Codify policy for email address and commit signing
We have a number of preferences for how the core dev team members use GitHub. This issue is to determine how we want to decide and codify these best practices so they're well-documented and available.
Should we require dev team members to:
- Commit under their CISA or Trio email address?
  - Require this to be publicly available, or just to specify setting up the no-reply address for commit signing?
- Sign commits with a GPG key?
  - Possibly already codified in PR #35 with the inclusion of the FISMA-Ready GitHub guide, which we may want to fork and modify
  - Additional resource on setting up OpenPGP
Note: Specifically, this policy is for core dev team only, not external contributors, and should be written in a way not to discourage anyone from participating and using our GitHub resources.