Governance & Community

OpenChain Capability Model – moving beyond compliance

Session Abstract

We introduce a publicly-available capability model to assess management of FOSS compliance risk. Developed in conjunction with both the OpenChain project and active FOSS-using businesses, this model, based on ISO 5230:2020, provides an intuitive and practical framework for assessing FOSS risk, and developing a roadmap to improve it.

Session Description

The Education Workgroup of the Linux Foundation’s OpenChain project has developed a capability model that enables an organisation’s leadership to assess how good they are at managing FOSS risk and compliance across complex supply chains. This model was developed to help people and organisations share and learn from best practice techniques rapidly.

It enables organisations to take a quick snapshot across all their open source operations and decide where they need to focus next to strengthen their governance and capabilities. It can be used to develop a roadmap for improvements. It is based upon the industry-proven ISO standard 5230:2020 (the OpenChain standard for a quality open source compliance programme).

The model looks at three main layers of organisational capability: governance and strategy, enablement and performance management, and technical delivery. The model has been used in practice with large and small organisations, and tested across a wide range of technologies and open source projects.

This talk introduces version 1.0 of the model, which is free to use, modify, remix and adopt and is released under a CC0 licence. While the model is already proving useful to the businesses that adopted it during the testing phase, we have a number of ideas about how it can be improved and extended.

Accordingly, we are looking for consultation and contribution from others. We are seeking wider collaboration to develop focussed heat maps that demonstrate how to solve particular challenges: for example AIBOMs, CRA compliance, security and vulnerability management and assessment, and toolchain automation.

Auditorium
10 Mar 2025
15:30 - 16:00
Talk