
Programmatic Help with Standardization #337

Open
hepwori opened this issue May 28, 2024 · 1 comment
Labels: Content (Updates/additions to TAC content/process. Must include a changelog entry. Needs 3 approvals.), documentation (Improvements or additions to documentation), enhancement (New feature or request)

Comments

@hepwori

hepwori commented May 28, 2024

A number of WGs have interest in formal standardization efforts.

One good example reviewed in the TAC call earlier today was S2C2F:

  1. S2C2F is working with LF's OpenChain on alignment within ISO 18974.
  2. S2C2F itself would like to become an ISO standard, and is starting to engage LF's JDF (https://jointdevelopment.org/) to work through the PAS process.

De jure standardization is complex, nuanced, political, specialized, and time consuming. Rather than requiring each WG, and OpenSSF collaborators in general, to become familiar with operating ISO's machinery — the TAC might instead explore setting up some kind of advisory or consultative center of expertise for WGs to leverage.

As a WG chair I'd love to be able to lean on such a group to navigate the process end to end. In this model, SCI WG would bring supply chain expertise, the standards task force would bring standardization expertise, and between us we'd land some supply chain standards.

@SecurityCRob added the documentation, enhancement and Content labels on Jun 5, 2024

@sevansdell (Contributor)

sevansdell commented Jun 6, 2024

Standards get used by regulators to drive change. Relationships with public policy teams and regulators to drive better security through standards are part of the OpenSSF Mission, Vision, Values https://openssf.org/about/ in the Strategy section: "Advocacy and policy: Advocate for policies and practices that promote OSS security, working with governments, industry bodies, and other relevant organizations." In our last TAC meeting, I recall hearing the GM articulate that S2C2F becoming a standard could help with the implementation of the Cyber Resiliency Act (CRA).

My question is if all WGs could leverage the LF JDF, and when one-time technical writing needs come up during that process, do individual TI funding requests? Perhaps TAC could take the action item to document that process out on our github as a value for Incubating and Graduated projects?
