1---
 2layout: page
 3title: Create A Logical Model for GRC Engineering Activities
 4---
 5
 6- **ADR:** 0001
 7- **Proposal Author(s):** @eddie-knight
 8- **Status:** Accepted; Modified by [ADR-0009](./0009-sensitive-activities) (layer numbers)
 9
10## Context
11
12During the writing of the CNCF's [Automated Governance Maturity Model (AGMM)](https://www.cncf.io/blog/2025/05/05/announcing-the-automated-governance-maturity-model/), the authors of that document came to a key observation: to build a _Secure Software Factory_ or a fully automated governance program, maturity can be measured in at least four different areas: "Policy, Evaluation, Enforcement, and Audit."
13
14Both the FINOS _Common Cloud Controls (CCC)_ and OpenSSF's _Open Source Project Security Baseline (OSPSB)_ projects began using the language from the AGMM, with the addition of two more areas to describe the difference between documents that give high-level recommendations alongside those which create technology-specific objectives. It was observed that these six different areas build upon eachother, similar to how the OSI Model describes the layers of digital networking.
15
16## Action
17
18Create a community-defined model in a version-controlled project that can be extended with supplemental resources such as schemas and SDKs.
19
20## Consequences
21
22Positive: Can be updated and extended over time
23Negative: Requires up-front commitment from a core maintainer group
24
25## Alternatives Considered
26
27An alternative would be to write a white paper following on the AGMM, but this would rule out the possibility of community maintenance and extension with supplemental resources for automation acceleration.