[Technical Initiative Funding Request] - S2C2F PAS Submission Funding Request

[camaleon2016]

Problem Statement

S2C2F requires 4k in funding to pay the JDF contracted ISO Editor to help form the correct language in the S2C2F Specification in preparation for ISO PAS submission.

Who does this affect?

Without this necessary step the spec will not be in proper form for PAS submission and will not be balloted.

Have there been previous attempts to resolve the problem?

No. S2C2F is requesting funding through the OpenSSF for the first time and as a first course of action.

Why should it be tackled now and by this TI?

S2C2F Project is ready and has been accepted by the JDF to begin the process for PAS submission

Give an idea of what is required to make the funding initiative happen

Funding will cover the JDF contracted ISO Editors work in total.

What is going to be needed to deliver this funding initiative?

The JDF contracted ISO Editor is all that is required.

Are there tools or tech that still need to be produced to facilitate the funding initiative?

NO.

Give a summary of the requirements that contextualize the costs of the funding initiative

4k will cover the JDF contracted ISO Editor requested 3-5k requirement for proper formatting of the S2C2F spec into a ballotable ISO Standard

Who is responsible for doing the work of this funding initiative?

JDF contracted ISO Editor. Contact in the JDF is Seth Newbury seth@jointdevelopment.org

Who is accountable for doing the work of this funding initiative?

Jay White, Adrian Diglio, Tom Bedford

If the responsible or accountable parties are no longer available, what is the backup contact or plan?

JDF - Seth Newbury, Jory Burson

Which technical initiative will this funding initiative be associated with, and will it report to which WG or project?

S2C2F Project under the SUpply Chain Integrity WG

What license is this funding initiative being used under?

Community Specification License 1.0

Code of Conduct

• I agree to follow the OpenSSF's Code of Conduct

List the major milestones by date and identify the overall timeline within which the technical initiative plans to accomplish their goals. Any payments for services, sponsorships, etc., will require LF Legal and Financial review.

Balloting is currently TBD, but we are anticipating finalizing the process by Jan 2025. 4k in funding will only be used to pay the JDF contracted ISO Editor to prepare the spec for entering the PAS Balloting process.

If this is a request for funding to issue a contract, then OpenSSF will issue that contract. Please provide a Statement of Work (SOW) that we may review. Any contracting action will take 4-6 weeks to issue.

JDF issues the contract.

[SecurityCRob]

The TAC will review this at our next meeting (28May). I encourage everyone to review & comment beforehand

[SecurityCRob]

@camaleon2016 @adriandiglio can you add a bit of context here as to why making s2c2f an ISO standard is beneficial. What will achieving that enable for the group and consumers of the framework? If this is NOT funded, what is at risk?

[camaleon2016]

We'll add more context today. Jay Get Outlook for Android<https://aka.ms/AAb9ysg>

…

________________________________ From: CRob ***@***.***> Sent: Friday, May 17, 2024 5:51:39 AM To: ossf/tac ***@***.***> Cc: Mention ***@***.***>; Author ***@***.***> Subject: Re: [ossf/tac] S2C2F PAS Submission Funding Request (Issue #328) @camaleon2016<https://github.com/camaleon2016> @adriandiglio<https://github.com/adriandiglio> can you add a bit of context here as to why making s2c2f an IOS standard is beneficial. What will achieving that enable for the group and consumers of the framework? If this is NOT funded, what is at risk? — Reply to this email directly, view it on GitHub<#328 (comment)> or unsubscribe<https://github.com/notifications/unsubscribe-auth/AYSMSZVKFOE34MYHY5IH6BTZCX4NZBFKMF2HI4TJMJ2XIZLTS6BKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDUOJ2WLJDOMFWWLLTXMF2GG2C7MFRXI2LWNF2HTAVFOZQWY5LFUVUXG43VMWSG4YLNMWVXI2DSMVQWIX3UPFYGLAVFOZQWY5LFVI2DQOBUGQ2TMNBUHCSG4YLNMWUWQYLTL5WGCYTFNSBKK5TBNR2WLKRUHA4DINJQHA3DONNENZQW2ZNJNBQXGX3MMFRGK3ECUV3GC3DVMWVDKOBXGMZDSNZUHEZ2I3TBNVS2S2DBONPWYYLCMVWIFJLWMFWHKZNKGY3DKNZSHE4DSNJSURXGC3LFVFUGC427NRQWEZLMVRZXKYTKMVRXIX3UPFYGLLCJONZXKZKDN5WW2ZLOOSTHI33QNFRXHFUCUR2HS4DFVJZGK4DPONUXI33SPGSXMYLMOVS2SMRXHAYTQNJZHAZYFJDUPFYGLJLJONZXKZNFOZQWY5LFVIZDEOJYG42DMOBZG2BKI5DZOBS2K3DBMJSWZJLWMFWHKZNKGQ4DQNBUGU3DINBYQKSHI6LQMWSWYYLCMVWKK5TBNR2WLKRUHA4DINJQHA3DONMCUR2HS4DFUVWGCYTFNSSXMYLMOVS2UNJYG4ZTEOJXGQ4THAVEOR4XAZNFNRQWEZLMUV3GC3DVMWVDMNRVG4ZDSOBZGUZKO5DSNFTWOZLSUZRXEZLBORSQ>. You are receiving this email because you were mentioned. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[torgo]

This seems like a reasonable use of TAC funding to me and in line with our discussions. 👍🏻

[steiza]

I would love for @camaleon2016 / @omkhar to summarize here what they mentioned at today's TAC meeting about how ISO standardization helps with OpenSSF's engagement with EU public sector on the Cyber Resilience Act (and possibly other public / private sector conversations?)

That said, this seems like a good way for the OpenSSF to start exploring turning community specifications into standards, and seeing what opportunities that unlocks. +1 from me.

[omkhar]

@steiza sure things!

In standards land, there are broadly two kinds of standards:
( from our good friend Wikipedia)

In law and government, de jure (/deɪ ˈdʒʊəri, di -, - ˈjʊər-/, Latin: [deː ˈjuːre]; lit. 'by law') describes practices that are legally recognized, regardless of whether the practice exists in reality.[1] In contrast, de facto ('in fact') describes situations that exist in reality, even if not formally recognized.

De jure standards typically bear a mark or recognition that the standard has been through an official standardization process. Ex: ISO/IEC 27001:2013 went through the JTC1 standardization process. De facto standards (S2C2F as an example)
don't have a current mark nor has it been through the standardization process, even though it may be used extensively.

The goal of putting a de facto standard through the de jure process is two fold:

1. When recognized as a de jure standard, we can more easily apply it to regulatory or governance standardization efforts like the EU CRA. If the standards body see that S2C2F is an ISO recognized standard, it makes it much easier to adopt.
2. Commercially, when transacting with governments or regulatory agencies, declaring that a particular product/procedure/method is conformant with an international standard allows you to attest conformance with a requirement.

Overall, I think it's a Good Thing (tm) and something which we may wish to consider for other OpenSSF work (ex SLSA) if the TAC should choose.

[SecurityCRob]

Is this ask for $4000 or "$3000-$5000"? or both?

[camaleon2016]

3k-5k. 4k was in case the number had to be static. Get Outlook for Android<https://aka.ms/AAb9ysg>

…

________________________________ From: CRob ***@***.***> Sent: Thursday, June 6, 2024 6:48:26 AM To: ossf/tac ***@***.***> Cc: Author ***@***.***>; Comment ***@***.***> Subject: Re: [ossf/tac] [Technical Initiative Funding Request] - S2C2F PAS Submission Funding Request (Issue #328) Is this ask for $4000 or "$3000-$5000"? or both? — Reply to this email directly, view it on GitHub<#328 (comment)> or unsubscribe<https://github.com/notifications/unsubscribe-auth/AYSMSZUJGPR56DHARGTP2YDZGBSCXBFKMF2HI4TJMJ2XIZLTS6BKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDUOJ2WLJDOMFWWLLTXMF2GG2C7MFRXI2LWNF2HTAVFOZQWY5LFUVUXG43VMWSG4YLNMWVXI2DSMVQWIX3UPFYGLAVFOZQWY5LFVI2DQOBUGQ2TMNBUHCSG4YLNMWUWQYLTL5WGCYTFNSBKK5TBNR2WLKRUHA4DINJQHA3DONNENZQW2ZNJNBQXGX3MMFRGK3ECUV3GC3DVMWVDKOBXGMZDSNZUHEZ2I3TBNVS2S2DBONPWYYLCMVWIFJLWMFWHKZNKGY3DKNZSHE4DSNJSURXGC3LFVFUGC427NRQWEZLMVRZXKYTKMVRXIX3UPFYGLLCJONZXKZKDN5WW2ZLOOSTHI33QNFRXHFUCUR2HS4DFVJZGK4DPONUXI33SPGSXMYLMOVS2SMRXHAYTQNJZHAZYFJDUPFYGLJLJONZXKZNFOZQWY5LFVIZDEOJYG42DMOBZG2BKI5DZOBS2K3DBMJSWZJLWMFWHKZNKGQ4DQNBUGU3DINBYQKSHI6LQMWSWYYLCMVWKK5TBNR2WLKRUHA4DINJQHA3DONMCUR2HS4DFUVWGCYTFNSSXMYLMOVS2UNJYG4ZTEOJXGQ4THAVEOR4XAZNFNRQWEZLMUV3GC3DVMWVDMNRVG4ZDSOBZGUZKO5DSNFTWOZLSUZRXEZLBORSQ>. You are receiving this email because you authored the thread. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[sevansdell]

I will be out for the TAC meeting, but don't have any additional questions, and support this TI funding request. If this comment of support could be counted as a vote if needed, please use it.

[marcelamelara]

Having this reviewed this ask, it's not a huge $ amount for an outcome that seems overall beneficial and may pave the trail for other OpenSSF specs. Can @camaleon2016 or @adriandiglio please comment on the impact to the project if the funding request isn't approved in Q2?

[marcelamelara]

Since we're getting close to the decision deadline, and I'm still on the fence about supporting this request in Q2, my vote is to defer this request.