Proposed Baseline Maintenance Process #86

Closed
@SecurityCRob

Description

As we start implementing the "1.1" baseline criteria with our pilot projects, we should spend some time thinking about how we will update and maintain the baseline criteria going forward. I propose the following process (to be added as an md file in the repo once the text is agreed upon):

1.) Normal text fixes to the criteria will be accepted via PR and reviewed by the baseline project maintainers. Allowed changes are corrections to spelling/typos, grammar corrections, or enhancements to the supplementary text supporting the criteria, including Objective, Implementation, Control Mappings, and Scorecard/Insights values. At least two project maintainers must review and approve these changes.
2.) Substantive changes to Criteria, including changes to text that alter the originally stated meaning, new Criteria proposals, or removal of Criteria, will be documented in GitHub PR(s) and reviewed annually by the Baseline project maintainers. These changes may reflect changes to global cybersecurity regulations and frameworks or changes in norms around application/project security practices. Any such substantive changes must be approved by a majority of the project's maintainers.
3.) Any changes to the Baseline will be reflected within the Compliance Matrix, with new requirements flagged where the Baseline Criteria are appropriate.
4.) Downstream stakeholders will be notified via the project's mailing list of the changes and updates.

Labels: documentation, enhancement
