At this level, an organization has established some practices for managing open source software. The organization has some visibility into open source use and there are limited controls in place to manage open source software and to ensure compliance with licenses.
The Open Source Program Office (OSPO)
At this stage, the organisation might have an Open Source Program Office (OSPO) or something equivalent by a different name. IBM refers to an Open Source Steering Committee (OSSC), for example.
According to the TODO Group's maturity model:
In general, an organization forms an OSPO when it realizes that its people are consuming open source products and code across nearly all engineering and development departments and functions. This usage is typically internal, not part of products or services to customers or users.
Further Reading
The OW2 Open Source Good Governance Initiative refers to this level as the "Trust Goal". It talks about license compliance tools and processes and provides links to many of these tools:
[This level] is about the secure and responsible use of OSS. It covers in particular compliance and dependency management policies. It is about aiming for the state of the art in implementing the right processes.
The TODO Group refers to this level as "Providing OSS Compliance,
Inventory, and Developer Education".
OSMM Level 2 Expected Activities
Compliant Open Source Consumption
Using open source within regulated organisations must be done in accordance with the policies and procedures in place to control risks and adhere to regulation. In this article we will look at:
Software Inventory
Software inventory is a precondition to most of the activities involved in OSMM level 2. The first step to licence compliance or supply chain security is to understand what software is in your estate.
License Compliance Management
There are several key points that a large enterprise should consider to ensure compliance with open-source license obligations:
Open Source Supply Chain Security
In this article we are going to look at the growing issue of software supply chain attacks via some examples and then look at the emerging field of open source supply chain security: what it is, current best practices, the institutional landscape and emerging legislation.
Creating an Open Source Policy
THIS IS A PLACEHOLDER
Creating an Open Source Program Office (OSPO)
An Open Source Program Office (OSPO) is designed to be the center of competency for an organization's open source operations and structure as defined by the TODO group.
Open Source Consumption Training
This guide is intended to help OSPOs of all maturity levels build an open source training course that is created with purpose to deliver impact. Whether your OSPO recently launched or is looking into re-doing the firms open source training, this guide will provide ideas and content that can be implemented to a comprehensive open source training course.