...

There are 3 levels of CII badging:

  • Passing
  • Silver
  • Gold

For ONAP, 4 levels of compliance have been defined:

...

Level: Passing
Example details/criteria:
  • The project website MUST succinctly describe what the software does (what problem does it solve?).
  • The project MUST use at least one automated test suite that is publicly released as FLOSS (this test suite may be maintained as a separate FLOSS project).

Level: Silver
Example details/criteria:
  • The project MUST document what the user can and cannot expect in terms of security from the software produced by the project.
  • The project MUST identify the security requirements that the software is intended to meet and an assurance case that justifies why these requirements are met. The assurance case MUST include a description of the threat model, clear identification of trust boundaries, and evidence that common security weaknesses have been countered.

Level: Gold
Example details/criteria:
  • The project MUST have at least 50% of all proposed modifications reviewed before release by a person other than the author, to determine if the modification is worthwhile and free of known issues that would argue against its inclusion.

Badge-specific adherence requirements

Each badging level is associated with a set of criteria, and the criteria vary in strength: some are absolute requirements, while others are only recommendations.

The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY" in the badging guideline documents are to be interpreted as described in RFC 2119. The additional key word "SUGGESTED" is defined by the badging criteria themselves, as described below.

  • The term MUST is an absolute requirement, and MUST NOT is an absolute prohibition.
  • The term SHOULD indicates a criterion that is normally required, but there may exist valid reasons in particular circumstances to ignore it. However, the full implications must be understood and carefully weighed before choosing a different course.
  • The term SUGGESTED is used instead of SHOULD when the criterion must be considered, but valid reasons to not do so are even more common than for SHOULD.
  • Often a criterion is stated as something that SHOULD be done, or is SUGGESTED, because it may be difficult to implement or the costs to do so may be high.
  • The term MAY provides one way something can be done, e.g., to make it clear that the described implementation is acceptable.
  • To obtain a badge, all MUST and MUST NOT criteria must be met, all SHOULD criteria must be met OR the rationale for not implementing the criterion must be documented, and all SUGGESTED criteria have to be considered (rated as met or unmet). In some cases a URL may be required as part of the criterion's justification.

R2 Beijing Requirements

For the Beijing release, the compliance requirement is Level 1: at least 70% of the projects must have achieved the Passing badge, and every project that has not yet achieved it must be more than 80% of the way towards Passing.

...