Positioning SIG: Assess additional frameworks in relation to SLSA

[melba-lopez]

Objective: Assess additional frameworks raised in the 7/26 SLSA Positioning SIG meeting.

Outcomes:

• Identify common criteria for assessing various frameworks
• Assessing the following frameworks/standards in relation to SLSA in addition to NIST SSDF v1.1 | | NIST 800-53r5 | EO14028 | NIST SP800-161r1
  - [ ] SLSA vs SCITT (formerly SCIM)
  - [ ] SLSA vs SPDX efforts (brought up by Brandon in last SLSA bi-weekly meeting)
  - [ ] SLSA vs CIS Supply Chain Security Benchmark
  - [ ] SLSA vs. CD foundation architecture
  - [ ] SLSA vs. CNCF Supply Chain Security Best Practices/Secure Software Factory Ref Arch
  - [ ] SLSA vs SCVS

[melba-lopez]

(Brandon) Define the objectives of evaluating

Should SLSA increase/decrease scope?
How does SLSA work with other frameworks? (informing/assisting organizations on what frameworks to choose)
Is there overlap in SLSA with other frameworks?
Is there deficiencies/out of scope SLSA items with relation to other frameworks?
Map to the specs (SLSA spec - source l1 = SSDF control PW1.X)
Capture use cases/personas to address target audience and how they would use SLSA vs other frameworks.