturity Level 3
@@ -504,24 +543,30 @@
**Recommendation:**
+**Control applies to:**
+- Maturity Level 1
+- Maturity Level 2
+- Maturity Level 3
#### External Framework Mappings
- - **[CRA]**: 1.2f
-
- - **[SSDF]**: PO3.2, PS1
-
- - **[CSF]**: PR.AA-02
-
- - **[OCRE]**: 486-813, 124-564, 357-352
+
+ - **[CRA]**: {1.2f 0 }
+ - **[SSDF]**: {PO.3.2 0 }, {PO.5.2 0 }, {PS.1 0 }, {PS.2 0 }
+ - **[CSF]**: {PR.AA-02 0 }
+ - **[OpenCRE]**: {486-813 0 }, {124-564 0 }, {357-352 0 }
+ - **[SLSA]**: {Choose an appropriate build platform 0 }
+ - **PSSCRM**: {P2.3 0 }, {P3.2 0 }, {P3.5 0 }, {E2.4 0 }, {E2.5 0 }, {D2.2 0 }
+ - **[PCIDSS]**: {2.2.1 0 }, {6.4.1 0 }
+ - **[800-161]**: {AC-3 0 }, {AC-4 0 }, {AC-4(21) 0 }, {CM-5 0 }, {CM-7 0 }, {SI-7 0 }
---
-### OSPS-BR-02 - All [releases] and [released software assets] MUST be assigned a unique [version identifier] for each [release] intended to be used by users.
+### OSPS-BR-02 - All [releases] and [released software assets] MUST be assigned a unique [version identifier] for each [release] intended to be used by [users].
Ensure that each software asset produced by the project is uniquely
identified, enabling users to track changes and updates to the project
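Review bot: the new OSPS-BR-01.02 control receives a "Control applies to" block here, but the `**Recommendation:**` line above it is empty (as is OSPS-BR-01.01's in the preceding hunk). A Level 1 control that requires sanitizing branch names in pipelines should ship with at least a one-line recommendation (for instance, treating the branch name as data passed through an environment variable rather than interpolating it into shell or script text) so implementers know what satisfies it. Also, the `[OpenCRE]` row keeps `357-352` while the other OpenCRE rows in this document reference `347-352`; check whether that is a transposition.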
@@ -539,6 +584,7 @@
Examples include SemVer, CalVer, or git commit id.
+**Control applies to:**
- Maturity Level 2
- Maturity Level 3
@@ -554,6 +600,7 @@
scheme. Examples include SemVer, CalVer, or git commit id.
+**Control applies to:**
- Maturity Level 3
@@ -561,18 +608,21 @@
#### External Framework Mappings
- - **[BPB]**: CC-B-5, CC-B-6, CC-B-7
-
- - **[CRA]**: 1.2f
-
- - **[SSDF]**: PO3.2, PS1, PS2, PS3
-
- - **[OCRE]**: 486-813, 124-564
+
+ - **[BPB]**: {CC-B-5 0 }, {CC-B-6 0 }, {CC-B-7 0 }
+ - **[CRA]**: {1.2f 0 }
+ - **[SSDF]**: {PO.3.2 0 }, {PS.1 0 }, {PS.2 0 }, {PS.3 0 }
+ - **[OpenCRE]**: {486-813 0 }, {124-564 0 }
+ - **[SLSA]**: {Follow a consistent build process 0 }, {Provenance generation- Exists, Authentic 0 }
+ - **PSSCRM**: {G1.4 0 }, {E1.2 0 }, {E2.1 0 }, {E2.6 0 }
+ - **[PCIDSS]**: {6.4.3 0 }
+ - **UKSSCOP**: {3.1 0 }
+ - **[800-161]**: {IA-4 0 }, {SA-15 0 }, {SI-7 0 }, {SR-4 0 }
---
-### OSPS-BR-03 - All official project URIs MUST be delivered using encrypted channels.
+### OSPS-BR-03 - All official [project] URIs MUST be delivered using encrypted channels.
Protect the confidentiality and integrity of project source code during
development, reducing the risk of eavesdropping or data tampering.
@@ -582,7 +632,7 @@
#### OSPS-BR-03.01
-**Requirement:** When the project lists a URI as an official project channel, that URI MUST be exclusively delivered using encrypted channels.
+**Requirement:** When the [project] lists a URI as an official [project] channel, that URI MUST be exclusively delivered using encrypted channels.
**Recommendation:** Configure the project&#39;s websites and version control systems to use
encrypted channels such as SSH or HTTPS for data transmission.
@@ -590,6 +640,7 @@
only be accessed via encrypted channels.
+**Control applies to:**
- Maturity Level 1
- Maturity Level 2
- Maturity Level 3
@@ -599,26 +650,33 @@
#### OSPS-BR-03.02
-**Requirement:** When the project lists a URI as an official distribution channel, that URI MUST be exclusively delivered using encrypted channels.
+**Requirement:** When the [project] lists a URI as an official distribution channel, that URI MUST be exclusively delivered using encrypted channels.
**Recommendation:** Configure the project&#39;s release pipeline to only fetch data from
websites, API responses, and other services which use encrypted
channels such as SSH or HTTPS for data transmission.
+**Control applies to:**
+- Maturity Level 1
+- Maturity Level 2
+- Maturity Level 3
#### External Framework Mappings
- - **[BPB]**: B-B-11
-
- - **[CRA]**: 1.2d, 1.2e, 1.2f, 1.2i, 1.2j, 1.2k
-
- - **[SSDF]**: PO3.2, PS1
-
- - **[OCRE]**: 483-813, 124-564, 263-184
+
+ - **[BPB]**: {B-B-11 0 }
+ - **[CRA]**: {1.2d 0 }, {1.2e 0 }, {1.2f 0 }, {1.2i 0 }, {1.2j 0 }, {1.2k 0 }
+ - **[SSDF]**: {PO.3.2 0 }, {PO.5.2 0 }, {PS.1 0 }, {PS.2 0 }
+ - **[OpenCRE]**: {483-813 0 }, {124-564 0 }, {263-184 0 }
+ - **[SLSA]**: {Choose an appropriate build platform 0 }
+ - **PSSCRM**: {E1.1 0 }, {E2.2 0 }, {E2.4 0 }, {E2.5 0 }
+ - **[PCIDSS]**: {2.2.1 0 }, {2.2.7 0 }, {4.2.1 0 }, {4.2.2 0 }, {6.4.1 0 }, {8.3.2 0 }
+ - **UKSSCOP**: {3.1 0 }
+ - **[800-161]**: {AC-4 0 }, {AC-4(21) 0 }
---
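Review bot: the rewritten mapping entries here (and in every mappings block further down) render as `{B-B-11 0 }`, with braces and a trailing ` 0 `, which looks like unconsumed template placeholder output rather than finished mapping text; compare the removed line `- **[BPB]**: B-B-11`. If the generator is meant to turn these into links or tooltips, the braces and the count should be resolved before the Markdown is committed. Two smaller points in the same block: `PSSCRM` and `UKSSCOP` are the only frameworks without the `[...]` reference-link brackets the others carry, and the renamed or new references `[OpenCRE]`, `[SLSA]`, `[PCIDSS]` and `[800-161]` need matching link definitions at the bottom of the document, otherwise they render as literal bracketed text.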
@@ -644,6 +702,7 @@
such as &#34;## Changelog&#34;.
+**Control applies to:**
- Maturity Level 2
- Maturity Level 3
@@ -652,13 +711,16 @@
#### External Framework Mappings
- - **[BPB]**: CC-B-8, CC-B-9
-
- - **[CRA]**: 1.2l, 2.2
-
- - **[SSDF]**: PS1, PS2, PS3, PW1.2
-
- - **[OCRE]**: 486-813, 124-564, 745-356
+
+ - **[BPB]**: {CC-B-8 0 }, {CC-B-9 0 }, {Q-B-7 0 }, {A-B-1 0 }, {A-S-1 0 }
+ - **[CRA]**: {1.2d 0 }, {1.2f 0 }, {1.2h 0 }, {1.2j 0 }, {1.2l 0 }, {2.5 0 }
+ - **[SSDF]**: {PS.1 0 }, {PS.2 0 }, {PS.3 0 }, {PW.1.2 0 }
+ - **[OpenCRE]**: {483-813 0 }, {068-486 0 }, {124-564 0 }, {757-271 0 }, {347-352 0 }, {263-184 0 }, {208-355 0 }, {745-356 0 }, {732-148 0 }
+ - **[SLSA]**: {Choose an appropriate build platform 0 }, {Follow a consistent build process 0 }, {Build platform - Isolation strength - isolated 0 }
+ - **PSSCRM**: {G1.4 0 }, {E2.1 0 }, {E2.4 0 }, {E2.5 0 }, {E3.1 0 }, {E3.6 0 }
+ - **[PCIDSS]**: {6.2.1 0 }, {6.4.1 0 }, {6.5.1 0 }, {6.5.2 0 }, {10.2.2 0 }
+ - **UKSSCOP**: {3.1 0 }, {3.5 0 }
+ - **[800-161]**: {AU-2 0 }, {AU-6 0 }, {AU-10 0 }, {CM-5 0 }, {CM-6 0 }, {MA-1 0 }, {MA-8 0 }, {SI-4 0 }, {SI-5 0 }
---
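Review bot: the OpenCRE ID for this control changes from `486-813` on the removed line to `483-813` on the added line with no other change to the mapping's intent; the OSPS-QA-01 mappings later in this diff keep `486-813`, and OSPS-BR-03 above already used `483-813` before this change. Both IDs now appear on the page, so confirm which is the correct OpenCRE entry here rather than a transposed digit.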
@@ -683,6 +745,7 @@
system.
+**Control applies to:**
- Maturity Level 2
- Maturity Level 3
@@ -691,18 +754,22 @@
#### External Framework Mappings
- - **[BPB]**: Q-B-2
-
- - **[CRA]**: 1.2b, 1.2d, 1.2f, 1.2h, 1.2j, 2.1
-
- - **[SSDF]**: PO3.2, PS1
-
- - **[OCRE]**: 486-813, 124-564, 347-352, 715-334
+
+ - **[BPB]**: {Q-B-2 0 }
+ - **[CRA]**: {1.2b 0 }, {1.2d 0 }, {1.2f 0 }, {1.2h 0 }, {1.2j 0 }, {2.1 0 }, {2.2 0 }, {2.3 0 }
+ - **[SSDF]**: {PO.3.2 0 }, {PS.1 0 }, {PS.2 0 }
+ - **[OpenCRE]**: {486-813 0 }, {124-564 0 }, {347-352 0 }, {715-334 0 }
+ - **[SLSA]**: {Isolation strength - isolated 0 }
+ - **PSSCRM**: {P3.1 0 }, {P3.5 0 }, {E2.2 0 }, {E2.3 0 }, {E2.4 0 }, {E2.5 0 }
+ - **[SAMM]**: {Implementation -Secure Build -Build Process Lvl2 0 }
+ - **[PCIDSS]**: {6.4.3 0 }
+ - **UKSSCOP**: {1.1 0 }, {1.2 0 }
+ - **[800-161]**: {AC-4 0 }, {CM-2 0 }, {CM-7(4) 0 }, {CM-7(5) 0 }, {RA-5 0 }, {SA-15 0 }, {SR-3 0 }
---
-### OSPS-BR-06 - Produce all [released software assets] with signatures and hashes
+### OSPS-BR-06 - Produce all [released software assets] with signatures and hashes.
All released software assets MUST be signed or accounted for in a
signed manifest including each asset&#39;s cryptographic hashes.
@@ -720,6 +787,7 @@
hashes of each asset in a signed manifest or metadata file.
+**Control applies to:**
- Maturity Level 2
- Maturity Level 3
@@ -728,7 +796,57 @@
#### External Framework Mappings
- - **[SSDF]**: PO5.2, PS2.1, PW6.2
+
+ - **[SSDF]**: {PO.5.2 0 }, {PS.2 0 }, {PS.2.1 0 }, {PW.6.2 0 }
+ - **Scorecard**: {Signed-Releases 0 }
+ - **[SLSA]**: {Distribute provenance - Exists 0 }
+ - **PSSCRM**: {P1.2 0 }, {P3.2 0 }, {P3.3 0 }, {E2.1 0 }, {E2.2 0 }, {E2.6 0 }
+ - **[SAMM]**: {Implementation -Secure Deployment -Deployment Process Lvl3 0 }
+ - **[PCIDSS]**: {2.2.1 0 }, {2.2.7 0 }, {3.5.1 0 }, {4.2.1 0 }, {4.2.2 0 }, {6.4.1 0 }, {8.3.2 0 }
+ - **UKSSCOP**: {3.1 0 }
+ - **[800-161]**: {AU-10 0 }, {MP-1 0 }, {SA-15 0 }, {SI-7 0 }, {SI-7(14) 0 }
+
+
+---
+
+### OSPS-BR-07 - The [project] MUST store and manage all secrets and credentials used by the [project] in a secure manner.
+
+Ensure that sensitive data is not disclosed, compromised or misused leading to security vulnerabilities or supply chain compromise.
+
+
+
+
+#### OSPS-BR-07.01
+
+**Requirement:** The [project] MUST prevent the unintentional storage of unencrypted [sensitive data], such as secrets and credentials, in the [version control system].
+
+**Recommendation:** Configure .gitignore or equivalent to exclude files that may contain sensitive information. Use pre-commit hooks and automated scanning tools to detect and prevent the inclusion of sensitive data in commits.
+
+
+**Control applies to:**
+- Maturity Level 1
+
+
+
+
+#### OSPS-BR-07.02
+
+**Requirement:** The [project] MUST define a policy for managing secrets and credentials used by the [project]. The policy should include guidelines for storing, accessing, and rotating secrets and credentials.
+
+**Recommendation:** Document how secrets and credentials are managed and used within the project. This should include details on how secrets are stored (e.g., using a secrets management tool), how access is controlled, and how secrets are rotated or updated. Ensure that sensitive information is not hard-coded in the source code or stored in version control systems.
+
+
+**Control applies to:**
+- Maturity Level 3
+
+
+
+
+#### External Framework Mappings
+
+
+ - **[BPB]**: {S-B-5 0 }
+ - **[SSDF]**: {PO.1.1 0 }, {P0.3.1 0 }, {P0.4.2 0 }, {PO.5.1 0 }, {PW.1.2 0 }, {PW.1.3 0 }, {PW.5.1 0 }
---
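Review bot: two defects in the new OSPS-BR-07 block. First, the SSDF line `- **[SSDF]**: {PO.1.1 0 }, {P0.3.1 0 }, {P0.4.2 0 }, ...` spells two IDs with a zero (`P0.3.1`, `P0.4.2`) instead of the letter O used everywhere else on the page (`PO.3.2`, `PO.5.2`). Second, OSPS-BR-07.01 lists only `- Maturity Level 1` under **Control applies to:**, whereas every other Level 1 control on the page also lists Levels 2 and 3 (this very diff fixes OSPS-GV-03.01 the same way), so Levels 2 and 3 look to be missing and the Level 1 secrets-in-VCS requirement would silently not apply at higher maturity. Minor: the block carries runs of three or four blank lines between sections that the rest of the generated output collapses to one.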
@@ -740,12 +858,13 @@
of the project. These controls help ensure that
the project&#39;s documentation is comprehensive,
accurate, and up-to-date, enabling users to
-understand the project&#39;s features and functionality.
+understand the project&#39;s features and functionality, maintenance, support,
+security and release practices.
-### OSPS-DO-01 - The [project documentation] MUST provide user guides for all basic functionality.
+### OSPS-DO-01 - The [project] documentation MUST provide [user] guides for all basic functionality.
Ensure that users have a clear and comprehensive understanding of the
project&#39;s current features in order to prevent damage from misuse or
@@ -756,7 +875,7 @@
#### OSPS-DO-01.01
-**Requirement:** When the project has made a [release], the [project documentation] MUST include user guides for all basic functionality.
+**Requirement:** When the [project] has made a [release], the [project] documentation MUST include [user] guides for all basic functionality.
**Recommendation:** Create user guides or documentation for all basic functionality of the
project, explaining how to install, configure, and use the project&#39;s
@@ -764,6 +883,7 @@
available, include highly-visible warnings.
+**Control applies to:**
- Maturity Level 1
- Maturity Level 2
- Maturity Level 3
@@ -773,22 +893,22 @@
#### External Framework Mappings
- - **[BPB]**: B-B-1, B-B-9, B-S-7, B-S-9
-
- - **[CRA]**: 1.2b, 1.2j, 1.2k
-
- - **[SSDF]**: PW1.2
-
- - **[CSF]**: GV.OC-04, GV.OC-05
-
- - **[OC]**: 4.1.4
-
- - **[OCRE]**: 036-275
+
+ - **[BPB]**: {B-B-1 0 }, {B-B-9 0 }, {B-S-7 0 }, {B-S-9 0 }
+ - **[CRA]**: {1.2b 0 }, {1.2j 0 }, {1.2k 0 }
+ - **[SSDF]**: {PW.1.2 0 }
+ - **[CSF]**: {GV.OC-04 0 }, {GV.OC-05 0 }
+ - **ISO-[18974]**: {4.1.4 0 }
+ - **[OpenCRE]**: {036-275 0 }
+ - **PSSCRM**: {G5.1 0 }, {E3.5 0 }
+ - **[PCIDSS]**: {2.1.1 0 }, {2.2.1 0 }, {3.1.1 0 }, {4.1.1 0 }, {5.1.1 0 }, {6.1.1 0 }, {6.2.1 0 }, {7.1.1 0 }, {8.1.1 0 }, {11.1.1 0 }, {12.10.5 0 }
+ - **UKSSCOP**: {4.1 0 }
+ - **[800-161]**: {CM-2 0 }, {PL-2 0 }, {PL-8 0 }, {SA-15 0 }
---
-### OSPS-DO-02 - The project MUST provide a mechanism for reporting [defects].
+### OSPS-DO-02 - The [project] MUST provide a mechanism for reporting [defects].
Enable users and contributors to report defects or issues with the
released software assets, facilitating communication and collaboration on
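Review bot: `ISO-[18974]` brackets only the number, so the rendered link text is `18974` with a literal `ISO-` prefix, unlike the other frameworks, which link the whole label (`[PCIDSS]`, `[800-161]`). Consider `[ISO-18974]` with a matching link definition; the same applies to every `ISO-[18974]` line introduced below.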
@@ -799,7 +919,7 @@
#### OSPS-DO-02.01
-**Requirement:** When the project has made a [release], the [project documentation] MUST include a guide for reporting [defects].
+**Requirement:** When the [project] has made a [release], the [project] documentation MUST include a guide for reporting [defects].
**Recommendation:** It is recommended that projects use their VCS default issue tracker.
If an external source is used, ensure that the project documentation
@@ -808,6 +928,7 @@
sets expectations for how defects will be triaged and resolved.
+**Control applies to:**
- Maturity Level 1
- Maturity Level 2
- Maturity Level 3
@@ -817,20 +938,21 @@
#### External Framework Mappings
- - **[BPB]**: B-B-3, R-B-1&#43;, R-B-1, R-B-2, R-S-2
-
- - **[CRA]**: 1.2c, 1.2l, 2.1, 2.2, 2.5, 2.6
-
- - **[SSDF]**: PW1.2, RV1.1, RV2.1, RV1.2
-
- - **[CSF]**: RS.MA-02, GV.RM-05
-
- - **[OC]**: 4.2.1
+
+ - **[BPB]**: {B-B-3 0 }, {R-B-1&#43; 0 }, {R-B-1 0 }, {R-B-2 0 }, {R-S-2 0 }
+ - **[CRA]**: {1.2c 0 }, {1.2l 0 }, {2.1 0 }, {2.2 0 }, {2.5 0 }, {2.6 0 }
+ - **[SSDF]**: {PW.1.2 0 }, {RV.1.1 0 }, {RV.2.1 0 }, {RV.1.2 0 }
+ - **[CSF]**: {RS.MA-02 0 }, {GV.RM-05 0 }
+ - **ISO-[18974]**: {4.2.1 0 }
+ - **[SAMM]**: {Implementation -Defect Management -Defect Tracking Lvl1 0 }, {Implementation -Defect Management -Defect Tracking Lvl2 0 }
+ - **[PCIDSS]**: {6.3.2 0 }, {6.3.3 0 }, {6.5.1 0 }, {6.5.2 0 }, {12.10.2 0 }
+ - **UKSSCOP**: {1.1 0 }, {1.3 0 }
+ - **[800-161]**: {IR-6 0 }, {SI-4 0 }, {SI-5 0 }
---
-### OSPS-DO-03 - The [project documentation] MUST contain instructions to verify the integrity and authenticity of the [release] assets, including the expected identity of the person or process authoring the software [release].
+### OSPS-DO-03 - The [project] documentation MUST contain instructions to verify the integrity and authenticity of the [release] assets, including the expected identity of the [person] or process authoring the software [release].
Enable users to verify the authenticity and integrity of the project&#39;s
released software assets, reducing the risk of using tampered or
@@ -841,7 +963,7 @@
#### OSPS-DO-03.01
-**Requirement:** When the project has made a [release], the [project documentation] MUST contain instructions to verify the integrity and authenticity of the [release] assets.
+**Requirement:** When the [project] has made a [release], the [project] documentation MUST contain instructions to verify the integrity and authenticity of the [release] assets.
**Recommendation:** Instructions in the project should contain information about the
technology used, the commands to run, and the expected output.
@@ -851,6 +973,7 @@
integrity of the software.
+**Control applies to:**
- Maturity Level 3
@@ -858,7 +981,7 @@
#### OSPS-DO-03.02
-**Requirement:** When the project has made a [release], the [project documentation] MUST contain instructions to verify the expected identity of the person or process authoring the software [release].
+**Requirement:** When the [project] has made a [release], the [project] documentation MUST contain instructions to verify the expected identity of the [person] or process authoring the software [release].
**Recommendation:** The expected identity may be in the form of key IDs used to sign,
issuer and identity from a sigstore certificate, or other similar
@@ -869,24 +992,28 @@
integrity of the software.
+**Control applies to:**
+- Maturity Level 3
#### External Framework Mappings
- - **[BPB]**: CC-B-8
-
- - **[CRA]**: 1.2d
-
- - **[SSDF]**: PO4.2, PS.2, PS2.1, PS3.1, RV1.3
-
- - **[OCRE]**: 171-222
+
+ - **[BPB]**: {CC-B-8 0 }
+ - **[CRA]**: {1.2d 0 }
+ - **[SSDF]**: {PO.4.2 0 }, {PS.2 0 }, {PS.2.1 0 }, {PS.3.1 0 }, {RV.1.3 0 }
+ - **[OpenCRE]**: {171-222 0 }
+ - **PSSCRM**: {G1.3 0 }, {G2.5 0 }, {P1.2 0 }, {P3.1 0 }, {P3.2 0 }, {P3.3 0 }, {E2.6 0 }
+ - **[PCIDSS]**: {3.1.1 0 }, {3.5.1 0 }, {4.1.1 0 }, {5.1.1 0 }, {6.1.1 0 }, {6.2.1 0 }, {7.1.1 0 }, {8.1.1 0 }, {11.1.1 0 }
+ - **UKSSCOP**: {3.1 0 }
+ - **[800-161]**: {CM-2 0 }, {IR-1 0 }, {MP-1 0 }, {SA-15 0 }, {SI-7 0 }, {SI-7(14) 0 }
---
-### OSPS-DO-04 - The [project documentation] MUST include a descriptive statement about the scope and duration of support.
+### OSPS-DO-04 - The [project] documentation MUST include a descriptive statement about the scope and duration of support.
Provide users with clear expectations regarding the project&#39;s support
lifecycle. This allows downstream consumers to take relevant actions to
@@ -897,13 +1024,18 @@
#### OSPS-DO-04.01
-**Requirement:** When the project has made a [release], the [project documentation] MUST include a descriptive statement about the scope and duration of support for each [release].
+**Requirement:** When the [project] has made a [release], the [project] documentation MUST include a descriptive statement about the scope and duration of support for each [release].
**Recommendation:** In order to communicate the scope and duration of support for the
project&#39;s released software assets, the project should have a
-SUPPORT.md or an OpenEoX file in a well known location.
+SUPPORT.md file, a &#34;Support&#34; section in SECURITY.md, or
+other documentation explaining the support lifecycle,
+including the expected duration of support for each release, the
+types of support provided (e.g., bug fixes, security updates), and
+any relevant policies or procedures for obtaining support.
+**Control applies to:**
- Maturity Level 3
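Review bot: the rewritten recommendation drops the OpenEoX option that the removed line offered (`SUPPORT.md or an OpenEoX file in a well known location`), leaving only prose documentation. If the intent is to stop recommending a machine-readable end-of-life format, the commit should say so; otherwise keep OpenEoX in the list of acceptable locations alongside SUPPORT.md and the SECURITY.md "Support" section.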
@@ -911,16 +1043,20 @@
#### External Framework Mappings
- - **[BPB]**: R-B-3
-
- - **[SSDF]**: PO4.2, PS3.1, RV1.3
-
- - **[OC]**: 4.1, 4.3.1
+
+ - **[BPB]**: {R-B-3 0 }
+ - **[SSDF]**: {PO.4.2 0 }, {PS.3.1 0 }, {RV.1.3 0 }
+ - **ISO-[18974]**: {4.1 0 }, {4.3.1 0 }
+ - **PSSCRM**: {E1.6 0 }
+ - **[SAMM]**: {Operations -Operational Management -System Decommissioning -Legacy Management Lvl1 0 }
+ - **[PCIDSS]**: {2.1.1 0 }, {3.1.1 0 }, {3.2.1 0 }, {4.1.1 0 }, {5.1.1 0 }, {6.1.1 0 }, {6.3.3 0 }, {7.1.1 0 }, {8.1.1 0 }, {11.1.1 0 }
+ - **UKSSCOP**: {4.1 0 }, {4.2 0 }
+ - **[800-161]**: {PL-1 0 }, {PL-2 0 }, {SI-4 0 }
---
-### OSPS-DO-05 - The [project documentation] MUST provide a descriptive statement when [releases] or versions will no longer receive security updates.
+### OSPS-DO-05 - The [project] documentation MUST provide a descriptive statement when [releases] or versions will no longer receive security updates.
Communicating when the project maintainers will no longer fix defects or
security vulnerabilities is crucial for downstream consumers to find
@@ -931,13 +1067,14 @@
#### OSPS-DO-05.01
-**Requirement:** When the project has made a [release], the [project documentation] MUST provide a descriptive statement when [releases] or versions will no longer receive security updates.
+**Requirement:** When the [project] has made a [release], the [project] documentation MUST provide a descriptive statement when [releases] or versions will no longer receive security updates.
-**Recommendation:** While a machine-readable OpenEoX file is recommended, this may also be
-communicated in a SUPPORT.md or beneath a Support header in the
-primary README.md.
+**Recommendation:** In order to communicate the scope and duration of support for security
+fixes, the project should have a SUPPORT.md or other documentation
+explaining the project&#39;s policy for security updates.
+**Control applies to:**
- Maturity Level 3
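Review bot: the new OSPS-DO-05.01 recommendation opens with `In order to communicate the scope and duration of support for security fixes`, which nearly duplicates the OSPS-DO-04.01 recommendation rewritten just above, and it likewise removes the machine-readable OpenEoX option from the removed lines. This control is about announcing when a release or version stops receiving security updates, so the recommendation should name what to document (the end-of-security-support date per release line and where it is published) rather than restate DO-04.01's wording.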
@@ -945,16 +1082,20 @@
#### External Framework Mappings
- - **[CRA]**: 1.2c, 2.6
-
- - **[OC]**: 4.1.1, 4.3.1
-
- - **[OCRE]**: 673-475, 053-751
+
+ - **[CRA]**: {1.2c 0 }, {2.6 0 }
+ - **ISO-[18974]**: {4.1.1 0 }, {4.3.1 0 }
+ - **[OpenCRE]**: {673-475 0 }, {053-751 0 }
+ - **PSSCRM**: {E1.6 0 }
+ - **[SAMM]**: {Operations -Operational Management -System Decommissioning -Legacy Management Lvl1 0 }, {Operations -Operational Management -System Decommissioning -Legacy Management Lvl2 0 }
+ - **[PCIDSS]**: {3.1.1 0 }, {3.2.1 0 }, {4.1.1 0 }, {5.1.1 0 }, {6.1.1 0 }, {6.3.2 0 }, {7.1.1 0 }, {8.1.1 0 }, {11.1.1 0 }
+ - **UKSSCOP**: {3.5 0 }, {4.1 0 }
+ - **[800-161]**: {PL-1 0 }, {PL-2 0 }, {SI-4 0 }, {SI-5 0 }
---
-### OSPS-DO-06 - The [project documentation] MUST include a description of how the project selects, obtains, and tracks its dependencies.
+### OSPS-DO-06 - The [project] documentation MUST include a description of how the [project] selects, obtains, and tracks its dependencies.
Provide information about how the project selects, obtains, and tracks
dependencies, libraries, frameworks, etc. to help downstream consumers
@@ -966,12 +1107,14 @@
#### OSPS-DO-06.01
-**Requirement:** When the project has made a [release], the [project documentation] MUST include a description of how the project selects, obtains, and tracks its dependencies.
+**Requirement:** When the [project] has made a [release], the [project] documentation MUST include a description of how the [project] selects, obtains, and tracks its dependencies.
**Recommendation:** It is recommended to publish this information alongside the project&#39;s
technical &amp; design documentation on a publicly viewable resource such
as the source code repository, project website, or other channel.
+
+**Control applies to:**
- Maturity Level 2
- Maturity Level 3
@@ -980,11 +1123,16 @@
#### External Framework Mappings
- - **[BPB]**: A-S-1
-
- - **[CRA]**: 2.1
-
- - **[OCRE]**: 613-286, 053-751
+
+ - **[BPB]**: {A-S-1 0 }
+ - **[CRA]**: {2.1 0 }
+ - **[OpenCRE]**: {613-286 0 }, {053-751 0 }
+ - **Scorecard**: {Pinned-Dependencies 0 }
+ - **PSSCRM**: {G1.4 0 }, {G2.4 0 }, {P3.1 0 }, {P3.2 0 }, {P3.4 0 }
+ - **[SAMM]**: {Design -Security Requirements -Supplier Security Lvl2 0 }
+ - **[PCIDSS]**: {2.1.1 0 }, {3.1.1 0 }, {4.1.1 0 }, {5.1.1 0 }, {6.1.1 0 }, {6.3.2 0 }, {6.4.3 0 }, {7.1.1 0 }, {8.1.1 0 }, {11.1.1 0 }, {12.5.2 0 }
+ - **UKSSCOP**: {1.2 0 }, {3.3 0 }
+ - **[800-161]**: {CA-7 0 }, {CM-7(5) 0 }, {CM-8 0 }, {PM-30 0 }, {RA-3(1) 0 }, {SA-11 0 }, {SI-4 0 }, {SR-3 0 }, {SR-5 0 }, {SR-6 0 }, {SR-7 0 }
---
@@ -1000,7 +1148,7 @@
-### OSPS-GV-01 - The [project documentation] MUST include the roles and responsibilities for members of the project.
+### OSPS-GV-01 - The [project] documentation MUST include the roles and responsibilities for members of the [project].
Documenting project roles and responsibilities helps project participants,
potential contributors, and downstream consumers have an accurate
@@ -1012,7 +1160,7 @@
#### OSPS-GV-01.01
-**Requirement:** While active, the [project documentation] MUST include a list of project members with access to sensitive resources.
+**Requirement:** While active, the [project] documentation MUST include a list of [project] members with access to [sensitive resources].
**Recommendation:** Document project participants and their roles through such artifacts
as members.md, governance.md, maintainers.md, or similar file within
@@ -1021,6 +1169,7 @@
of maintainers, or more complex depending on the project&#39;s governance.
+**Control applies to:**
- Maturity Level 2
- Maturity Level 3
@@ -1029,13 +1178,14 @@
#### OSPS-GV-01.02
-**Requirement:** While active, the [project documentation] MUST include descriptions of the roles and responsibilities for members of the project.
+**Requirement:** While active, the [project] documentation MUST include descriptions of the roles and responsibilities for members of the [project].
**Recommendation:** Document project participants and their roles through such artifacts
as members.md, governance.md, maintainers.md, or similar file within
the source code repository of the project.
+**Control applies to:**
- Maturity Level 2
- Maturity Level 3
@@ -1044,14 +1194,17 @@
#### External Framework Mappings
- - **[BPB]**: B-S-3, B-S-4
-
- - **[OCRE]**: 013-021
+
+ - **[BPB]**: {B-S-3 0 }, {B-S-4 0 }
+ - **[OpenCRE]**: {013-021 0 }
+ - **PSSCRM**: {G2.3 0 }, {E3.1 0 }, {E3.3 0 }
+ - **[PCIDSS]**: {2.1.2 0 }, {3.1.1 0 }, {3.1.2 0 }, {4.1.1 0 }, {4.1.2 0 }, {5.1.1 0 }, {5.1.2 0 }, {6.1.1 0 }, {6.1.2 0 }, {6.5.4 0 }, {7.1.1 0 }, {7.1.2 0 }, {8.1.1 0 }, {8.1.2 0 }, {11.1.1 0 }, {11.1.2 0 }, {12.1.3 0 }, {12.5.2 0 }
+ - **[800-161]**: {AC-2 0 }, {AC-3 0 }, {IA-2 0 }, {PL-1 0 }, {PL-4 0 }, {PM-30 0 }
---
-### OSPS-GV-02 - The project MUST have one or more mechanisms for public discussions about proposed [changes] and usage obstacles.
+### OSPS-GV-02 - The [project] MUST have one or more mechanisms for public discussions about proposed [changes] and usage obstacles.
Encourages open communication and collaboration within the project
community, enabling users to provide feedback and discuss proposed changes
@@ -1062,13 +1215,14 @@
#### OSPS-GV-02.01
-**Requirement:** While active, the project MUST have one or more mechanisms for public discussions about proposed [changes] and usage obstacles.
+**Requirement:** While active, the [project] MUST have one or more mechanisms for public discussions about proposed [changes] and usage obstacles.
**Recommendation:** Establish one or more mechanisms for public discussions within the
project, such as mailing lists, instant messaging, or issue trackers,
to facilitate open communication and feedback.
+**Control applies to:**
- Maturity Level 1
- Maturity Level 2
- Maturity Level 3
@@ -1078,16 +1232,17 @@
#### External Framework Mappings
- - **[BPB]**: B-B-3, B-B-12
-
- - **[CRA]**: 1.2l, 2.3, 2.4, 2.6
-
- - **[SSDF]**: PS3, PW1.2
+
+ - **[BPB]**: {B-B-3 0 }, {B-B-12 0 }
+ - **[CRA]**: {1.2l 0 }, {2.3 0 }, {2.4 0 }, {2.6 0 }
+ - **[SSDF]**: {PS.3 0 }, {PW.1.2 0 }
+ - **[PCIDSS]**: {12.5.2 0 }
+ - **[800-161]**: {AC-21 0 }, {AU-6 0 }, {PL-1 0 }
---
-### OSPS-GV-03 - The [project documentation] MUST include an explanation of the contribution process.
+### OSPS-GV-03 - The [project] documentation MUST include an explanation of the contribution process.
Provide guidance to new contributors on how to participate in the project,
outlining the steps required to submit changes or enhancements to the
@@ -1098,21 +1253,24 @@
#### OSPS-GV-03.01
-**Requirement:** While active, the [project documentation] MUST include an explanation of the contribution process.
+**Requirement:** While active, the [project] documentation MUST include an explanation of the contribution process.
**Recommendation:** Create a CONTRIBUTING.md or CONTRIBUTING/ directory to outline the
contribution process including the steps for submitting changes, and
engaging with the project maintainers.
+**Control applies to:**
- Maturity Level 1
+- Maturity Level 2
+- Maturity Level 3
#### OSPS-GV-03.02
-**Requirement:** While active, the [project documentation] MUST include a guide for code [contributors] that includes requirements for acceptable contributions.
+**Requirement:** While active, the [project] documentation MUST include a guide for [code] [contributors] that includes requirements for acceptable contributions.
**Recommendation:** Extend the CONTRIBUTING.md or CONTRIBUTING/ contents in the project
documentation to outline the requirements for acceptable
@@ -1121,6 +1279,7 @@
this guide is the source of truth for both contributors and approvers.
+**Control applies to:**
- Maturity Level 2
- Maturity Level 3
@@ -1129,18 +1288,19 @@
#### External Framework Mappings
- - **[BPB]**: B-B-4, B-S-3, B-B-4&#43;, R-B-1, Q-G-2
-
- - **[CRA]**: 1.2l, 2.4, 2.1, 2.2, 2.5, 2.6
-
- - **[SSDF]**: PW1.2
-
- - **[OC]**: 4.1.2
+
+ - **[BPB]**: {B-B-4 0 }, {B-S-3 0 }, {B-B-4&#43; 0 }, {R-B-1 0 }, {Q-G-2 0 }
+ - **[CRA]**: {1.2l 0 }, {2.4 0 }
+ - **[SSDF]**: {PW.1.2 0 }
+ - **ISO-[18974]**: {4.1.2 0 }
+ - **PSSCRM**: {G2.4 0 }, {P2.2 0 }
+ - **[PCIDSS]**: {2.1.1 0 }, {6.5.4 0 }, {8.2.1 0 }, {12.5.2 0 }
+ - **[800-161]**: {AC-3 0 }, {AC-20 0 }, {PL-1 0 }
---
-### OSPS-GV-04 - The [project documentation] MUST have a policy that code [contributors] are reviewed prior to granting escalated permissions to sensitive resources.
+### OSPS-GV-04 - The [project] documentation MUST have a policy that [code] [contributors] are reviewed prior to granting escalated permissions to sensitive resources.
Ensure that code contributors are vetted and reviewed before being granted
elevated permissions to sensitive resources within the project, reducing
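Review bot: the CRA mapping for OSPS-GV-03 shrinks from `1.2l, 2.4, 2.1, 2.2, 2.5, 2.6` to `{1.2l 0 }, {2.4 0 }`, while the next hunk adds `1.2l, 2.1, 2.2, 2.5, 2.6` together with BPB `B-S-3`, `B-B-4+`, `Q-G-2` under OSPS-GV-04. That reads as mappings relocated from GV-03 (contribution process) to GV-04 (contributor vetting); confirm this is intended, since the CRA 2.x items were previously tied to the contribution guide and the commit does not mention a move.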
@@ -1151,15 +1311,16 @@
#### OSPS-GV-04.01
-**Requirement:** While active, the [project documentation] MUST have a policy that code [contributors] are reviewed prior to granting escalated permissions to sensitive resources.
+**Requirement:** While active, the [project] documentation MUST have a policy that [code] [collaborators] are reviewed prior to granting escalated permissions to [sensitive resources].
**Recommendation:** Publish an enforceable policy in the project documentation that
-requires code contributors to be reviewed and approved before being
+requires code collaborators to be reviewed and approved before being
granted escalated permissions to sensitive resources, such as merge
approval or access to secrets. It is recommended that vetting includes
establishing a justifiable lineage of identity such as confirming the
contributor&#39;s association with a known trusted organization.
+**Control applies to:**
- Maturity Level 3
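Review bot: the requirement and recommendation now say `[collaborators]` and `code collaborators`, but the OSPS-GV-04 heading just above still reads `[code] [contributors]`, so the control title and its requirement disagree on who is vetted. Update the heading to match, and check that `[collaborators]` has a glossary link definition, since it is a new bracketed term on this page.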
@@ -1167,13 +1328,16 @@
#### External Framework Mappings
- - **[CRA]**: 1.2d
-
- - **[SSDF]**: PO2, PO3.2
-
- - **[CSF]**: PR.AA-02, PR.AA-05
-
- - **[OCRE]**: 123-124, 152-725
+
+ - **[BPB]**: {B-B-5 0 }, {B-S-3 0 }, {B-B-4&#43; 0 }, {Q-G-2 0 }
+ - **[CRA]**: {1.2d 0 }, {1.2l 0 }, {2.1 0 }, {2.2 0 }, {2.5 0 }, {2.6 0 }
+ - **[SSDF]**: {PO.2 0 }, {PO.3.2 0 }
+ - **[CSF]**: {PR.AA-02 0 }, {PR.AA-05 0 }
+ - **[OpenCRE]**: {123-124 0 }, {152-725 0 }
+ - **ISO-[18974]**: {4.1.2 0 }
+ - **PSSCRM**: {E3.1 0 }, {E3.3 0 }
+ - **[PCIDSS]**: {2.1.1 0 }, {6.5.4 0 }, {8.2.1 0 }, {8.2.2 0 }
+ - **[800-161]**: {AC-2 0 }, {AC-3 0 }, {AC-4(21) 0 }, {AC-5 0 }, {AC-6 0 }, {AC-20 0 }, {CM-7 0 }, {IR-4(6) 0 }, {PM-30 0 }, {SI-4 0 }
---
@@ -1192,7 +1356,7 @@
-### OSPS-LE-01 - The [version control system] MUST require all code [contributors] to assert that they are legally authorized to make the associated contributions on every [commit].
+### OSPS-LE-01 - The [version control system] MUST require all [code] [contributors] to assert that they are legally authorized to make the associated contributions on every [commit].
Ensure that code contributors are aware of and acknowledge their legal
responsibility for the contributions they make to the project, reducing
@@ -1203,16 +1367,21 @@
#### OSPS-LE-01.01
-**Requirement:** While active, the [version control system] MUST require all code [contributors] to assert that they are legally authorized to make the associated contributions on every [commit].
+**Requirement:** While active, the [version control system] MUST require all [code] [contributors] to assert that they are legally authorized to make the associated contributions on every [commit].
-**Recommendation:** Include a DCO or CLA in the project&#39;s repository, requiring code
+**Recommendation:** Include a DCO in the project&#39;s repository, requiring code
contributors to assert that they are legally authorized to commit the
associated contributions on every commit. Use a status check to ensure
-the assertion is made.
+the assertion is made. A CLA also satisfies this requirement.
Some version control systems, such as GitHub, may include this in the
platform terms of service.
+It is understood that projects with a lengthy history prior to
+adopting OSPS Baseline may not be able to retroactively enforce this
+requirement.
+
+**Control applies to:**
- Maturity Level 2
- Maturity Level 3
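Review bot: the added paragraph (`It is understood that projects with a lengthy history prior to adopting OSPS Baseline may not be able to retroactively enforce this requirement.`) softens the control without changing the requirement, which still reads `on every [commit]`; an assessor reading the requirement alone will treat historical commits as in scope. Either scope the requirement to commits made after the control is adopted, or state plainly in the recommendation that enforcement from adoption forward satisfies it. Also, with CLA moved to `A CLA also satisfies this requirement.`, the preceding sentence `Use a status check to ensure the assertion is made` now reads as DCO-only; make it clear the status check applies to either mechanism.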
@@ -1221,16 +1390,18 @@
#### External Framework Mappings
- - **[BPB]**: B-S-1
-
- - **[CRA]**: 1.2b, 1.2f
-
- - **[SSDF]**: PO3.2, PS1, PW1.2, PW2.1
+
+ - **[BPB]**: {B-S-1 0 }
+ - **[CRA]**: {1.2b 0 }, {1.2f 0 }
+ - **[SSDF]**: {PO.3.2 0 }, {PS.1 0 }, {PW.1.2 0 }, {PW.2.1 0 }
+ - **PSSCRM**: {E3.1 0 }
+ - **[PCIDSS]**: {12.8.5 0 }
+ - **[800-161]**: {PL-4 0 }
---
-### OSPS-LE-02 - All [licenses] for the project MUST meet the OSI Open Source Definition or the FSF Free Software Definition.
+### OSPS-LE-02 - All [licenses] for the [project] MUST meet the OSI Open Source Definition or the FSF Free Software Definition.
Ensure that the project&#39;s source code is distributed under a recognized
and legally enforceable open source software license, providing clarity on
@@ -1241,7 +1412,7 @@
#### OSPS-LE-02.01
-**Requirement:** While active, the [license] for the source code MUST meet the OSI Open Source Definition or the FSF Free Software Definition.
+**Requirement:** While active, the [license] for the source [code] MUST meet the OSI Open Source Definition or the FSF Free Software Definition.
**Recommendation:** Add a LICENSE file to the project&#39;s repo with a license that is an
approved license by the Open Source Initiative (OSI), or a free
@@ -1252,6 +1423,7 @@
this control if there are no other encumbrances such as patents.
+**Control applies to:**
- Maturity Level 1
- Maturity Level 2
- Maturity Level 3
@@ -1272,6 +1444,7 @@
released software assets may be different than the source code.
+**Control applies to:**
- Maturity Level 1
- Maturity Level 2
- Maturity Level 3
@@ -1281,18 +1454,20 @@
#### External Framework Mappings
- - **[BPB]**: B-B-6, B-B-7
-
- - **[CRA]**: 1.2b
-
- - **[SSDF]**: PO3.2
-
- - **[CSF]**: GV.OC-03
+
+ - **[BPB]**: {B-B-6 0 }, {B-B-7 0 }
+ - **[CRA]**: {1.2b 0 }
+ - **[SSDF]**: {PO.3.2 0 }
+ - **[CSF]**: {GV.OC-03 0 }
+ - **Scorecard**: {License 0 }
+ - **PSSCRM**: {G1.2 0 }
+ - **[PCIDSS]**: {3.2.1 0 }
+ - **[800-161]**: {PL-4 0 }
---
-### OSPS-LE-03 - All [licenses] for the project&#39;s source code MUST be maintained in a standard location within the corresponding [repository].
+### OSPS-LE-03 - All [licenses] for the [project]&#39;s source [code] MUST be maintained in a standard location within the corresponding [repository].
Ensure that the project&#39;s source code and released software assets are
distributed with the appropriate license terms, making it clear to users
@@ -1303,7 +1478,7 @@
#### OSPS-LE-03.01
-**Requirement:** While active, the [license] for the source code MUST be maintained in the corresponding [repository]&#39;s [LICENSE] file, COPYING file, or [LICENSE]/ directory.
+**Requirement:** While active, the [license] for the source [code] MUST be maintained in the corresponding [repository]&#39;s [LICENSE] file, COPYING file, or [LICENSE]/ directory.
**Recommendation:** Include the project&#39;s source code license in the project&#39;s LICENSE
file, COPYING file, or LICENSE/ directory to provide visibility and
@@ -1312,6 +1487,7 @@
includes the license file.
+**Control applies to:**
- Maturity Level 1
- Maturity Level 2
- Maturity Level 3
@@ -1321,7 +1497,7 @@
#### OSPS-LE-03.02
-**Requirement:** While active, the [license] for the [released software assets] MUST be included in the released source code, or in a [LICENSE] file, COPYING file, or [LICENSE]/ directory alongside the corresponding [release] assets.
+**Requirement:** While active, the [license] for the [released software assets] MUST be included in the released source [code], or in a [LICENSE] file, COPYING file, or [LICENSE]/ directory alongside the corresponding [release] assets.
**Recommendation:** Include the project&#39;s released software assets license in the released
source code, or in a LICENSE file, COPYING file, or LICENSE/ directory
@@ -1330,6 +1506,8 @@
If the project has multiple repositories, ensure that each repository
includes the license file.
+
+**Control applies to:**
- Maturity Level 1
- Maturity Level 2
- Maturity Level 3
@@ -1339,11 +1517,14 @@
#### External Framework Mappings
- - **[BPB]**: B-B-6, B-B-7, B-B-8
-
- - **[CRA]**: 1.2b
-
- - **[SSDF]**: PO3.2
+
+ - **[BPB]**: {B-B-8 0 }
+ - **[CRA]**: {1.2b 0 }
+ - **[SSDF]**: {PO.3.2 0 }
+ - **Scorecard**: {License 0 }
+ - **PSSCRM**: {G1.2 0 }
+ - **[PCIDSS]**: {3.2.1 0 }
+ - **[800-161]**: {PL-4 0 }
---
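Review bot: the BPB mapping for OSPS-LE-03 drops `B-B-6` and `B-B-7`, keeping only `{B-B-8 0 }`, while OSPS-LE-02 above keeps `B-B-6`, `B-B-7`. If this is deduplication between the two license controls it is reasonable, but the commit does not say so; confirm B-B-6 and B-B-7 were not meant to stay on LE-03, which covers where the license file lives rather than which license is used.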
@@ -1362,7 +1543,7 @@
-### OSPS-QA-01 - The project&#39;s source code and [change] history MUST be publicly readable at a static URL.
+### OSPS-QA-01 - The [project]&#39;s source [code] and [change] history MUST be publicly readable at a static URL.
Enable users to access and review the project&#39;s source code and history,
promoting transparency and collaboration within the project community.
@@ -1372,7 +1553,7 @@
#### OSPS-QA-01.01
-**Requirement:** While active, the project&#39;s source code [repository] MUST be publicly readable at a static URL.
+**Requirement:** While active, the [project]&#39;s source [code] [repository] MUST be publicly readable at a static URL.
**Recommendation:** Use a common VCS such as GitHub, GitLab, or Bitbucket. Ensure the
repository is publicly readable. Avoid duplication or mirroring of
@@ -1381,6 +1562,7 @@
repository URL. Ensure the repository is public.
+**Control applies to:**
- Maturity Level 1
- Maturity Level 2
- Maturity Level 3
@@ -1397,6 +1579,7 @@
in a way that would obscure the author of any commits.
+**Control applies to:**
- Maturity Level 1
- Maturity Level 2
- Maturity Level 3
@@ -1406,22 +1589,23 @@
#### External Framework Mappings
- - **[BPB]**: CC-B-1, CC-B-2, CC-B-3, R-B-5
-
- - **[CRA]**: 1.2b, 1.2j, 1.2f
-
- - **[SSDF]**: PS1, PS2, PS3, PW1.2, PW2.1
-
- - **[OCRE]**: 486-813, 124-564, 757-271
-
- - **[CSF]**: ID.AM-02, ID.RA-01, ID.RA-08
-
- - **[OC]**: 4.1.4
+
+ - **[BPB]**: {CC-B-1 0 }, {CC-B-2 0 }, {CC-B-3 0 }, {R-B-5 0 }
+ - **[CRA]**: {1.2b 0 }, {1.2f 0 }, {1.2j 0 }
+ - **[SSDF]**: {PS.1 0 }, {PS.2 0 }, {PS.3 0 }, {PW.1.2 0 }, {PW.2.1 0 }
+ - **[OpenCRE]**: {486-813 0 }, {124-564 0 }, {757-271 0 }
+ - **[CSF]**: {ID.AM-02 0 }, {ID.RA-01 0 }, {ID.RA-08 0 }
+ - **ISO-[18974]**: {4.1.4 0 }
+ - **[SLSA]**: {Build platform - isolation strength - Isolated 0 }
+ - **PSSCRM**: {P3.5 0 }, {E2.2 0 }
+ - **[SAMM]**: {Implementation -Secure Build -Build Process Lvl1 0 }
+ - **[PCIDSS]**: {2.1.1 0 }, {6.2.1 0 }, {6.5.1 0 }, {6.5.2 0 }
+ - **[800-161]**: {RA-5 0 }, {SA-11 0 }, {SA-15 0 }
---
-### OSPS-QA-02 - The project MUST provide a list of dependencies used in the software.
+### OSPS-QA-02 - The [project] MUST provide a list of dependencies used in the software.
Provide transparency and accountability for the project&#39;s dependencies
while enabling users and contributors to understand the software&#39;s direct
@@ -1432,13 +1616,14 @@
#### OSPS-QA-02.01
-**Requirement:** When the package management system supports it, the source code [repository] MUST contain a dependency list that accounts for the direct language dependencies.
+**Requirement:** When the package management system supports it, the source [code] [repository] MUST contain a dependency list that accounts for the direct language dependencies.
-**Recommendation:** This may take the form a package manager or language dependency file
+**Recommendation:** This may take the form of a package manager or language dependency file
that enumerates all direct dependencies such as package.json, Gemfile,
or go.mod.
+**Control applies to:**
- Maturity Level 1
- Maturity Level 2
- Maturity Level 3
@@ -1448,7 +1633,7 @@
#### OSPS-QA-02.02
-**Requirement:** When the project has made a [release], all compiled released software assets MUST be delivered with a [software bill of materials].
+**Requirement:** When the [project] has made a [release], all compiled released software assets MUST be delivered with a [software bill of materials].
**Recommendation:** It is recommended to auto-generate SBOMs at build time using a tool
that has been vetted for accuracy. This enables users to ingest this
@@ -1456,6 +1641,7 @@
environment.
+**Control applies to:**
- Maturity Level 3
@@ -1463,17 +1649,18 @@
#### External Framework Mappings
- - **[BPB]**: Q-S-8, Q-S-9
-
- - **[CRA]**: 2.1, 2.3
-
- - **[SSDF]**: PO3.3, PS1, PS3.2
-
- - **[CSF]**: ID.M-02
-
- - **[OC]**: 4.1.5, 4.3.1
-
- - **[OCRE]**: 486-813, 124-564, 673-475, 863-521, 613-286
+
+ - **[BPB]**: {Q-S-8 0 }, {Q-S-9 0 }
+ - **[CRA]**: {2.1 0 }, {2.2 0 }, {2.3 0 }
+ - **[SSDF]**: {PO.3.3 0 }, {PS.1 0 }, {PS.2 0 }, {PS.3.2 0 }, {PW.4 0 }
+ - **[CSF]**: {ID.AM.01 0 }, {ID.AM-02 0 }
+ - **ISO-[18974]**: {4.1.5 0 }, {4.3.1 0 }
+ - **[OpenCRE]**: {486-813 0 }, {124-564 0 }, {673-475 0 }, {863-521 0 }, {613-286 0 }
+ - **PSSCRM**: {G1.4 0 }, {G1.5 0 }, {G2.5 0 }, {P3.1 0 }, {P3.2 0 }, {P5.1 0 }, {P5.2 0 }, {E2.1 0 }, {E2.2 0 }
+ - **[SAMM]**: {Implementation -Secure Build -Software Dependencies Lvl1 0 }
+ - **[PCIDSS]**: {6.3.2 0 }, {6.4.3 0 }, {12.5.1 0 }
+ - **UKSSCOP**: {1.2 0 }
+ - **[800-161]**: {CA-7 0 }, {CM-2 0 }, {CM-8 0 }, {PL-8 0 }, {RA-3(1) 0 }, {RA-5 0 }, {SA-11 0 }, {SA-15 0 }, {SR-3 0 }, {SR-4 0 }
---
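Review bot: `{ID.AM.01 0 }` uses a dot where every other CSF identifier in this file uses a hyphen (`ID.AM-02`, `ID.RA-01`, and `{ID.AM-01 0 }` in the OSPS-SA-02 mapping); it should read `ID.AM-01`.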
@@ -1499,6 +1686,7 @@
requirement that approvers may be tempted to bypass.
+**Control applies to:**
- Maturity Level 2
- Maturity Level 3
@@ -1507,16 +1695,21 @@
#### External Framework Mappings
- - **[CRA]**: 1.2f, 1.2k
-
- - **[SSDF]**: PO4.1, PS1
-
- - **[CSF]**: ID.IM-02
+
+ - **[CRA]**: {1.2f 0 }, {1.2k 0 }
+ - **[SSDF]**: {PO.4.1 0 }, {PS.1 0 }, {PS.2 0 }, {RV.1.2 0 }
+ - **[CSF]**: {ID.IM-02 0 }
+ - **ISO-[18974]**: {4.1.5 0 }
+ - **[OpenCRE]**: {263-184 0 }, {253-452 0 }
+ - **PSSCRM**: {G2.2 0 }, {G5.3 0 }, {G5.4 0 }, {P3.5 0 }, {P4.1 0 }, {P4.2 0 }
+ - **[SAMM]**: {Implementation -Secure Build -Build Process Lvl3 0 }, {Implementation -Secure Build -Software Dependencies Lvl3 0 }, {Verification -Requirements Testing -Control Verification Lvl1 0 }, {Verification -Requirements Testing -Control Verification Lvl2 0 }, {Verification -Requirements Testing -Control Verification Lvl3 0 }
+ - **[PCIDSS]**: {6.3.1 0 }, {6.3.2 0 }, {6.5.2 0 }
+ - **[800-161]**: {AU-6 0 }, {CM-3 0 }, {CM-6 0 }, {PL-8 0 }, {SA-11 0 }, {SA-15 0 }, {SR-3 0 }
---
-### OSPS-QA-04 - Any additional [subproject] code [repositories] produced by the project and compiled into a [release] MUST enforce security requirements as applicable to the status and intent of the respective [codebase].
+### OSPS-QA-04 - Any additional [subproject] [code] [repositories] produced by the [project] and compiled into a [release] MUST enforce security requirements as applicable to the status and intent of the respective codebase.
Ensure that additional code repositories or subprojects produced by the
project are held to a standard that is clear and appropriate for that
@@ -1527,21 +1720,24 @@
#### OSPS-QA-04.01
-**Requirement:** While active, the [project documentation] MUST contain a list of any [codebases] that are considered [subprojects] or additional [repositories].
+**Requirement:** While active, the [project] documentation MUST contain a list of any codebases that are considered [subprojects].
**Recommendation:** Document any additional subproject code repositories produced by the
project and compiled into a release. This documentation should include
the status and intent of the respective codebase.
+**Control applies to:**
- Maturity Level 1
+- Maturity Level 2
+- Maturity Level 3
#### OSPS-QA-04.02
-**Requirement:** When the project has made a [release] comprising multiple source code [repositories], all [subprojects] MUST enforce security requirements that are as strict or stricter than the primary [codebase].
+**Requirement:** When the [project] has made a [release] comprising multiple source [code] [repositories], all [subprojects] MUST enforce security requirements that are as strict or stricter than the primary codebase.
**Recommendation:** Any additional subproject code repositories produced by the project
and compiled into a release must enforce security requirements as
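Review bot: the OSPS-QA-04.01 requirement is narrowed from "[codebases] that are considered [subprojects] or additional [repositories]" to "codebases that are considered [subprojects]" while the OSPS-QA-04 heading still speaks of "additional [subproject] [code] [repositories]", and in the same hunk the control's applicability is extended to Maturity Level 2 and 3. Both are substantive changes buried in an otherwise cosmetic bracketing diff; call them out in the changelog, and note that `codebases` lost its glossary brackets.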
@@ -1552,6 +1748,7 @@
security issues.
+**Control applies to:**
- Maturity Level 3
@@ -1559,11 +1756,15 @@
#### External Framework Mappings
- - **[CRA]**: 1.2b, 1.2f
-
- - **[SSDF]**: PO3.2, PO4.1, PS1
-
- - **[OCRE]**: 486-813, 124-564
+
+ - **[CRA]**: {1.2b 0 }, {1.2f 0 }
+ - **[SSDF]**: {PO.3.2 0 }, {PO.4.1 0 }, {PS.1 0 }, {PS.2 0 }, {RV.1.2 0 }
+ - **[OpenCRE]**: {486-813 0 }, {124-564 0 }
+ - **[SLSA]**: {Build platform - isolation strength - Isolated 0 }
+ - **Scorecard**: {Binary-Artifacts 0 }
+ - **PSSCRM**: {G2.2 0 }, {G5.4 0 }
+ - **[PCIDSS]**: {6.4.2 0 }
+ - **[800-161]**: {PL-8 0 }, {SA-15 0 }
---
@@ -1588,6 +1789,7 @@
fetched during a specific well-documented pipeline step.
+**Control applies to:**
- Maturity Level 1
- Maturity Level 2
- Maturity Level 3
@@ -1595,28 +1797,48 @@
-#### External Framework Mappings
+#### OSPS-QA-05.02
+
+**Requirement:** While active, the [version control system] MUST NOT contain unreviewable binary artifacts.
+
+**Recommendation:** Do not add any unreviewable binary artifacts to the project&#39;s version
+control system. This includes executable application binaries, library
+files, and similar artifacts. It does not include assets such as
+graphical images, sound or music files, and similar content typically
+stored in a binary format.
+
+
+**Control applies to:**
+- Maturity Level 1
+- Maturity Level 2
+- Maturity Level 3
+
- - **[CRA]**: 1.2b
- - **[SSDF]**: PS1
- - **[OCRE]**: 486-813, 124-564
+#### External Framework Mappings
+
+
+ - **[CRA]**: {1.2b 0 }
+ - **[SSDF]**: {PS.1 0 }, {PS.2 0 }
+ - **[OpenCRE]**: {486-813 0 }, {124-564 0 }
+ - **[PCIDSS]**: {6.4.3 0 }
+ - **[800-161]**: {PL-8 0 }, {SA-15 0 }, {SR-3 0 }
---
-### OSPS-QA-06 - The project MUST use at least one [automated test suite] for the source code [repository].
+### OSPS-QA-06 - The [project] MUST use at least one [automated test suite] for the source [code] [repository].
Ensure that the project uses at least one automated test suite for the
-source code repository which clearly documents when and how tests are run.
+source code repository and clearly documents when and how tests are run.
#### OSPS-QA-06.01
-**Requirement:** Prior to a [commit] being accepted, the project&#39;s [CI/CD pipelines] MUST run at least one [automated test suite] to ensure the [changes] meet expectations.
+**Requirement:** Prior to a [commit] being accepted, the [project]&#39;s [CI/CD pipelines] MUST run at least one [automated test suite] to ensure the [changes] meet expectations.
**Recommendation:** Automated tests should be run prior to every merge into the primary
branch. The test suite should be run in a CI/CD pipeline and the
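Review bot: the new OSPS-QA-05.02 control ("MUST NOT contain unreviewable binary artifacts") has no Scorecard mapping in its External Framework Mappings, whereas `{Binary-Artifacts 0 }` was added to the OSPS-QA-04 (subprojects) mappings above; the Scorecard check appears to belong here. Minor: the added block contains two consecutive blank lines before **Control applies to:** and again after the mappings heading, unlike the single blank line used elsewhere.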
@@ -1627,6 +1849,7 @@
end-to-end tests.
+**Control applies to:**
- Maturity Level 2
- Maturity Level 3
@@ -1635,7 +1858,7 @@
#### OSPS-QA-06.02
-**Requirement:** While active, project&#39;s documentation MUST clearly document when and how tests are run.
+**Requirement:** While active, [project]&#39;s documentation MUST clearly document when and how tests are run.
**Recommendation:** Add a section to the contributing documentation that explains how to
run the tests locally and how to run the tests in the CI/CD pipeline.
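Review bot: the OSPS-QA-06.02 requirement still reads "While active, [project]'s documentation MUST" with no article; the other requirements use "the [project]'s documentation", so insert "the" while the line is being touched.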
@@ -1643,6 +1866,7 @@
interpret the results.
+**Control applies to:**
- Maturity Level 3
@@ -1650,13 +1874,14 @@
#### OSPS-QA-06.03
-**Requirement:** While active, the project&#39;s documentation MUST include a policy that all major [changes] to the software produced by the project should add or update tests of the functionality in an [automated test suite].
+**Requirement:** While active, the [project]&#39;s documentation MUST include a policy that all major [changes] to the software produced by the [project] should add or update tests of the functionality in an [automated test suite].
**Recommendation:** Add a section to the contributing documentation that explains the
policy for adding or updating tests. The policy should explain what
constitutes a major change and what tests should be added or updated.
+**Control applies to:**
- Maturity Level 3
@@ -1664,23 +1889,26 @@
#### External Framework Mappings
- - **[BPB]**: Q-B-4, Q-B-8, Q-B-9, Q-B-10, Q-S-2
-
- - **[CRA]**: 2.3
-
- - **[SSDF]**: PW8.2
-
- - **[OC]**: 4.1.5
-
- - **[OCRE]**: 207-435, 088-377
+
+ - **[BPB]**: {Q-B-4 0 }, {Q-B-8 0 }, {Q-B-9 0 }, {Q-B-10 0 }, {Q-S-2 0 }
+ - **[CRA]**: {2.3 0 }
+ - **[SSDF]**: {PW.8.2 0 }
+ - **[CSF]**: {ID.AM-02 0 }
+ - **ISO-[18974]**: {4.1.5 0 }
+ - **[OpenCRE]**: {207-435 0 }, {088-377 0 }
+ - **Scorecard**: {CI-Tests 0 }
+ - **PSSCRM**: {P4.1 0 }, {P4.2 0 }, {P4.3 0 }, {P4.4 0 }, {E2.4 0 }, {E2.5 0 }
+ - **[SAMM]**: {Verification-Requirements -Testing -Control Verification Lvl1 0 }, {Verification-Requirements -Testing -Control Verification Lvl2 0 }, {Verification-Requirements -Testing -Control Verification Lvl3 0 }, {Verification -Security Testing -Scalable Baseline Lvl3 0 }
+ - **[PCIDSS]**: {6.2.3 0 }, {6.3.1 0 }, {6.3.2 0 }, {6.4.2 0 }
+ - **[800-161]**: {SA-11 0 }, {SA-15 0 }, {SR-3 0 }
---
-### OSPS-QA-07 - The project&#39;s [version control system] MUST require at least one non-author approval of [changes] to the [primary branch].
+### OSPS-QA-07 - The [project]&#39;s [version control system] MUST require at least one non-author human approval of [changes] to the [primary branch].
Ensure that the project&#39;s version control system requires at least one
-non-author approval of changes before merging into the release or primary
+non-author human approval of changes before merging into the release or primary
branch.
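Review bot: the SAMM entries here split the practice name as `Verification-Requirements -Testing -Control Verification`, whereas the OSPS-QA-03 mappings write the same practice as `Verification -Requirements Testing -Control Verification`; pick one form so the names can be matched mechanically.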
@@ -1688,15 +1916,16 @@
#### OSPS-QA-07.01
-**Requirement:** When a [commit] is made to the [primary branch], the project&#39;s version control system MUST require at least one non-author approval of the [changes] before merging.
+**Requirement:** When a [commit] is made to the [primary branch], the [project]&#39;s version control system MUST require at least one non-author human approval of the [changes] before merging.
**Recommendation:** Configure the project&#39;s version control system to require at least one
-non-author approval of changes before merging into the release or
+non-author human approval of changes before merging into the release or
primary branch. This can be achieved by requiring a pull request to be
-reviewed and approved by at least one other contributor before it can
+reviewed and approved by at least one other collaborator before it can
be merged.
+**Control applies to:**
- Maturity Level 3
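Review bot: the requirement now demands a "non-author human approval", but the recommendation only says to require a pull request approval from "at least one other collaborator"; add a sentence noting that approvals from bot or automation accounts do not satisfy the control, so the new word has a checkable meaning.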
@@ -1704,7 +1933,12 @@
#### External Framework Mappings
- - **[BPB]**: B-G-3
+
+ - **[BPB]**: {B-G-3 0 }
+ - **Scorecard**: {Code-Review 0 }
+ - **PSSCRM**: {G2.4 0 }, {P3.3 0 }, {P3.5 0 }
+ - **[PCIDSS]**: {6.2.3.1 0 }, {6.4.2 0 }, {6.5.4 0 }
+ - **[800-161]**: {AC-5 0 }, {AU-6 0 }, {PL-8 0 }, {SA-15 0 }, {SR-3 0 }
---
@@ -1719,7 +1953,7 @@
-### OSPS-SA-01 - The [project documentation] MUST provide design documentation demonstrating all actions and actors within the system.
+### OSPS-SA-01 - The [project] documentation MUST provide design documentation demonstrating all actions and actors within the system.
Provide an overview of the project&#39;s design and architecture, illustrating
the interactions and components of the system to help contributors and
@@ -1731,7 +1965,7 @@
#### OSPS-SA-01.01
-**Requirement:** When the project has made a [release], the [project documentation] MUST include design documentation demonstrating all actions and actors within the system.
+**Requirement:** When the [project] has made a [release], the [project] documentation MUST include design documentation demonstrating all actions and actors within the system.
**Recommendation:** Include designs in the project documentation that explains the actions
and actors. Actors include any subsystem or entity that can influence
@@ -1739,6 +1973,7 @@
Ensure this is updated for new features or breaking changes.
+**Control applies to:**
- Maturity Level 2
- Maturity Level 3
@@ -1747,20 +1982,22 @@
#### External Framework Mappings
- - **[BPB]**: B-B-1, B-S-7, B-S-8
-
- - **[CRA]**: 1.2a, 1.2b
-
- - **[SSDF]**: PO.1, PO.2, PO3.2
-
- - **[CSF]**: ID.AM-02
-
- - **[OCRE]**: 155-155, 326-704, 068-102, 036-275, 162-655
+
+ - **[BPB]**: {B-B-1 0 }, {B-S-7 0 }, {B-S-8 0 }
+ - **[CRA]**: {1.2a 0 }, {1.2b 0 }
+ - **[SSDF]**: {PO.1 0 }, {PO.2 0 }, {PO.3.2 0 }
+ - **[CSF]**: {ID.AM-02 0 }
+ - **[OpenCRE]**: {155-155 0 }, {326-704 0 }, {068-102 0 }, {036-275 0 }, {162-655 0 }
+ - **PSSCRM**: {G5.1 0 }, {P1.1 0 }, {E3.4 0 }, {E3.7 0 }
+ - **[SAMM]**: {Operations -Operational Management -Data Protection Lvl2 0 }
+ - **[PCIDSS]**: {2.2.1 0 }, {2.2.3 0 }, {2.2.4 0 }, {2.2.5 0 }, {2.2.6 0 }, {3.1.1 0 }, {4.1.1 0 }, {5.1.1 0 }, {6.1.1 0 }, {6.2.1 0 }, {7.1.1 0 }, {8.1.1 0 }, {11.1.1 0 }, {12.3.1 0 }, {12.5.3 0 }
+ - **UKSSCOP**: {1.4 0 }
+ - **[800-161]**: {CM-2 0 }, {PL-8 0 }, {RA-3 0 }, {SA-15 0 }
---
-### OSPS-SA-02 - The [project documentation] MUST include descriptions of all external software interfaces of the [released software assets].
+### OSPS-SA-02 - The [project] documentation MUST include descriptions of all external software interfaces of the [released software assets].
Provide users and developers with an understanding of how to interact with
the project&#39;s software and integrate it with other systems, enabling them
@@ -1771,7 +2008,7 @@
#### OSPS-SA-02.01
-**Requirement:** When the project has made a [release], the [project documentation] MUST include descriptions of all external software interfaces of the [released software assets].
+**Requirement:** When the [project] has made a [release], the [project] documentation MUST include descriptions of all external software interfaces of the [released software assets].
**Recommendation:** Document all software interfaces (APIs) of the released software
assets, explaining how users can interact with the software and what
@@ -1779,6 +2016,7 @@
Ensure this is updated for new features or breaking changes.
+**Control applies to:**
- Maturity Level 2
- Maturity Level 3
@@ -1787,22 +2025,21 @@
#### External Framework Mappings
- - **[BPB]**: B-B-10, B-S-7
-
- - **[CRA]**: 1.2a, 1.2b
-
- - **[SSDF]**: PW1.2
-
- - **[CSF]**: GV.OC-05, ID.AM-01
-
- - **[OC]**: 4.1.4
-
- - **[OCRE]**: 155-155, 068-102, 072-713, 820-878
+
+ - **[BPB]**: {B-B-10 0 }, {B-S-7 0 }
+ - **[CRA]**: {1.2a 0 }, {1.2b 0 }
+ - **[SSDF]**: {PW.1.2 0 }
+ - **[CSF]**: {GV.OC-05 0 }, {ID.AM-01 0 }
+ - **ISO-[18974]**: {4.1.4 0 }
+ - **[OpenCRE]**: {155-155 0 }, {068-102 0 }, {072-713 0 }, {820-878 0 }
+ - **PSSCRM**: {E3.4 0 }, {E3.7 0 }
+ - **[PCIDSS]**: {2.2.1 0 }, {2.2.3 0 }, {2.2.4 0 }, {2.2.5 0 }, {2.2.6 0 }, {6.2.1 0 }, {12.3.1 0 }, {12.8.1 0 }
+ - **[800-161]**: {CM-2 0 }, {PL-2 0 }, {PL-8 0 }, {RA-3 0 }, {SA-15 0 }
---
-### OSPS-SA-03 - The project MUST assess the security posture of all software assets.
+### OSPS-SA-03 - The [project] MUST assess the security posture of all software assets.
Provide project maintainers an understanding of how the software can be
misused or broken allows them to plan mitigations to close off the potential
@@ -1813,7 +2050,7 @@
#### OSPS-SA-03.01
-**Requirement:** When the project has made a [release], the project MUST perform a security assessment to understand the most likely and impactful potential security problems that could occur within the software.
+**Requirement:** When the [project] has made a [release], the [project] MUST perform a security assessment to understand the most likely and impactful potential security problems that could occur within the software.
**Recommendation:** Performing a security assessment informs both project members as well
as downstream consumers that the project understands what problems
@@ -1824,6 +2061,7 @@
Ensure this is updated for new features or breaking changes.
+**Control applies to:**
- Maturity Level 2
- Maturity Level 3
@@ -1832,9 +2070,9 @@
#### OSPS-SA-03.02
-**Requirement:** When the project has made a [release], the project MUST perform a threat modeling and [attack surface analysis] to understand and protect against attacks on critical code paths, functions, and interactions within the system.
+**Requirement:** When the [project] has made a [release], the [project] MUST perform a threat modeling and [attack surface analysis] to understand and protect against attacks on critical [code] paths, functions, and interactions within the system.
-**Recommendation:** Threat modeling is an activity where the project looks at the
+**Recommendation:** Threat modeling is an activity where the project looks at the
codebase, associated processes and infrastructure, interfaces, key
components and &#34;thinks like a hacker&#34; and brainstorms how the system
be be broken or compromised. Each identified threat is listed out so
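Review bot: the context line "brainstorms how the system be be broken or compromised" has a duplicated "be" (should be "can be broken"); since this hunk already touches the first line of the Recommendation, fix the typo here rather than in a follow-up.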
@@ -1843,6 +2081,7 @@
Ensure this is updated for new features or breaking changes.
+**Control applies to:**
- Maturity Level 3
@@ -1850,17 +2089,18 @@
#### External Framework Mappings
- - **[BPB]**: B-S-8, B-W-8, S-G-1
-
- - **[CRA]**: 1.1, 1.2j, 1.2k, 2.2
-
- - **[SSDF]**: PO5.1, PW1.1
-
- - **[CSF]**: ID.RA-01, ID.RA-04, ID.RA-05, DE.AE-07
-
- - **[OC]**: 4.1.5
-
- - **[OCRE]**: 068-102, 154-031, 888-770, 307-242, 660-867
+
+ - **[BPB]**: {B-S-8 0 }, {S-G-1 0 }
+ - **[CRA]**: {1.1 0 }, {1.2j 0 }, {1.2k 0 }, {2.2 0 }
+ - **[SSDF]**: {PO.5.1 0 }, {PW.1.1 0 }
+ - **[CSF]**: {ID.RA-01 0 }, {ID.RA-04 0 }, {ID.RA-05 0 }, {DE.AE-07 0 }
+ - **ISO-[18974]**: {4.1.5 0 }
+ - **[OpenCRE]**: {068-102 0 }, {154-031 0 }, {888-770 0 }
+ - **PSSCRM**: {G4.3 0 }, {G5.2 0 }, {P2.1 0 }
+ - **[SAMM]**: {Governance -Create and Promote Lvl1 0 }, {Design -Threat Assessment -Application Risk Profile Lvl1 0 }, {Design -Threat Assessment -Threat Modeling Lvl1 0 }, {Verification -Architecture Assessment -Architecture Mitigation Lvl2 0 }
+ - **[PCIDSS]**: {2.2.4 0 }, {2.2.5 0 }, {2.2.6 0 }, {6.2.1 0 }, {6.2.3.1 0 }, {6.3.2 0 }, {6.4.2 0 }, {11.3.1 0 }, {12.3.1 0 }
+ - **UKSSCOP**: {1.4 0 }, {3.3 0 }
+ - **[800-161]**: {CA-2 0 }, {CA-2(3) 0 }, {PM-30 0 }, {RA-3 0 }, {SA-11 0 }, {SA-15 0 }, {SA-15(3) 0 }, {SA-15(8) 0 }, {SI-3 0 }, {SR-3 0 }, {SR-3(3) 0 }, {SR-6 0 }, {SR-7 0 }
---
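Review bot: this hunk drops the BPB mapping `B-W-8` and the OpenCRE mappings `307-242` and `660-867` from OSPS-SA-03 without a stated reason; if they were wrong, say so in the changelog, otherwise they should be carried over in the new format like the rest.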
@@ -1877,10 +2117,10 @@
-### OSPS-VM-01 - The [project documentation] MUST include a policy for coordinated [vulnerability reporting], with a clear timeframe for response.
+### OSPS-VM-01 - The [project] documentation MUST include a policy for coordinated vulnerability disclosure, with a clear timeframe for response.
Establish a process for reporting and addressing vulnerabilities in the
-project, ensuring that security issues are handled promptly and
+project, ensuring that security issues are handled promptly and
transparently.
@@ -1888,14 +2128,15 @@
#### OSPS-VM-01.01
-**Requirement:** While active, the [project documentation] MUST include a policy for coordinated [vulnerability reporting], with a clear timeframe for response.
+**Requirement:** While active, the [project] documentation MUST include a policy for [coordinated vulnerability disclosure] ([CVD]), with a clear timeframe for response.
**Recommendation:** Create a SECURITY.md file at the root of the directory, outlining the
-project&#39;s policy for coordinated vulnerability reporting. Include a
-method for reporting vulnerabilities. Set expectations for the how the
+project&#39;s policy for coordinated vulnerability disclosure. Include a
+method for reporting vulnerabilities. Set expectations for how the
project will respond and address reported issues.
+**Control applies to:**
- Maturity Level 2
- Maturity Level 3
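Review bot: the OSPS-VM-01.01 requirement links the glossary term as "[coordinated vulnerability disclosure] ([CVD])" but the OSPS-VM-01 heading in the previous hunk writes "coordinated vulnerability disclosure" unbracketed; bracket it in the heading too so both resolve to the same definition.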
@@ -1904,22 +2145,24 @@
#### External Framework Mappings
- - **[BPB]**: R-B-6, R-B-8, R-S-2, S-B-14, S-B-15
-
- - **[CRA]**: 2.1, 2.3, 2.6, 2.7, 2.8
-
- - **[SSDF]**: RV1.3
-
- - **[CSF]**: GV.PO-01, GV.PO-02, ID.RA-01, ID.RA-08
-
- - **[OC]**: 4.1.5, 4.2.1, 4.3.2
-
- - **[OCRE]**: 887-750
+
+ - **[BPB]**: {R-B-6 0 }, {R-B-8 0 }, {R-S-2 0 }, {S-B-14 0 }, {S-B-15 0 }
+ - **[CRA]**: {2.1 0 }, {2.2 0 }, {2.3 0 }, {2.6 0 }, {2.7 0 }, {2.8 0 }
+ - **[SSDF]**: {RV.1.3 0 }
+ - **[CSF]**: {GV.PO-01 0 }, {GV.PO-02 0 }, {ID.RA-01 0 }, {ID.RA-08 0 }
+ - **ISO-[18974]**: {4.1.5 0 }, {4.2.1 0 }, {4.3.2 0 }
+ - **[OpenCRE]**: {887-750 0 }
+ - **Scorecard**: {Security-Policy 0 }
+ - **PSSCRM**: {D1.1 0 }, {D1.2 0 }, {D1.3 0 }, {D1.5 0 }
+ - **[SAMM]**: {Governance -Create and Promote Lvl2 0 }, {Governance -Policy &amp; Compliance -Policy &amp; Standards Lvl1 0 }, {Implementation -Defect Management -Defect Tracking Lvl1 0 }, {Implementation -Defect Management -Defect Tracking Lvl2 0 }, {Implementation -Defect Management -Defect Tracking Lvl3 0 }, {Operations -Incident Management -Incident Response Lvl1 0 }, {Operations -Incident Management -Incident Response Lvl2 0 }, {Operations -Incident Management -Incident Response Lvl3 0 }
+ - **[PCIDSS]**: {2.1.1 0 }, {3.1.1 0 }, {4.1.1 0 }, {5.1.1 0 }, {6.1.1 0 }, {6.3.1 0 }, {6.3.2 0 }, {7.1.1 0 }, {8.1.1 0 }, {11.1.1 0 }, {11.2.1 0 }, {12.1.1 0 }, {12.1.3 0 }
+ - **UKSSCOP**: {3.2 0 }, {3.4 0 }, {3.5 0 }
+ - **[800-161]**: {IR-1 0 }, {IR-4 0 }, {IR-6 0 }, {IR-7(1) 0 }, {IR-8 0 }, {SI-2 0 }
---
-### OSPS-VM-02 - The project MUST publish contacts and process for reporting vulnerabilities.
+### OSPS-VM-02 - The [project] MUST publish contacts and process for reporting vulnerabilities.
Reports from researchers and users are an important source for identifying
vulnerabilities in a project. People with vulnerabilities to report should
@@ -1931,12 +2174,13 @@
#### OSPS-VM-02.01
-**Requirement:** While active, the [project documentation] MUST contain security contacts.
+**Requirement:** While active, the [project] documentation MUST contain security contacts.
**Recommendation:** Create a security.md (or similarly-named) file that contains security
contacts for the project.
+**Control applies to:**
- Maturity Level 1
@@ -1944,25 +2188,26 @@
#### External Framework Mappings
- - **[BPB]**: B-S-8
-
- - **[CRA]**: 2.5
-
- - **[SSDF]**: RV1.3
-
- - **[CSF]**: GV.PO-01, GV.PO-02, ID.RA-01
-
- - **[OC]**: 4.1.1, 4.1.3, 4.1.5, 4.2.2
-
- - **[OCRE]**: 464-513
+
+ - **[BPB]**: {B-S-8 0 }
+ - **[CRA]**: {2.5 0 }
+ - **[SSDF]**: {RV.1.3 0 }
+ - **[CSF]**: {GV.PO-01 0 }, {GV.PO-02 0 }, {ID.RA-01 0 }
+ - **ISO-[18974]**: {4.1.1 0 }, {4.1.3 0 }, {4.1.5 0 }, {4.2.2 0 }
+ - **[OpenCRE]**: {464-513 0 }
+ - **Scorecard**: {Security-Policy 0 }
+ - **[SAMM]**: {Governance -Policy&amp;Compliance -Policy&amp;Standards Lvl2 0 }
+ - **[PCIDSS]**: {6.3.3 0 }, {12.1.1 0 }, {12.10.2 0 }
+ - **UKSSCOP**: {3.2 0 }
+ - **[800-161]**: {IR-1 0 }, {IR-4 0 }, {IR-6 0 }, {IR-8 0 }
---
-### OSPS-VM-03 - The project MUST provide a means for reporting security vulnerabilities privately to the security contacts within the project.
+### OSPS-VM-03 - The [project] MUST provide a means for reporting security vulnerabilities privately to the security contacts within the [project].
Security vulnerabilities should not be shared with the public until such
-time the project has been provided time to analyze and prepare
+time the project has been provided time to analyze and prepare
remediations to protect users of the project.
@@ -1970,14 +2215,15 @@
#### OSPS-VM-03.01
-**Requirement:** While active, the [project documentation] MUST provide a means for reporting security vulnerabilities privately to the security contacts within the project.
+**Requirement:** While active, the [project] documentation MUST provide a means for [private vulnerability reporting] directly to the security contacts within the [project].
**Recommendation:** Provide a means for security researchers to report vulnerabilities
privately to the project. This may be a dedicated email address, a
-web form, VSC specialized tools, email addresses for security
+web form, VCS specialized tools, email addresses for security
contacts, or other methods.
+**Control applies to:**
- Maturity Level 2
- Maturity Level 3
@@ -1986,14 +2232,19 @@
#### External Framework Mappings
- - **[CRA]**: 1.2a, 1.2b, 2.1, 2.4, 2.6
-
- - **[OCRE]**: 308-514
+
+ - **[BPB]**: {R-B-7 0 }
+ - **[CRA]**: {2.5 0 }, {2.6 0 }
+ - **[OpenCRE]**: {308-514 0 }
+ - **[SAMM]**: {Operations -Incident Management -Incident Response Lvl3 0 }
+ - **[PCIDSS]**: {6.3.1 0 }, {6.3.3 0 }, {12.10.2 0 }
+ - **UKSSCOP**: {3.2 0 }
+ - **[800-161]**: {IR-6 0 }
---
-### OSPS-VM-04 - The project MUST publicly publish data about discovered vulnerabilities.
+### OSPS-VM-04 - The [project] MUST publicly publish data about discovered vulnerabilities.
Consumers of the project must be informed about known vulnerabilities
found within the project.
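Review bot: the OSPS-VM-03 CRA mapping is rewritten from `1.2a, 1.2b, 2.1, 2.4, 2.6` to `{2.5 0 }, {2.6 0 }`, and the old list is identical to the one OSPS-VM-04 keeps below, so the old line may have been a copy-paste; still, a change of this size to a mapping deserves a note in the changelog. The new `[BPB]` `{R-B-7 0 }` and `[SAMM]` entries are also additions, not format conversions.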
@@ -2003,7 +2254,7 @@
#### OSPS-VM-04.01
-**Requirement:** While active, the [project documentation] MUST publicly publish data about discovered vulnerabilities.
+**Requirement:** While active, the [project] documentation MUST publicly publish data about discovered vulnerabilities.
**Recommendation:** Provide information about known vulnerabilities in a predictable
public channel, such as a CVE entry, blog post, or other medium.
@@ -2012,6 +2263,7 @@
instructions for mitigation or remediation.
+**Control applies to:**
- Maturity Level 2
- Maturity Level 3
@@ -2020,14 +2272,15 @@
#### OSPS-VM-04.02
-**Requirement:** While active, any vulnerabilities in the software components not affecting the project MUST be accounted for in a VEX document, augmenting the vulnerability report with non-exploitability details.
+**Requirement:** While active, any vulnerabilities in the software components not affecting the [project] MUST be accounted for in a VEX document, augmenting the vulnerability report with non-exploitability details.
-**Recommendation:** Establish a VEX feed communicating the exploitability status of
+**Recommendation:** Establish a VEX feed communicating the exploitability status of
known vulnerabilities, including assessment details or any
mitigations in place preventing vulnerable code from being
executed.
+**Control applies to:**
- Maturity Level 3
@@ -2035,12 +2288,20 @@
#### External Framework Mappings
- - **[CRA]**: 1.2a, 1.2b, 2.1, 2.4, 2.6
+
+ - **[CRA]**: {1.2a 0 }, {1.2b 0 }, {2.1 0 }, {2.4 0 }, {2.6 0 }
+ - **[SSDF]**: {PO.4.1 0 }, {RV.2.1 0 }, {RV.2.2 0 }
+ - **[CSF]**: {ID.RA-01 0 }
+ - **ISO-[18974]**: {4.1.5 0 }
+ - **PSSCRM**: {G2.2 0 }, {D1.1 0 }
+ - **[PCIDSS]**: {6.2.3 0 }, {6.3.1 0 }, {6.3.2 0 }, {6.3.3 0 }, {11.3.1 0 }
+ - **UKSSCOP**: {3.4 0 }, {3.5 0 }, {4.3 0 }
+ - **[800-161]**: {CA-7 0 }, {CM-3 0 }, {CM-8 0 }, {IR-5 0 }, {SI-2 0 }, {SI-4 0 }, {SI-5 0 }
---
-### OSPS-VM-05 - The project MUST enforce a policy for addressing [SCA] findings.
+### OSPS-VM-05 - The [project] MUST enforce a policy for addressing [SCA] findings.
Ensure that the project clearly communicates the threshold for remediation
of SCA findings, including vulnerabilities and license issues in software
@@ -2055,7 +2316,7 @@
#### OSPS-VM-05.01
-**Requirement:** While active, the [project documentation] MUST include a policy that defines a threshold for remediation of [SCA] findings related to vulnerabilities and [licenses].
+**Requirement:** While active, the [project] documentation MUST include a policy that defines a threshold for remediation of [SCA] findings related to vulnerabilities and [licenses].
**Recommendation:** Document a policy in the project that defines a threshold for
remediation of SCA findings related to vulnerabilities and licenses.
@@ -2063,6 +2324,7 @@
these findings.
+**Control applies to:**
- Maturity Level 3
@@ -2070,13 +2332,14 @@
#### OSPS-VM-05.02
-**Requirement:** While active, the [project documentation] MUST include a policy to address [SCA] violations prior to any [release].
+**Requirement:** While active, the [project] documentation MUST include a policy to address [SCA] violations prior to any [release].
**Recommendation:** Document a policy in the project to address applicable Software
Composition Analysis results before any release, and add status checks
that verify compliance with that policy prior to release.
+**Control applies to:**
- Maturity Level 3
@@ -2084,7 +2347,7 @@
#### OSPS-VM-05.03
-**Requirement:** While active, all [changes] to the project&#39;s [codebase] MUST be automatically evaluated against a documented policy for malicious dependencies and [known vulnerabilities] in dependencies, then blocked in the event of violations, except when declared and suppressed as non-exploitable.
+**Requirement:** While active, all [changes] to the [project]&#39;s codebase MUST be automatically evaluated against a documented policy for malicious dependencies and [known vulnerabilities] in dependencies, then blocked in the event of violations, except when declared and suppressed as non-exploitable.
**Recommendation:** Create a status check in the project&#39;s version control system that
runs a Software Composition Analysis tool on all changes
@@ -2092,6 +2355,7 @@
can be merged.
+**Control applies to:**
- Maturity Level 3
@@ -2099,22 +2363,24 @@
#### External Framework Mappings
- - **[BPB]**: Q-B-12, Q-S-9, S-B-14, S-B-15, A-B-3, A-B-8
-
- - **[CRA]**: 1.2a, 1.2b, 1.2c, 2.1, 2.2, 2.3
-
- - **[SSDF]**: PO.4, PW1.2, PW8.1, RV2.1, RV 2.2
-
- - **[CSF]**: GV.RM-05, GV.RM-06, GV.PO-01, GV.PO-02, ID.RA-01, ID.RA-08, ID.IM-02
-
- - **[OC]**: 4.1.5, 4.2.1, 4.3.2
-
- - **[OCRE]**: 124-564, 832-555, 611-158, 207-435, 088-377
+
+ - **[BPB]**: {B-S-8 0 }, {Q-B-12 0 }, {Q-S-9 0 }, {S-B-14 0 }, {S-B-15 0 }, {A-B-1 0 }, {A-B-3 0 }, {A-B-8 0 }, {A-S-1 0 }
+ - **[CRA]**: {1.2a 0 }, {1.2b 0 }, {1.2c 0 }, {2.1 0 }, {2.2 0 }, {2.3 0 }, {2.4 0 }
+ - **[SSDF]**: {PO.4 0 }, {PW.1.2 0 }, {PW.8.1 0 }, {RV.1.2 0 }, {RV.1.3 0 }, {RV.2.1 0 }, {RV.2.2 0 }
+ - **[CSF]**: {GV.RM-05 0 }, {GV.RM-06 0 }, {GV.PO-01 0 }, {GV.PO-02 0 }, {ID.RA-01 0 }, {ID.RA-08 0 }, {ID.IM-02 0 }
+ - **ISO-[18974]**: {4.1.5 0 }, {4.2.1 0 }, {4.2.2 0 }, {4.3.2 0 }
+ - **[OpenCRE]**: {155-155 0 }, {124-564 0 }, {757-271 0 }, {464-513 0 }, {611-158 0 }, {207-435 0 }, {088-377 0 }
+ - **Scorecard**: {Security-Policy 0 }, {Vulnerabilities 0 }
+ - **PSSCRM**: {G5.4 0 }, {P4.1 0 }, {P4.2 0 }, {P4.3 0 }, {P4.4 0 }, {P4.5 0 }
+ - **[SAMM]**: {Implementation -Secure Build-Build Process Lvl3 0 }, {Implementation -Software Dependencies Lvl3 0 }, {Verification -Security Testing -Scalable Baseline Lvl1 0 }, {Verification -Security Testing -Scalable Baseline Lvl3 0 }
+ - **[PCIDSS]**: {6.2.3 0 }, {6.3.1 0 }, {6.3.2 0 }, {6.4.1 0 }, {6.4.2 0 }
+ - **UKSSCOP**: {1.2 0 }, {3.3 0 }
+ - **[800-161]**: {CA-7 0 }, {RA-5 0 }, {SA-11 0 }, {SI-2 0 }, {SI-3 0 }
---
-### OSPS-VM-06 - The [project documentation] MUST enforce a policy that defines a threshold for remediation of SAST findings.
+### OSPS-VM-06 - The [project] documentation MUST enforce a policy that defines a threshold for remediation of SAST findings.
Identify and address defects and security weaknesses in the project&#39;s
codebase early in the development process, reducing the risk of shipping
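Review bot: every mapping entry now renders as `{B-S-8 0 }` instead of the bare identifier `B-S-8` that the removed lines carried; the `0` and trailing space look like the remaining fields of a whole record being printed by the generator rather than its identifier field, so this should be fixed in the template before the page is published. In the same list, `**Scorecard**`, `**PSSCRM**` and `**UKSSCOP**` are plain bold text while the neighbouring keys are `[...]` reference links; the link list at the end of the file defines `ScrCrd` and `P-SSCRM` rather than these names, so either rename the keys or add matching definitions, and UKSSCOP has no lexicon entry or link definition at all.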
@@ -2125,7 +2391,7 @@
#### OSPS-VM-06.01
-**Requirement:** While active, the [project documentation] MUST include a policy that defines a threshold for remediation of SAST findings.
+**Requirement:** While active, the [project] documentation MUST include a policy that defines a threshold for remediation of SAST findings.
**Recommendation:** Document a policy in the project that defines a threshold for
remediation of Static Application Security Testing (SAST) findings.
@@ -2133,6 +2399,7 @@
these findings.
+**Control applies to:**
- Maturity Level 3
@@ -2140,7 +2407,7 @@
#### OSPS-VM-06.02
-**Requirement:** While active, all [changes] to the project&#39;s [codebase] MUST be automatically evaluated against a documented policy for security weaknesses and blocked in the event of violations except when declared and suppressed as non-exploitable.
+**Requirement:** While active, all [changes] to the [project]&#39;s codebase MUST be automatically evaluated against a documented policy for security weaknesses and blocked in the event of violations except when declared and suppressed as non-exploitable.
**Recommendation:** Create a status check in the project&#39;s version control system that
runs a Static Application Security Testing (SAST) tool on all changes
@@ -2148,6 +2415,7 @@
can be merged.
+**Control applies to:**
- Maturity Level 3
@@ -2155,6 +2423,20 @@
#### External Framework Mappings
+
+ - **[BPB]**: {B-S-8 0 }, {Q-B-12 0 }, {Q-S-9 0 }, {S-B-14 0 }, {S-B-15 0 }, {A-B-1 0 }, {A-B-3 0 }, {A-B-8 0 }, {A-S-1 0 }
+ - **[CRA]**: {1.2a 0 }, {1.2b 0 }, {1.2c 0 }, {2.1 0 }, {2.2 0 }, {2.3 0 }, {2.4 0 }
+ - **[SSDF]**: {PO.4 0 }, {PW.1.2 0 }, {PW.8.1 0 }, {RV.1.2 0 }, {RV.1.3 0 }, {RV.2.1 0 }, {RV 2.2 0 }
+ - **[CSF]**: {GV.RM-05 0 }, {GV.RM-06 0 }, {GV.PO-01 0 }, {GV.PO-02 0 }, {ID.RA-01 0 }, {ID.RA-08 0 }, {ID.IM-02 0 }
+ - **ISO-[18974]**: {4.1.5 0 }, {4.2.1 0 }, {4.2.2 0 }, {4.3.2 0 }
+ - **[OpenCRE]**: {155-155 0 }, {124-564 0 }, {757-271 0 }, {464-513 0 }, {611-158 0 }, {207-435 0 }, {088-377 0 }
+ - **Scorecard**: {Security-Policy 0 }, {Vulnerabilities 0 }, {SAST 0 }
+ - **PSSCRM**: {G5.4 0 }, {P4.1 0 }, {P4.2 0 }, {P4.3 0 }, {P4.4 0 }, {P4.5 0 }
+ - **[SAMM]**: {Implementation -Secure Build-Build Process Lvl3 0 }, {Implementation -Software Dependencies Lvl3 0 }, {Verification -Security Testing -Scalable Baseline Lvl1 0 }, {Verification -Security Testing -Scalable Baseline Lvl3 0 }
+ - **[PCIDSS]**: {6.2.3 0 }, {6.3.1 0 }, {6.3.2 0 }, {6.4.1 0 }, {6.4.2 0 }, {6.5.2 0 }
+ - **UKSSCOP**: {1.3 0 }, {1.4 0 }
+ - **[800-161]**: {CA-7 0 }, {RA-5 0 }, {SA-11 0 }, {SI-2 0 }, {SI-3 0 }
+
---
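Review bot: `{RV 2.2 0 }` in the SSDF line uses a space where the otherwise identical OSPS-VM-05 mapping block writes `{RV.2.2 0 }`; this should be `RV.2.2`. The `{... 0 }` rendering issue noted on the previous mapping block applies to every line here as well.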
@@ -2162,13 +2444,20 @@
Controls within this document may map to the following external frameworks:
-- [OpenSSF Best Practices Badge (BPB): 2024](https://github.com/coreinfrastructure/best-practices-badge/blob/main/criteria/criteria.yml)
-- [NIST Cybersecurity Framework (CSF): 2.0](https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf)
-- [Cyber Resilience Act (CRA): 20.11.2024](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#tit_1)
-- [Software Security Development Framework (SSDF): 1.1](https://csrc.nist.gov/pubs/sp/800/218/final)
-- [ISO/IEC 18974 (OC): 1.0 - 2023-12](https://openchainproject.org/security-assurance)
-- [Open Cybersecurity Reference Architecture (OCRE): 2024](https://github.com/OWASP/OpenCRE)
-- [Supply Chain Levels for Software Artifacts (SLSA): 1.0](https://github.com/slsa-framework/slsa)
+| ID | Title | Version | Description |
+|----|-------|---------|-------------|
+| BPB | [OpenSSF Best Practices Badge](https://github.com/coreinfrastructure/best-practices-badge/blob/main/criteria/criteria.yml) | 2024 | The Open Source Security Foundation (OpenSSF) Best Practices Badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices. Projects can voluntarily self-certify, at no cost, by using this web application to explain how they follow each best practice. The OpenSSF Best Practices Badge is inspired by the many badges available to projects on GitHub. Consumers of the badge can quickly assess which FLOSS projects are following best practices and, as a result, are more likely to produce higher-quality secure software. |
+| CSF | [NIST Cybersecurity Framework](https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf) | 2 | The NIST Cybersecurity Framework (CSF) 2.0 provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks. It offers a taxonomy of high level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to better understand, assess, prioritize, and communicate its cybersecurity efforts. The CSF does not prescribe how outcomes should be achieved. Rather, it links to online resources that provide additional guidance on practices and controls that could be used to achieve those outcomes. |
+| CRA | [Cyber Resilience Act](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#tit_1) | 20.11.2024 | Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (Text with EEA relevance) |
+| SSDF | [Secure Software Development Framework](https://csrc.nist.gov/pubs/sp/800/218/final) | 1.1 | The Secure Software Development Framework (SSDF) is a set of fundamental, sound, and secure software development practices based on established secure software development practice documents from organizations such as BSA, OWASP, and SAFECode. Few software development life cycle (SDLC) models explicitly address software security in detail, so practices like those in the SSDF need to be added to and integrated with each SDLC implementation. Following the SSDF practices should help software producers reduce the number of vulnerabilities in released software, reduce the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent recurrences. Also, because the SSDF provides a common language for describing secure software development practices, software producers and acquirers can use it to foster their communications for procurement processes and other management activities. |
+| OC | [ISO/IEC 18974](https://openchainproject.org/security-assurance) | 1.0 - 2023-12 | ISO/IEC 18974 helps organizations check open source for known security vulnerability issues like CVEs, GitHub dependency alerts or package manager alerts. ISO/IEC 18974 identifies: The key places to have security processes, How to assign roles and responsibilities, And how to ensure sustainability of the processes. ISO/IEC 18974 is lightweight, easy to read and is supported by our global community with free reference material and conformance resources. |
+| OCRE | [Open Cybersecurity Reference Architecture](https://github.com/OWASP/OpenCRE) | 2024 | OpenCRE stands for Open Common Requirement enumeration. It is an interactive content linking platform for uniting security standards and guidelines. It offers easy and robust access to relevant information when designing, developing, testing and procuring secure software. |
+| SLSA | [Supply Chain Levels for Software Artifacts](https://github.com/slsa-framework/slsa) | 1 | SLSA (pronounced &#34;salsa&#34;) is a security framework from source to service, giving anyone working with software a common language for increasing levels of software security and supply chain integrity. It’s how you get from safe enough to being as resilient as possible, at any link in the chain. |
+| PSSCRM | [Proactive Software Supply Chain Risk Management Framework](https://arxiv.org/pdf/2404.12300) | 1 | The Proactive-Software Supply Chain Risk Management (P-SSCRM) Framework is designed to help you understand and plan a secure software supply chain risk management initiative. P-SSCRM was created through a process of understanding and analyzing real-world data from nine industry-leading software supply chain risk management initiatives as well as through the analysis and unification of ten government and industry documents, frameworks, and standards. Although individual methodologies and standards differ, many initiatives and standards share common ground. P-SSCRM describes this common ground and presents a model for understanding, quantifying, and developing a secure software supply chain risk management program and determining where your organization’s existing efforts stand when contrasted with other real-world software supply chain risk management initiatives. |
+| SAMM | [OWASP Software Assurance Maturity Model](https://owaspsamm.org/model/) | 2 | The mission of OWASP Software Assurance Maturity Model (SAMM) is to be the prime maturity model for software assurance that provides an effective and measurable way for all types of organizations to analyze and improve their software security posture. OWASP SAMM supports the complete software lifecycle, including development and acquisition, and is technology and process agnostic. It is intentionally built to be evolutive and risk-driven in nature. |
+| PCIDSS | [Payment Card Industry Data Security Standard](https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0_1.pdf) | 4.0.1 | PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all entities that store, process or transmit cardholder data – with requirements for software developers and manufacturers of applications and devices used in those transactions. The Council is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council: American Express, Discover Financial Services, JCB, MasterCard and Visa Inc. The PCI Data Security Standard (PCI DSS) applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you accept or process payment cards, PCI DSS applies to you. |
+| 800-161 | [NIST Special Publication 800-161 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-upd1.pdf) | r1-upd1 | This publication provides guidance to organizations on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain at all levels of their organizations. The publication integrates cybersecurity supply chain risk management (C-SCRM) into risk management activities by applying a multilevel, C-SCRM-specific approach, including guidance on the development of C-SCRM strategy implementation plans, C-SCRM policies, C-SCRM plans, and risk assessments for products and services. |
+| UKSSCOP | [United Kingdom National Cyber Security Centre Software Security Code of Practice](https://www.ncsc.gov.uk/guidance/software-security-code-of-practice-assurance-principles-claims) | 2025-05-07 | The Software Code of Practice has been created by DSIT and the National Cyber Security Centre (NCSC), the UK’s technical authority for cyber security, and is co-sealed by the Canadian Centre for Cyber Security (CCCS). The Code reflects the government’s ongoing focus on codifying minimum standards for technology providers to reduce cyber risk. It is aimed at professionals who are responsible for overseeing the development of ‘commodity’ software, including technical, compliance, and risk experts. For those organisations that require a higher level of assurance in the resilience of their connected products and technology, consider using the NCSC’s Cyber Resilience Testing scheme. |
---
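Review bot: the ID column still lists `OC` and `OCRE`, but the mapping blocks above now key on `ISO-[18974]` and `[OpenCRE]`, and the `[OC]`/`[OCRE]` link definitions are removed later in this diff, so a reader cannot match those two rows to the mappings; rename the IDs to the names the mappings use. `Scorecard` is used as a mapping key but has no row in this table. Minor: the Version column gives `2` and `1` for CSF and SLSA where the removed bullet list said `2.0` and `1.0`.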
@@ -2176,6 +2465,13 @@
## Lexicon
+### Administrator
+
+Any human who can modify settings on the target resource.
+
+
+
+
### Arbitrary Code
Code provided by an external source that is
@@ -2237,6 +2533,14 @@
+### Code
+
+A set of deterministic instructions that a
+computer can execute to perform specific tasks.
+
+
+
+
### Change
Any alteration of the project&#39;s codebase,
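Review bot: `### Code` is inserted ahead of `### Change`, but `Change` sorts before `Code` in the alphabetical order the lexicon follows; move the new entry after `Change`. The four empty lines after the definition (also present after `Administrator`) look like an empty References block being emitted; trimming them in the generator would keep the output consistent with entries that do have references.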
@@ -2267,44 +2571,28 @@
-### Contributor
-
-Entities who commit code or documentation to
-the project. Code contributors include
-collaborators or external participants who
-submit changes.
+### Contributor License Agreement
-In the context of the Open Source Project
-Security Baseline, code contributors does not
-address non-code contributions such as
-designing, triaging, reviewing, or testing.
+A legal agreement used to assign some of a contributor&#39;s
+rights covered by copyright laws to a project. This is
+often used to enable a project to make future changes to
+a work&#39;s license without requiring the assent of every
+contributor.
-### Codebase
+### Contributor
-The collection of source code and related
-assets that make up the project. The codebase
-includes all files necessary to build and
-test the software. Lives in the repository,
-sometimes alongside documentation and CI/CD
-pipelines. The contents of the codebase are
-the primary deliverable in a release.
+Any entity that has made a change to the contents of a repository.
### Collaborator
-A user with a role on the project&#39;s version
-control system who can approve changes or
-manage the repository settings. Collaborators
-may have varying permission levels based on
-their role in the project. This does not
-include contributors whose changes only
-originate through a request from a repository
-fork.
+Any entity who has any level of permissions issued by administrators
+of the repository.
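Review bot: `### Contributor License Agreement` is placed before `### Contributor`, though `Contributor` sorts first; reorder the two. The new `Contributor` definition ("Any entity that has made a change to the contents of a repository") drops the removed note that non-code contributions are out of scope, so any control that uses [contributors] now covers a broader set; if the narrower scope is still intended, keep that sentence. `Collaborator` is now "any entity" holding permissions issued by administrators, while `Administrator` (added earlier in this diff) is restricted to humans; confirm that a bot account granted permissions is meant to count as a collaborator.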
@@ -2320,6 +2608,24 @@
+### Coordinated Vulnerability Disclosure
+
+A process of gathering information from vulnerability finders, coordinating
+the sharing of that information between relevant stakeholders, and
+disclosing the existence of software vulnerabilities and their mitigations
+to various stakeholders including the public.
+
+
+
+**References:**
+
+ - https://certcc.github.io/CERT-Guide-to-CVD/
+
+ - https://www.first.org/global/sigs/vulnerability-coordination/multiparty/guidelines-v1-1
+
+ - https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/about-coordinated-disclosure-of-security-vulnerabilities
+
+
### Cyber Resilience Act
Regulation (EU) 2024/2847 (Cyber Resilience Act, CRA).
@@ -2363,6 +2669,20 @@
+### Developer Certificate of Origin
+
+An assertion made by a contributor that they have the
+legal right to make a specific contribution to a
+project. This is often indicated by using the
+`--signoff` option to `git commit`.
+
+
+
+**References:**
+
+ - https://developercertificate.org/
+
+
### OpenEoX
An initiative aimed at standardizing the way
@@ -2420,6 +2740,14 @@
+### Maintainer
+
+A human collaborator who is able to authorize
+changes to the contents of a repository.
+
+
+
+
### Multi-factor Authentication
An authentication method that requires two or
@@ -2431,6 +2759,19 @@
+### NIST Special Publication 800-161 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
+
+Provides guidance to organizations on identifying,
+assessing, and mitigating cybersecurity risks throughout
+the supply chain at all levels of their organizations.
+
+
+
+**References:**
+
+ - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-upd1.pdf
+
+
### OpenChain
A Linux Foundation project that oversee two ISO/IEC standards to better understand and manage software supply chains.
@@ -2446,7 +2787,7 @@
### OpenCRE
-An OWASP project that converts cybersecurity requirements into a hierchical, machine-readable format.
+An OWASP project that converts cybersecurity requirements into a hierarchical, machine-readable format.
@@ -2457,6 +2798,35 @@
- https://zeljkoobrenovic.github.io/opencre-explorer/
+### OpenSSF Scorecard
+
+An OpenSSF project that helps users assesses open
+source projects for security risks through a series
+of automated checks. It was created by OSS developers
+to help improve the health of critical projects
+that the community depends on.
+
+
+
+**References:**
+
+ - https://github.com/ossf/scorecard
+
+ - https://scorecard.dev/
+
+
+### Payment Card Industry Data Security Standard
+
+PCI DSS provides a baseline of technical and operational
+requirements designed to protect payment account data.
+
+
+
+**References:**
+
+ - https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0_1.pdf
+
+
### Primary Branch
The main development branch in the version
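Review bot: grammar in the OpenSSF Scorecard entry: "helps users assesses open source projects" should read "helps users assess open source projects".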
@@ -2472,6 +2842,46 @@
+### Private Vulnerability Reporting
+
+The process of privately reporting a
+vulnerability to the project maintainers or
+security team before disclosing it publicly.
+This allows the project to address the issue
+before it becomes widely known.
+
+
+
+**References:**
+
+ - https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability
+
+
+### Proactive Software Supply Chain Risk Management Framework
+
+A holistic framework that an organization can use to
+proactively mitigate software supply chain risk through
+guided adoption of tasks; and that supports assessment,
+scoring, and comparison against industry peers,
+standards, and guidelines. The P-SSCRM contextualizes and
+quantifies the tasks contained across multiple standards
+and frameworks to those carried out by various kinds of organizations.
+
+
+
+**References:**
+
+ - https://arxiv.org/pdf/2404.12300
+
+
+### Project
+
+A group of people and resources that coordinate to
+produce a release.
+
+
+
+
### Project Documentation
Written materials related to the project,
@@ -2486,6 +2896,47 @@
+### Proactive Software Supply Chain Risk Management Framework
+
+A maturity model for software assurance that provides an
+effective and measurable way for all types of organizations
+to analyze and improve their software security posture.
+OWASP SAMM supports the complete software lifecycle, including
+development and acquisition, and is technology and process agnostic.
+It is intentionally built to be evolutive and risk-driven in nature.
+
+
+
+**References:**
+
+ - https://owaspsamm.org/model/
+
+
+### Sensitive Data
+
+Information that, if disclosed to unauthorized
+parties, would lead to unauthorized access,
+data exfiltration, financial loss, or other
+undesirable outcomes. This includes secrets
+(like passwords, access tokens, etc.),
+financial account information, personally
+identifiable information (PII), and data about
+embargoed vulnerabilities.
+
+
+
+
+### Sensitive Resource
+
+Resources that, if compromised, would provide a
+vector for further compromising software build
+and delivery or for disclosing sensitive data to
+unauthorized parties. This includes build systems,
+image repositories, and data storage.
+
+
+
+
### Software Provenance
Information about the origin and history of
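Review bot: the second `### Proactive Software Supply Chain Risk Management Framework` heading is a copy-paste error: its body describes OWASP SAMM (it says "OWASP SAMM supports the complete software lifecycle" and references owaspsamm.org), and a P-SSCRM entry with the correct body already exists in the previous hunk. Rename this heading to `OWASP Software Assurance Maturity Model`, matching the title used in the framework table, so that the `[SAMM]` link definition can point at a distinct anchor instead of the P-SSCRM one.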
@@ -2499,13 +2950,11 @@
### Release
-- _(verb)_ The process of making a version
-controlled bundle of assets available to
-users, such as through a package registry.
-- _(noun)_ A version-controlled bundle of
-code, documentation, and other assets made
-available to users. A release often includes
-release notes that describe the changes.
+- _(verb)_ The process of making a
+version-controlled bundle of assets available
+to users, such as through a package registry.
+- _(noun)_ A version-controlled bundle of
+assets made available to users.
@@ -2521,20 +2970,18 @@
### Repository
-A storage location managed by a version
-control system where the project&#39;s code,
-documentation, and other resources are
-stored. It tracks changes, manages
-collaborator permissions, and includes
-configuration options such as branch
-protection and access controls.
+A storage location managed by a version control
+system where the project&#39;s code, documentation,
+and other resources are stored.
### Secure Software Development Framework
-The NIST Secure Software Development Framework (SP 800-218) is a broadly reviewed and collaborative set of fundamental secure software development practices.
+The NIST Secure Software Development Framework (SP 800-218) is a
+broadly reviewed and collaborative set of fundamental secure software
+development practices.
@@ -2602,7 +3049,7 @@
### Supply-chain Levels for Software Artifacts
-An OpenSSF project that sets guidelines for securing software supply chain infrastrucutre and artifact integrity.
+An OpenSSF project that sets guidelines for securing software supply chain infrastructure and artifact integrity.
@@ -2653,13 +3100,23 @@
+### User
+
+A human making use of project resources, such as
+the software, documentation, or other community
+resources. This includes both end-users and
+contributors.
+
+
+
+
### Version Control System
-A tool that tracks changes to files over time
-and facilitates collaboration among
-contributors. Examples of version control
-systems include Git, Subversion, and
-Mercurial.
+A tool that facilitates collaboration among
+contributors by tracking changes, managing
+collaborator permissions, and providing configuration
+options. Examples of version control systems include
+Git, Subversion, and Mercurial.
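Review bot: `User` is defined as "A human ... This includes both end-users and contributors", but `Contributor` earlier in this diff is "Any entity", which includes non-human accounts; either say that User covers human contributors only or align the two definitions, since OSPS-AC-01.01 and other controls hinge on which accounts a [user] denotes.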
@@ -2675,6 +3132,12 @@
vulnerabilities.
+
+**References:**
+
+ - https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability
+
+
---
## Acknowledgments
@@ -2687,6 +3150,7 @@
- Fintech Open Source Foundation (FINOS)
- [OSPS Baseline contributors](https://github.com/ossf/security-baseline/graphs/contributors)
+[Administrator]: #administrator
[Arbitrary Code]: #arbitrary-code
[Attack Surface Analysis]: #attack-surface-analysis
[Automated Test Suite]: #automated-test-suite
@@ -2695,18 +3159,21 @@
[OpenSSF Best Practices Badge]: #best-practices-badge
[Build and Release Pipeline]: #build-and-release-pipeline
[Build and Release Pipelines]: #build-and-release-pipeline
+[Code]: #code
[Change]: #change
[changes]: #change
[CI/CD Pipeline]: #ci/cd-pipeline
[CI/CD pipelines]: #ci/cd-pipeline
+[Contributor License Agreement]: #contributor-license-agreement
+[CLA]: #contributor-license-agreement
[Contributor]: #contributor
[contributors]: #contributor
-[Codebase]: #codebase
-[codebases]: #codebase
[Collaborator]: #collaborator
[collaborators]: #collaborator
[Commit]: #commit
[commits]: #commit
+[Coordinated Vulnerability Disclosure]: #coordinated-vulnerability-disclosure
+[CVD]: #coordinated-vulnerability-disclosure
[Cyber Resilience Act]: #cyber-resilience-act
[CRA]: #cyber-resilience-act
[Cybersecurity Framework]: #cybersecurity-framework
@@ -2714,6 +3181,8 @@
[NIST Cybersecurity Framework]: #cybersecurity-framework
[Defect]: #defect
[defects]: #defect
+[Developer Certificate of Origin]: #developer-certificate-of-origin
+[DCO]: #developer-certificate-of-origin
[OpenEoX]: #openeox
[Exploitable Vulnerabilities]: #exploitable-vulnerabilities
[Exploitable Vulnerability]: #exploitable-vulnerabilities
@@ -2721,16 +3190,34 @@
[licenses]: #license
[Known Vulnerabilities]: #known-vulnerabilities
[Known Vulnerability]: #known-vulnerabilities
+[Maintainer]: #maintainer
[Multi-factor Authentication]: #multi-factor-authentication
[MFA]: #multi-factor-authentication
+[NIST Special Publication 800-161 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations]: #nist-special-publication-800-161---cybersecurity-supply-chain-risk-management-practices-for-systems-and-organizations
+[800-161]: #nist-special-publication-800-161---cybersecurity-supply-chain-risk-management-practices-for-systems-and-organizations
[OpenChain]: #openchain
-[OC]: #openchain
+[18974]: #openchain
[ISO/IEC 5230]: #openchain
[ISO/IEC 18974]: #openchain
[OpenCRE]: #opencre
-[OCRE]: #opencre
+[OpenCRE]: #opencre
+[OpenSSF Scorecard]: #openssf-scorecard
+[ScrCrd]: #openssf-scorecard
+[Payment Card Industry Data Security Standard]: #payment-card-industry-data-security-standard
+[PCIDSS]: #payment-card-industry-data-security-standard
[Primary Branch]: #primary-branch
+[Private Vulnerability Reporting]: #private-vulnerability-reporting
+[Private Vulnerability Disclosure]: #private-vulnerability-reporting
+[Private Security Vulnerability Reporting]: #private-vulnerability-reporting
+[Proactive Software Supply Chain Risk Management Framework]: #proactive-software-supply-chain-risk-management-framework
+[P-SSCRM]: #proactive-software-supply-chain-risk-management-framework
+[Project]: #project
[Project Documentation]: #project-documentation
+[Proactive Software Supply Chain Risk Management Framework]: #proactive-software-supply-chain-risk-management-framework
+[SAMM]: #proactive-software-supply-chain-risk-management-framework
+[Sensitive Data]: #sensitive-data
+[Sensitive Resource]: #sensitive-resource
+[sensitive resources]: #sensitive-resource
[Software Provenance]: #software-provenance
[Provenance]: #software-provenance
[Release]: #release
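Review bot: `[OpenCRE]: #opencre` is now defined twice, because the replaced `[OCRE]` line became a copy of the line directly above it; drop one. `[Proactive Software Supply Chain Risk Management Framework]` is also defined twice, and `[SAMM]` points at the P-SSCRM anchor rather than a SAMM entry, which follows from the mis-titled lexicon heading in the earlier hunk; once that heading is renamed, point `[SAMM]` at the new anchor and remove the duplicate. `[ScrCrd]` is defined here but the mapping blocks use `**Scorecard**` unlinked, so add a `[Scorecard]` definition or use the existing name in the mappings.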
@@ -2758,7 +3245,10 @@
[Supply-chain Levels for Software Artifacts]: #supply-chain-levels-for-software-artifacts
[Threat Modeling]: #threat-modeling
[Version Identifier]: #version-identifier
+[User]: #user
+[Person]: #user
+[users]: #user
[Version Control System]: #version-control-system
[VCS]: #version-control-system
[Vulnerability Reporting]: #vulnerability-reporting
-[Coordinated Vulnerability Reporting]: #vulnerability-reporting
+[Coordinated Vulnerability Disclosure]: #vulnerability-reporting
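Review bot: `[Coordinated Vulnerability Disclosure]: #vulnerability-reporting` conflicts with the definition added earlier in this diff that points the same label at `#coordinated-vulnerability-disclosure`; in CommonMark the first definition wins, so this line is dead and misleading. Remove it, or give it a distinct label if a second link to the Vulnerability Reporting entry is wanted.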