Requirements
G1: Know Your FOSS Responsibilities
1.1 A written FOSS policy exists that governs FOSS license compliance of the Supplied Software distribution. The policy must be internally communicated.
Verification Artifact(s):
☐ 1.1.1 A documented FOSS policy exists.
☐ 1.1.2 A documented procedure exists that makes all Software Staff aware of the existence of the FOSS policy (e.g., via training, internal wiki, or other practical communication method).
Rationale:
Ensure steps were taken to create, record and make Software Staff aware of the existence of a FOSS policy. Although no requirements are provided here on what should be included in the policy, other sections may impose requirements on the policy.
1.2 Mandatory FOSS training for all Software Staff exists such that:
- The training, as a minimum, covers the following topics:
  - The FOSS policy and where to find a copy;
  - Basics of Intellectual Property law pertaining to FOSS and FOSS licenses;
  - FOSS licensing concepts (including the concepts of permissive and copyleft licenses);
  - FOSS project licensing models;
  - Software Staff roles and responsibilities pertaining to FOSS compliance specifically and the FOSS policy in general; and
  - Process for identifying, recording and/or tracking of FOSS components contained in Supplied Software.
- Software Staff must have completed FOSS training within the last 24 months (to be considered current). A test may be used to allow Software Staff to satisfy the training requirement.
Verification Artifact(s):
☐ 1.2.1 FOSS course materials covering the above topics exist (e.g., slide decks, online course, or other training materials).
☐ 1.2.2 Method of tracking the completion of the course for all Software Staff.
☐ 1.2.3 At least 85% of all Software Staff are current, as per the definition in the section above.
Rationale:
Ensure the Software Staff have recently attended FOSS training and that a core set of relevant FOSS topics is covered. The intent is to ensure that a core, base-level set of topics is covered; a typical training program would likely be more comprehensive than what is required here.
1.3 A process exists for reviewing the Identified Licenses to determine the obligations, restrictions and rights granted by each license.
Verification Artifact(s):
☐ 1.3.1 A documented procedure exists to review and document the obligations, restrictions and rights granted by each Identified License governing the Supplied Software.
Rationale:
To ensure a process exists for reviewing and identifying the license obligations for each Identified License for the various use cases.