For 2023, the staff team is going to focus its work on two aspects of the OpenSSF: the foundation’s inner workings and efficiencies, and a higher level of work that affects the goals it would like to achieve as the OpenSSF evolves.
Looking inward, we at the OpenSSF are struggling on many fronts, including budgeting, Governing Board communications, securing financial sources, general team cohesion, and other aspects of a healthy, smooth-running organization. We need to make the OpenSSF structurally sound and set up for the future.
Many issues around decision making have crept into the various processes and layers of the foundation. We see this in proposals from working groups that wait on the TAC’s review and participation. We also see it in budget and finance decisions that need to be made around events, sponsoring, and funding. We need to create the right organizational structure so that the right decision makers have the right information, well prioritized and delivered in a timely manner. Good decisions must be clearly founded, documented, communicated to stakeholders, and made real through operational behavior.
- KR-1: The TAC has effective program management support, and is efficient with its processes
- KR-2: The DevRel, B&F, and Governing committees are meeting regularly, with efficient agendas and output (80%+ positive Customer Satisfaction (CSAT) scores).
- KR-3: Each functional body (SIGs, WGs, Committees) has a clear mission, clear membership, and understanding of how to make decisions (including when to bring issues up to the TAC)
- KR-4: The OpenSSF staff understands where its hiring gaps are, and has a well-functioning pipeline in place before 2024.
- KR-5: The Governing Board (GB) makes effective decisions in each GB meeting, followed by clear communication to TAC and relevant stakeholders. Decisions are tracked, and the TAC always receives public GB decisions.
The OpenSSF has 31 GB members, over 100 corporate member companies, ~200 contributors, and vast experience and commitment to a wide array of possible solutions to securing the open source supply chain. In order to make excellent use of our limited heartbeats, attention, and money, we must have a strong direction. This direction must be easily communicated to a wide set of audiences that number in the millions of human beings. It must help us see where we build, where we adopt, and where we partner with other organizations pursuing aligned global objectives (such as the CNCF, CDF, OWASP, Eclipse, for-profit companies, training organizations, and NGOs). We can differentiate ourselves by building useful software that fills missing links in secure toolchains, and by operating to fund government and corporate-sponsored plans through collective action in open source communities.
- KR-1: The Sterling Toolchain (STC) is strongly defined, endorsed by the OpenSSF TAC, the staff and its members.
- KR-2: (to be re-scoped once KR-1 is done) The STC is usable by OSS maintainers for at least 1 language community and demonstrates measurable improvement in security
- KR-3: We have a standard of assessment for “A-P-C-A” or awareness, perception, consideration, and adoption of these security advances in target language communities.
- KR-1: An accurate and honest report on the progress of the various MP streams is presented quarterly to the GB as input to their planning, pledges, and contribution.
- KR-2: The Mobilization Plan is kept up to date and has a clear path forward for 2024+, with the governance committee involved in that process.
- KR-3: For each MP stream that is resourced and launched, plans are in place, approved, and actively developed within the OpenSSF portfolio, with the right prioritization.
Without a strong direction, a strong brand is unimportant. Building on clarity of mission to secure open source software repositories through the Sterling Toolchain project (STC), and “big tent” alignment to multiple funding sources and stakeholders through the Mobilization Plan (MP), the OpenSSF can establish a brand as an effective platform for organizing and communicating the work of the open source security movement. If we are exceptionally successful, related foundations and projects will move closer to the OpenSSF as the center of momentum for the worldwide movement.
- KR-1: The Governing Board, TAC, and Committees are well operated, with pre-reads provided early and programmatic support that elevates members’ efficiency.
- KR-2: Events we attend and organize are planned according to a well-defined process driven by the Marketing Committee and leveraging many member organizations
- KR-3: Marketing processes are outcome-oriented, understood, and easy to utilize
- KR-4: Intellectual property rights are well-managed for visibility, throughput, and defense of contributors, members, and users
- KR-5: Brand identity is clear, published, and upheld. Existing materials that do not reflect new guidelines are updated.
- KR-6: The process for creating a new OpenSSF project or SIG (whether or not it’s based on existing work) is clearly documented and applied as documented.
- KR-1: Membership pipeline development and conversion is predictable, including conversion of Mobilization Plan pledges into impact
- KR-2: Excellent outcomes from OpenSSF-branded events, measured by brand awareness, increased community engagement, and increased membership.
- KR-3: Regular and consistent communication about the foundation and its projects is driven by measurable target outcomes for awareness and perception.
- KR-4: The Voice of the Customer (end-user organizations, including enterprises and governments) is elevated through the OpenSSF as a communication platform.