#21 - Added control family description to Using SCVS. Changed the use…

… of taxonomy to 'set'
OWASP · Jun 11, 2020 · 52ca2bd · 52ca2bd
1 parent baef989
commit 52ca2bd
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -38,5 +38,5 @@ over time.
 
 ### SCVS has the following goals:
 
-* Develop a common taxonomy of activities, controls, and best-practices that can reduce risk in a software supply chain
+* Develop a common set of activities, controls, and best-practices that can reduce risk in a software supply chain
 * Devise a path to baseline and mature software supply chain vigilance
diff --git a/en/0x01-Frontispiece.md b/en/0x01-Frontispiece.md
@@ -2,7 +2,7 @@
 
 ## About the Standard
 
-The Software Component Verification Standard is a grouping of controls, separated by domain, which can be used by architects, developers, security, legal, and compliance to define, build, and verify the integrity of their software supply chain.
+The Software Component Verification Standard is a grouping of controls, separated by control family, which can be used by architects, developers, security, legal, and compliance to define, build, and verify the integrity of their software supply chain.
 
 ## Copyright and License
 

diff --git a/en/0x03-Using-SCVS.md b/en/0x03-Using-SCVS.md
@@ -2,9 +2,20 @@
 
 SCVS has the following goals:
 
-* Develop a common taxonomy of activities, controls, and best-practices that can reduce risk in a software supply chain
+* Develop a common set of activities, controls, and best-practices that can reduce risk in a software supply chain
 * Identify a baseline and path to mature software supply chain vigilance
 
+## Control Families
+There are six control families that contain multiple controls that apply to different aspects of component verification
+or processes where component verification occurs. The control families are:
+
+* V1: Inventory
+* V2: Software Bill of Materials (SBOM)
+* V3: Build Environment
+* V4: Package Management
+* V5: Component Analysis
+* V6: Pedigree and Provenance
+
 ## Software Component Verification Levels
 
 The Software Component Verification Standard defines three verification levels. Higher levels include additional controls.
@@ -15,7 +26,6 @@ The Software Component Verification Standard defines three verification levels.
 
 ![maturity](./images/maturity.png)
 
-
 ### Level 1
 SCVS level 1 lays the groundwork from which to build upon. This level focuses on implementing best practices such as:
 - creating software bill-of-materials with complete and accurate inventory
@@ -77,7 +87,7 @@ vulnerabilities within a specified time period.
 ## Applying SCVS
 
 The Software Component Verification Standard places emphasis on controls that can be implemented or verified
-through automation. The domains and their controls are not specific to a single development team. They represent
+through automation. The control families are not specific to a single development team. They represent
 stakeholders across an organization, including software developers, security and risk managers, and procurement
 departments. Active participation of all stakeholders is necessary to measure and improve cyber posture. 
 Once an organization has determined the current maturity baseline, it can determine goals and timelines to improve maturity

diff --git a/en/0x80-Guidance-Open_Source_Policy.md b/en/0x80-Guidance-Open_Source_Policy.md
@@ -1,7 +1,7 @@
 # Guidance: Open Source Policy
 
 The following points should be viewed as suggestions based on the success and best practices of organizations 
-employing them. They are not part of the SCVS taxonomy.
+employing them. They are not part of SCVS.
 
 - All organizations that use open source software should have an open source policy
 - The open source policy is supported and enforced by cross-functional stakeholders