slsa
Positioning SIG: Assess additional frameworks in relation to SLSA
Objective: Assess additional frameworks raised in the 7/26 SLSA Positioning SIG meeting.
Outcomes:
- Identify common criteria for assessing various frameworks
- Assess the following frameworks/standards in relation to SLSA, in addition to NIST SSDF v1.1, NIST 800-53r5, EO14028 and NIST SP800-161r1:
  - [ ] SLSA vs SCITT (formerly SCIM)
  - [ ] SLSA vs SPDX efforts (brought up by Brandon in the last SLSA bi-weekly meeting)
  - [ ] SLSA vs CIS Supply Chain Security Benchmark
  - [ ] SLSA vs CD Foundation architecture
  - [ ] SLSA vs CNCF Supply Chain Security Best Practices / Secure Software Factory Ref Arch
  - [ ] SLSA vs SCVS
(Brandon) Define the objectives of evaluating
- Should SLSA increase/decrease scope?
- How does SLSA work with other frameworks? (informing/assisting organizations on what frameworks to choose)
- Is there overlap in SLSA with other frameworks?
- Are there deficiencies/out-of-scope SLSA items in relation to other frameworks?
- Map to the specs (SLSA spec - Source L1 = SSDF control PW1.X)
- Capture use cases/personas to address the target audience and how they would use SLSA vs other frameworks.