# Welcome to Version 3 of the OpenChain Capability Model

## Introduction

This capability model refers to ISO 5230:2020, the international standard for open source licence compliance. It was developed by Orcro Limited as a simplified tool to help organizations assess, and develop a roadmap for, their open source licence compliance capabilities.

In this model, "OpenChain" refers to ISO 5230:2020, and not to any other OpenChain standards or projects. The "Specification" refers to the corresponding specification.

## The Model - Structure and Layout

See the tab "Capability Model". Like the OpenChain Template Open Source Policy, this model adopts the terminology, layout and structure of the OpenChain Specification.

- Column A contains the paragraph numbers from the OpenChain specification published as ISO 5230:2020.
- Column B contains the complete text of the specification, tabulated against the relevant paragraph numbers.
- Column C indicates the category the paragraph falls into: H = heading, RQ = requirement, RT = rationale, VM = verification materials.
- Columns D-J contain the text of the capability model, describing scenarios against each VM paragraph in the OpenChain specification.

## The Purpose of the Capability Model

OpenChain's role is to increase trust in the supply chain. Trust is the counterpart of risk: you trust someone because you perceive their activities to be low risk, because they take verifiable steps to lower risk. Accordingly, OpenChain can also be used as a risk management tool. The capability model is intended to allow organizations to assess their capabilities, and hence risk, against the requirements of the OpenChain Specification in a more granular way than a simple binary compliant/noncompliant assessment. This enables organizations to assess their capabilities (and hence risk) more finely, and to develop a roadmap to help them increase their levels of capability, and therefore trust, and decrease risk.

The OpenChain Specification itself contains criteria for assessing compliance: the verification materials paragraphs ("VM", in column C). The Capability Model provides a more finely graduated assessment of each of the Verification Materials requirements by providing a scale of capability, from CAP0 (which means that the organization has not considered this capability at all, either consciously or as part of a related activity), through to CAP5, which is the maximum score, suggesting that an organization fulfils that capability in an actively measured, managed and optimized way, in alignment with that organization's overall strategies. CAP3 is the point at which an organization can validly claim OpenChain conformance.

It is important to realize that not every organization needs to strive to attain CAP5 across all OpenChain requirements. There are sound business and organizational reasons why an organization may not want to exceed CAP3 (the minimum level of OpenChain conformance) across all requirements. The way in which an organization uses this tool, and the goals which it wishes to attain, will vary from organization to organization.

## The Capability Model Text

Against each requirement, there is model text relating to each potential capability level, from CAP0 to CAP5. To use the tool, consider, in respect of your organization or compliance program, which of the levels of CAP text most closely describes your organization or program. If you meet CAP3 in all categories, then congratulations! Your program/organization will be able to self-certify as OpenChain conformant.

The text is not definitive, and is intended as a guide. Some of the cells contain text in red, which is intended to provide an example of what an organization might be doing in order to attain that level of conformance, but, as ever with OpenChain, this is not intended to be an instruction on how exactly to attain that level of capability.

The CAP levels are a continuum. You may find it easier to assess your organization against whole-number CAP levels, but it can be useful to consider intermediate stages. One example is CAP2.5, which shows a program which has been defined but not yet implemented. This is provided in the Model as an example. We call this "OpenChain Readiness".
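The assessment procedure above, as an added worked example (not part of the Capability Model itself): it scores a filled-in sheet exported to CSV, counting only VM rows, and reports whether the lowest CAP level reaches CAP3 (self-certifiable) or CAP2.5 (OpenChain Readiness), together with the VM paragraphs that still sit below CAP3 as a roadmap. The `cap` column holding the organization's chosen level, the CSV layout and the sample paragraph numbers and scores are assumptions of this example; treating "all VM rows at CAP2.5 or above" as Readiness is this example's reading of the text.

```python
"""Score a filled-in OpenChain Capability Model sheet (added example).

Assumes a CSV export with the columns described in the sheet: column A
= paragraph number, column C = category (H, RQ, RT, VM), plus an assumed
extra column 'cap' holding the CAP level chosen for each VM row.
"""
import csv
import io

CONFORMANCE_LEVEL = 3.0   # CAP3: may self-certify as OpenChain conformant
READINESS_LEVEL = 2.5     # CAP2.5: programme defined, not yet implemented

# Constructed sample export; paragraph numbers and scores are illustrative.
SAMPLE_CSV = """paragraph,category,cap
3.1,H,
3.1.1,RQ,
3.1.1.1,VM,4
3.1.1.2,VM,3
3.1.2,RT,
3.1.2.1,VM,2.5
3.2.1.1,VM,1
"""

def load_vm_scores(csv_text):
    """Return {paragraph: cap} for VM rows only; H/RQ/RT rows carry no score."""
    scores = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["category"].strip() != "VM":
            continue
        # A blank cell means the capability was never considered: CAP0.
        cap = float(row["cap"]) if row["cap"].strip() else 0.0
        if not 0.0 <= cap <= 5.0:
            raise ValueError(f"{row['paragraph']}: CAP level {cap} outside 0-5")
        scores[row["paragraph"].strip()] = cap
    return scores

def assess(scores):
    """Classify the programme by its weakest VM row and list the rows below CAP3."""
    if not scores:
        raise ValueError("no VM rows scored")
    lowest = min(scores.values())
    if lowest >= CONFORMANCE_LEVEL:
        status = "conformant"
    elif lowest >= READINESS_LEVEL:
        status = "ready"
    else:
        status = "not ready"
    roadmap = sorted(p for p, c in scores.items() if c < CONFORMANCE_LEVEL)
    return {"status": status, "lowest": lowest, "roadmap": roadmap}

if __name__ == "__main__":
    print(assess(load_vm_scores(SAMPLE_CSV)))
```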
## Roadmap

The Capability Model is currently open for public consultation. Please contact andrew.katz@orcro.co.uk with any questions, comments or suggestions you may have, or raise any issues on GitHub (URL to be provided...).

We plan a process of continuous improvement, with a series of public awareness events taking place at or around FOSDEM, FOSS Backstage, UK State of Open and the Open Compliance Summit in Japan in December 2025.

The Capability Model is also under discussion as part of the OpenChain Project's Education and Specification activities, so please feel free to join the conversation there. You can find relevant meetings at https://openchainproject.org/participate.

If it is found useful, we will continue to develop the Capability Model to cover other OpenChain standards and activities, such as OpenChain ISO/IEC 18974 (the industry standard for open source security assurance programs). We are also working on a number of statistical parameters which can be used to parameterize the relative importance of each capability, both in comparison with other capabilities and to help determine how much effort is generally required to move a particular requirement from its current CAP level to the next.

## Credits and Licensing

The model was developed by Orcro Limited (orcro.co.uk), based on a comprehensive capability model created by Stephen Pollard and refined by Andrew Katz with the assistance of Alex Murphy. A great deal of fine tuning and additional work was carried out by Sascha Pudenz and David Patrick Adam of Deloitte, as well as Martin Yagi and Jari Koivisto. Thanks also to the participants of the OpenChain Education Workgroup, who have provided extremely helpful commentary and input, and to Shane Coughlan of the OpenChain project.

The Model is licensed under CC0, but we request (but do not require) that the above credits are retained in any redistribution.