Description
As we start implementing the "1.1" baseline criteria with our pilot projects, we should spend some time thinking about how we will update and maintain the baseline criteria going forward. I propose the following process (to be added as an md file in the repo once the text is agreed upon):
1.) Normal text fixes to the criteria will be accepted via PR and reviewed by the baseline project maintainers. Allowed changes are corrections to spelling/typos, grammar corrections, or enhancements to the supplementary text supporting the criteria, including the Objective, Implementation, Control Mappings, and Scorecard/Insights values. At least two project maintainers must review and approve these changes.
2.) Substantive changes to Criteria, including changes to text that alter the originally stated meaning, new Criteria proposals, or removal of Criteria, will be documented in GitHub PR(s) and reviewed annually by the Baseline project maintainers. These changes may reflect changes to global cybersecurity regulations and frameworks or changes in norms around application/project security practices. Any such substantive changes must be approved by a majority of the project's maintainers.
3.) Any changes to the Baseline will be reflected within the Compliance Matrix, with new requirements flagged where the Baseline Criteria are appropriate.
4.) Downstream stakeholders will be notified of the changes and updates via the project's mailing list.