diff --git a/.github/ISSUE_TEMPLATE/minutes_all-hands-comms.md b/.github/ISSUE_TEMPLATE/minutes_all-hands-comms.md
index 6183558f..514c83a9 100644
--- a/.github/ISSUE_TEMPLATE/minutes_all-hands-comms.md
+++ b/.github/ISSUE_TEMPLATE/minutes_all-hands-comms.md
@@ -23,7 +23,7 @@ MM/DD/YYYY - 12:00 ET / 17:00 UK
## Meeting notices
- FINOS **Project leads** are responsible for observing the FINOS guidelines for [running project meetings](https://community.finos.org/docs/governance/meeting-procedures/). Project maintainers can find additional resources in the [FINOS Maintainers Cheatsheet](https://community.finos.org/docs/finos-maintainers-cheatsheet).
-- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/antitrust-policy/), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies).
+- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/legal/antitrust-policy), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies).
- FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact legal@finos.org with any questions.
- FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.
diff --git a/.github/ISSUE_TEMPLATE/minutes_community-structure.md b/.github/ISSUE_TEMPLATE/minutes_community-structure.md
index d3c2d052..2a9a9e64 100644
--- a/.github/ISSUE_TEMPLATE/minutes_community-structure.md
+++ b/.github/ISSUE_TEMPLATE/minutes_community-structure.md
@@ -21,7 +21,7 @@ MM/DD/YYYY - 12:00 ET / 17:00 UK
## Meeting notices
- FINOS **Project leads** are responsible for observing the FINOS guidelines for [running project meetings](https://community.finos.org/docs/governance/meeting-procedures/). Project maintainers can find additional resources in the [FINOS Maintainers Cheatsheet](https://community.finos.org/docs/finos-maintainers-cheatsheet).
-- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/antitrust-policy/), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies).
+- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/legal/antitrust-policy), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies).
- FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact legal@finos.org with any questions.
- FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.
diff --git a/.github/ISSUE_TEMPLATE/minutes_delivery.md b/.github/ISSUE_TEMPLATE/minutes_delivery.md
index be74991d..1affa699 100644
--- a/.github/ISSUE_TEMPLATE/minutes_delivery.md
+++ b/.github/ISSUE_TEMPLATE/minutes_delivery.md
@@ -21,7 +21,7 @@ MM/DD/YYYY - 11:30 ET / 16:30 UK
## Meeting notices
- FINOS **Project leads** are responsible for observing the FINOS guidelines for [running project meetings](https://community.finos.org/docs/governance/meeting-procedures/). Project maintainers can find additional resources in the [FINOS Maintainers Cheatsheet](https://community.finos.org/docs/finos-maintainers-cheatsheet).
-- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/antitrust-policy/), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies).
+- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/legal/antitrust-policy), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies).
- FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact legal@finos.org with any questions.
- FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.
diff --git a/.github/ISSUE_TEMPLATE/minutes_duplication-reduction.md b/.github/ISSUE_TEMPLATE/minutes_duplication-reduction.md
index 7051d23a..600cd447 100644
--- a/.github/ISSUE_TEMPLATE/minutes_duplication-reduction.md
+++ b/.github/ISSUE_TEMPLATE/minutes_duplication-reduction.md
@@ -21,7 +21,7 @@ MM/DD/YYYY - 12:30 ET / 17:30 UK
## Meeting notices
- FINOS **Project leads** are responsible for observing the FINOS guidelines for [running project meetings](https://community.finos.org/docs/governance/meeting-procedures/). Project maintainers can find additional resources in the [FINOS Maintainers Cheatsheet](https://community.finos.org/docs/finos-maintainers-cheatsheet).
-- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/antitrust-policy/), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies).
+- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/legal/antitrust-policy), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies).
- FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact legal@finos.org with any questions.
- FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.
diff --git a/.github/ISSUE_TEMPLATE/minutes_security.md b/.github/ISSUE_TEMPLATE/minutes_security.md
index 52834bc6..0a9c72c9 100644
--- a/.github/ISSUE_TEMPLATE/minutes_security.md
+++ b/.github/ISSUE_TEMPLATE/minutes_security.md
@@ -21,7 +21,7 @@ MM/DD/YYYY - 11:00 ET / 16:00 UK
## Meeting notices
- FINOS **Project leads** are responsible for observing the FINOS guidelines for [running project meetings](https://community.finos.org/docs/governance/meeting-procedures/). Project maintainers can find additional resources in the [FINOS Maintainers Cheatsheet](https://community.finos.org/docs/finos-maintainers-cheatsheet).
-- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/antitrust-policy/), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies).
+- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/legal/antitrust-policy), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies).
- FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact legal@finos.org with any questions.
- FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.
diff --git a/.github/ISSUE_TEMPLATE/minutes_taxonomy.md b/.github/ISSUE_TEMPLATE/minutes_taxonomy.md
index 7c044b6e..b9a46ea6 100644
--- a/.github/ISSUE_TEMPLATE/minutes_taxonomy.md
+++ b/.github/ISSUE_TEMPLATE/minutes_taxonomy.md
@@ -21,7 +21,7 @@ MM/DD/YYYY - 11:30 ET / 16:30 UK
## Meeting notices
- FINOS **Project leads** are responsible for observing the FINOS guidelines for [running project meetings](https://community.finos.org/docs/governance/meeting-procedures/). Project maintainers can find additional resources in the [FINOS Maintainers Cheatsheet](https://community.finos.org/docs/finos-maintainers-cheatsheet).
-- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/antitrust-policy/), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies).
+- **All participants** in FINOS project meetings are subject to the [LF Antitrust Policy](https://www.linuxfoundation.org/legal/antitrust-policy), the [FINOS Community Code of Conduct](https://community.finos.org/docs/governance/code-of-conduct) and all other [FINOS policies](https://community.finos.org/docs/governance/#policies).
- FINOS meetings involve participation by industry competitors, and it is the intention of FINOS and the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws. Please contact legal@finos.org with any questions.
- FINOS project meetings may be recorded for use solely by the FINOS team for administration purposes. In very limited instances, and with explicit approval, recordings may be made more widely available.
diff --git a/.github/ISSUE_TEMPLATE/release_proposal.md b/.github/ISSUE_TEMPLATE/release_proposal.md
index 19ed066c..a8fd6017 100644
--- a/.github/ISSUE_TEMPLATE/release_proposal.md
+++ b/.github/ISSUE_TEMPLATE/release_proposal.md
@@ -23,7 +23,7 @@ assignees: "damienjburks"
- [ ] Modify the `metadata.yaml` files to include the latest release details. This can be accomplished in an automated form by running the following command:
```text
- cd delivery-tooling
+ cd delivery-toolkit
go run . release-notes -t /services/storage/object
```
diff --git a/.github/workflows/pr-title.yaml b/.github/workflows/pr-title.yaml
new file mode 100644
index 00000000..fa583658
--- /dev/null
+++ b/.github/workflows/pr-title.yaml
@@ -0,0 +1,30 @@
+## Reference: https://github.com/amannn/action-semantic-pull-request
+---
+name: "Lint PR Title"
+on:
+ # pull_request_target event is required for autolabeler to support all PRs including forks
+ pull_request_target:
+ types: [opened, reopened, edited, synchronize]
+jobs:
+ lint_pr_title:
+ permissions:
+ contents: read
+ pull-requests: read
+ statuses: write
+ uses: jmeridth/reusable-workflows/.github/workflows/pr-title.yaml@d788c4f6994c7b37134a9f592fe5db42fd7a0957
+ with:
+ types: |
+ add
+ change
+ remove
+ scopes: |
+ ci
+ docs
+ feature
+ threat
+ control
+ category
+ family
+ requireScope: true
+ secrets:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
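Review bot: the `pull_request_target` trigger at the top of this workflow runs in the base repository's context with access to `secrets.GITHUB_TOKEN`, so neither this job nor the reusable workflow it calls may check out or execute code from the PR head. The visible job only forwards the token and lints the title, which is fine, but that invariant deserves a comment, because the comment that is there (`# pull_request_target event is required for autolabeler to support all PRs including forks`) describes an autolabeler rather than a title linter and will mislead the next maintainer. Pinning `jmeridth/reusable-workflows/.github/workflows/pr-title.yaml@d788c4f6...` to a full commit SHA is the right choice; add the matching tag or version in a trailing comment so the pin can be checked against upstream, and explain why `## Reference:` points at `amannn/action-semantic-pull-request` while `uses:` points at a different repository. `statuses: write` is the only write permission granted, which is the minimum this pattern needs.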
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index eed1c4f0..87ef6041 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,7 +17,7 @@ jobs:
runs-on: ubuntu-latest
defaults:
run:
- working-directory: ./delivery-tooling
+ working-directory: ./delivery-toolkit
steps:
- uses: actions/checkout@v4
name: Build
@@ -65,7 +65,7 @@ jobs:
uses: actions/upload-artifact@v4.4.0
with:
name: ccc-catalogs
- path: ./delivery-tooling/artifacts/*
+ path: ./delivery-toolkit/artifacts/*
if-no-files-found: error
retention-days: 1 # Maximum Retention
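Review bot: the artifact path rename matches the `working-directory` change in the previous hunk, but since this file is being touched note that `actions/upload-artifact@v4.4.0` and `actions/checkout@v4` are pinned by tag, whereas the new pr-title.yaml in this same PR pins by commit SHA. A moved tag can change what runs in the release job; consider SHA-pinning here as well for consistency.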
diff --git a/.github/workflows/sonatype_scan.yaml b/.github/workflows/sonatype_scan.yaml
index 3d2e10ee..4e0aa212 100644
--- a/.github/workflows/sonatype_scan.yaml
+++ b/.github/workflows/sonatype_scan.yaml
@@ -9,7 +9,7 @@ on:
env:
SonatypeUrl: "https://finos.sonatype.app/platform/"
SonatypeAppId: "ccc-delivery"
- SonatypeScanTarget: "delivery-tooling/"
+ SonatypeScanTarget: "delivery-toolkit/"
ExcludeDirectory: ""
jobs:
diff --git a/.gitignore b/.gitignore
index cdc67bc0..bca159a7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,5 +3,5 @@ build/oscal-cli
# VS Code
.DS_Store
# Delivery Tooling
-delivery-tooling/artifacts
+delivery-toolkit/artifacts
.env/
\ No newline at end of file
diff --git a/.prettierignore b/.prettierignore
index d74cda5b..f31b1f48 100644
--- a/.prettierignore
+++ b/.prettierignore
@@ -1 +1 @@
-delivery-tooling/*
\ No newline at end of file
+delivery-toolkit/*
\ No newline at end of file
diff --git a/.vscode/common-controls.code-snippets b/.vscode/common-controls.code-snippets
index 63995863..467db55c 100644
--- a/.vscode/common-controls.code-snippets
+++ b/.vscode/common-controls.code-snippets
@@ -1,66 +1,90 @@
{
- "Prevent unencrypted requests": {
- "scope": "yaml",
- "prefix": "CC1, CC Prevent unencrypted requests",
- "body": [
- "- CCC.C01 # Prevent unencrypted requests control"
- ],
- "description": "Common Control Prevent unencrypted requests"
- },
- "Ensure data encryption at rest": {
- "scope": "yaml",
- "prefix": "CC2, CC Ensure data encryption at rest",
- "body": [
- "- CCC.C02 # Ensure data encryption at rest for all stored data"
- ],
- "description": "Common Control Ensure data encryption at rest"
- },
- "Implement multi-factor authentication": {
- "scope": "yaml",
- "prefix": "CC3, CC Implement MFA for access",
- "body": [
- "- CCC.C03 # Implement multi-factor authentication (MFA) for access"
- ],
- "description": "Common Control Implement multi-factor authentication (MFA) for access"
- },
- "Log all access and changes": {
- "scope": "yaml",
- "prefix": "CC4, CC Log all access and changes",
- "body": [
- "- CCC.C04 # Log all access and changes"
- ],
- "description": "Common Control Log all access and changes"
- },
- "Prevent access from untrusted entities": {
- "scope": "yaml",
- "prefix": "CC5, CC Prevent access from untrusted entities",
- "body": [
- "- CCC.C05 # Prevent access from untrusted entities"
- ],
- "description": "Common Control Prevent access from untrusted entities control"
- },
- "Prevent deployment in restricted regions": {
- "scope": "yaml",
- "prefix": "CC6, CC Prevent deployment in restricted regions",
- "body": [
- "- CCC.C06 # Prevent deployment in restricted regions"
- ],
- "description": "Common Control Prevent deployment in restricted regions"
- },
- "Alert on non-human enumeration": {
- "scope": "yaml",
- "prefix": "CC7, CC Alert on non-human enumeration",
- "body": [
- "- CCC.C07 # Alert on non-human enumeration"
- ],
- "description": "Common Control Alert on non-human enumeration"
- },
- "Enable multi-zone or multi-region data replication": {
- "scope": "yaml",
- "prefix": "CC8, CC Enable multi-zone or multi-region data replication",
- "body": [
- "- CCC.C08 # Enable multi-zone or multi-region data replication"
- ],
- "description": "Common Control Enable multi-zone or multi-region data replication"
- }
- }
+ "Prevent Unencrypted Requests": {
+ "scope": "yaml",
+ "prefix": "CC1, CC Prevent Unencrypted Requests",
+ "body": [
+ "- CCC.C01 # Prevent Unencrypted Requests"
+ ],
+ "description": "Common Control Prevent Unencrypted Requests"
+ },
+ "Ensure Data Encryption at Rest for All Stored Data": {
+ "scope": "yaml",
+ "prefix": "CC2, CC Ensure Data Encryption at Rest for All Stored Data",
+ "body": [
+ "- CCC.C02 # Ensure Data Encryption at Rest for All Stored Data"
+ ],
+ "description": "Common Control Ensure Data Encryption at Rest for All Stored Data"
+ },
+ "Implement Multi-factor Authentication (MFA) for Access": {
+ "scope": "yaml",
+ "prefix": "CC3, CC Implement Multi-factor Authentication (MFA) for Access",
+ "body": [
+ "- CCC.C03 # Implement Multi-factor Authentication (MFA) for Access"
+ ],
+ "description": "Common Control Implement Multi-factor Authentication (MFA) for Access"
+ },
+ "Log All Access and Changes": {
+ "scope": "yaml",
+ "prefix": "CC4, CC Log All Access and Changes",
+ "body": [
+ "- CCC.C04 # Log All Access and Changes"
+ ],
+ "description": "Common Control Log All Access and Changes"
+ },
+ "Prevent Access from Untrusted Entities": {
+ "scope": "yaml",
+ "prefix": "CC5, CC Prevent Access from Untrusted Entities",
+ "body": [
+ "- CCC.C05 # Prevent Access from Untrusted Entities"
+ ],
+ "description": "Common Control Prevent Access from Untrusted Entities"
+ },
+ "Prevent Deployment in Restricted Regions": {
+ "scope": "yaml",
+ "prefix": "CC6, CC Prevent Deployment in Restricted Regions",
+ "body": [
+ "- CCC.C06 # Prevent Deployment in Restricted Regions"
+ ],
+ "description": "Common Control Prevent Deployment in Restricted Regions"
+ },
+ "Alert on Unusual Enumeration Activity": {
+ "scope": "yaml",
+ "prefix": "CC7, CC Alert on Unusual Enumeration Activity",
+ "body": [
+ "- CCC.C07 # Alert on Unusual Enumeration Activity"
+ ],
+ "description": "Common Control Alert on Unusual Enumeration Activity"
+ },
+ "Enable Multi-zone or Multi-region Data Replication": {
+ "scope": "yaml",
+ "prefix": "CC8, CC Enable Multi-zone or Multi-region Data Replication",
+ "body": [
+ "- CCC.C08 # Enable Multi-zone or Multi-region Data Replication"
+ ],
+ "description": "Common Control Enable Multi-zone or Multi-region Data Replication"
+ },
+ "Prevent Tampering, Deletion, or Unauthorized Access to Access Logs": {
+ "scope": "yaml",
+ "prefix": "CC9, CC Prevent Tampering, Deletion, or Unauthorized Access to Access Logs",
+ "body": [
+ "- CCC.C09 # Prevent Tampering, Deletion, or Unauthorized Access to Access Logs"
+ ],
+ "description": "Common Control Prevent Tampering, Deletion, or Unauthorized Access to Access Logs"
+ },
+ "Prevent Data Replication to Destinations Outside of Defined Trust Perimeter": {
+ "scope": "yaml",
+ "prefix": "CC10, CC Prevent Data Replication to Destinations Outside of Defined Trust Perimeter",
+ "body": [
+ "- CCC.C10 # Prevent Data Replication to Destinations Outside of Defined Trust Perimeter"
+ ],
+ "description": "Common Control Prevent Data Replication to Destinations Outside of Defined Trust Perimeter"
+ },
+ "Enforce Key Management Policies": {
+ "scope": "yaml",
+ "prefix": "CC11, CC Enforce Key Management Policies",
+ "body": [
+ "- CCC.C11 # Enforce Key Management Policies"
+ ],
+ "description": "Common Control Enforce Key Management Policies"
+ },
+}
\ No newline at end of file
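Review bot: the final entry closes with `},` immediately before the closing `}`, leaving a trailing comma. VS Code's JSONC reader tolerates it, but strict JSON parsers (and any script that later validates or regenerates these snippet files) will reject the file; drop the comma unless trailing commas are an intentional convention, in which case say so, because the features snippet file in this PR adds one deliberately. More broadly, every `prefix`, `body` and `description` here hand-copies a title that the catalog YAML already owns; the garbled `Resource constraints are exhaustedResource Tags Are Manipulated` entry removed from the threats snippet file in this PR is exactly the drift that produces. Since the delivery toolkit already parses those YAML files, generating the `.code-snippets` files from them would remove this class of error.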
diff --git a/.vscode/common-features.code-snippets b/.vscode/common-features.code-snippets
index 47febc9f..7d14e391 100644
--- a/.vscode/common-features.code-snippets
+++ b/.vscode/common-features.code-snippets
@@ -119,13 +119,13 @@
],
"description": "Common Feature Cost Management"
},
- "BudgetingAlerting": {
+ "Budgeting": {
"scope": "yaml",
- "prefix": "CF16, CF BudgetingAlerting",
+ "prefix": "CF16, CF Budgeting",
"body": [
- "- CCC.F16 # BudgetingAlerting"
+ "- CCC.F16 # Budgeting"
],
- "description": "Common Feature BudgetingAlerting"
+ "description": "Common Feature Budgeting"
},
"Alerting": {
"scope": "yaml",
@@ -143,13 +143,13 @@
],
"description": "Common Feature Versioning"
},
- "On-Demand Scaling": {
+ "On-demand Scaling": {
"scope": "yaml",
- "prefix": "CF19, CF On-Demand Scaling",
+ "prefix": "CF19, CF On-demand Scaling",
"body": [
- "- CCC.F19 # On-Demand Scaling"
+ "- CCC.F19 # On-demand Scaling"
],
- "description": "Common Feature On-Demand Scaling"
+ "description": "Common Feature On-demand Scaling"
},
"Tagging": {
"scope": "yaml",
@@ -184,5 +184,5 @@
"- CCC.F23 # Network Access Rules"
],
"description": "Common Feature Network Access Rules"
- }
+ },
}
\ No newline at end of file
diff --git a/.vscode/common-threats.code-snippets b/.vscode/common-threats.code-snippets
index 2d4a3a45..51fcb5de 100644
--- a/.vscode/common-threats.code-snippets
+++ b/.vscode/common-threats.code-snippets
@@ -1,51 +1,51 @@
{
- "Access control is misconfigured": {
+ "Access Control is Misconfigured": {
"scope": "yaml",
- "prefix": "CT1, CT Access control is misconfigured",
+ "prefix": "CT1, CT Access Control is Misconfigured",
"body": [
- "- CCC.TH01 # Access control is misconfigured"
+ "- CCC.TH01 # Access Control is Misconfigured"
],
- "description": "Common Threat Access control is misconfigured"
+ "description": "Common Threat Access Control is Misconfigured"
},
- "Data is intercepted in transit": {
+ "Data is Intercepted in Transit": {
"scope": "yaml",
- "prefix": "CT2, CT Data is intercepted in transit",
+ "prefix": "CT2, CT Data is Intercepted in Transit",
"body": [
- "- CCC.TH02 # Data is intercepted in transit"
+ "- CCC.TH02 # Data is Intercepted in Transit"
],
- "description": "Common Threat Data is intercepted in transit"
+ "description": "Common Threat Data is Intercepted in Transit"
},
- "Deployment region network is untrusted": {
+ "Deployment Region Network is Untrusted": {
"scope": "yaml",
- "prefix": "CT3, CT Deployment region network is untrusted",
+ "prefix": "CT3, CT Deployment Region Network is Untrusted",
"body": [
- "- CCC.TH03 # Deployment region network is untrusted"
+ "- CCC.TH03 # Deployment Region Network is Untrusted"
],
- "description": "Common Threat Deployment region network is untrusted"
+ "description": "Common Threat Deployment Region Network is Untrusted"
},
- "Resource is replicated to untrusted or external locations": {
+ "Data is Replicated to Untrusted or External Locations": {
"scope": "yaml",
- "prefix": "CT4, CT Resource is replicated to untrusted or external locations",
+ "prefix": "CT4, CT Data is Replicated to Untrusted or External Locations",
"body": [
- "- CCC.TH04 # Resource is replicated to untrusted or external locations"
+ "- CCC.TH04 # Data is Replicated to Untrusted or External Locations"
],
- "description": "Common Threat Resource is replicated to untrusted or external locations"
+ "description": "Common Threat Data is Replicated to Untrusted or External Locations"
},
- "Data is corrupted during replication": {
+ "Data is Corrupted During Replication": {
"scope": "yaml",
- "prefix": "CT5, CT Data is corrupted during replication",
+ "prefix": "CT5, CT Data is Corrupted During Replication",
"body": [
- "- CCC.TH05 # Data is corrupted during replication"
+ "- CCC.TH05 # Data is Corrupted During Replication"
],
- "description": "Common Threat Data is corrupted during replication"
+ "description": "Common Threat Data is Corrupted During Replication"
},
- "Data is lost or corrupted": {
+ "Data is Lost or Corrupted": {
"scope": "yaml",
- "prefix": "CT6, CT Data is lost or corrupted",
+ "prefix": "CT6, CT Data is Lost or Corrupted",
"body": [
- "- CCC.TH06 # Data is lost or corrupted"
+ "- CCC.TH06 # Data is Lost or Corrupted"
],
- "description": "Common Threat Data is lost or corrupted"
+ "description": "Common Threat Data is Lost or Corrupted"
},
"Logs are Tampered With or Deleted": {
"scope": "yaml",
@@ -87,28 +87,36 @@
],
"description": "Common Threat Event Notifications are Incorrectly Triggered"
},
- "Resource constraints are exhaustedResource Tags Are Manipulated": {
+ "Resource Constraints are Exhausted": {
"scope": "yaml",
- "prefix": "CT12, CT Resource constraints are exhaustedResource Tags Are Manipulated",
+ "prefix": "CT12, CT Resource Constraints are Exhausted",
"body": [
- "- CCC.TH12 # Resource constraints are exhaustedResource Tags Are Manipulated"
+ "- CCC.TH12 # Resource Constraints are Exhausted"
],
- "description": "Common Threat Resource constraints are exhaustedResource Tags Are Manipulated"
+ "description": "Common Threat Resource Constraints are Exhausted"
},
- "Resource Tags Are Manipulated": {
+ "Resource Tags are Manipulated": {
"scope": "yaml",
- "prefix": "CT13, CT Resource Tags Are Manipulated",
+ "prefix": "CT13, CT Resource Tags are Manipulated",
"body": [
- "- CCC.TH13 # Resource Tags Are Manipulated"
+ "- CCC.TH13 # Resource Tags are Manipulated"
],
- "description": "Common Threat Resource Tags Are Manipulated"
+ "description": "Common Threat Resource Tags are Manipulated"
},
- "Older Resource Versions Are Exploited": {
+ "Older Resource Versions are Exploited": {
"scope": "yaml",
- "prefix": "CT14, CT Older Resource Versions Are Exploited",
+ "prefix": "CT14, CT Older Resource Versions are Exploited",
"body": [
- "- CCC.TH14 # Older Resource Versions Are Exploited"
+ "- CCC.TH14 # Older Resource Versions are Exploited"
],
- "description": "Common Threat Older Resource Versions Are Exploited"
+ "description": "Common Threat Older Resource Versions are Exploited"
+ },
+ "Automated Enumeration and Reconnaissance by Non-human Entities": {
+ "scope": "yaml",
+ "prefix": "CT14, CT Automated Enumeration and Reconnaissance by Non-human Entities",
+ "body": [
+ "- CCC.TH14 # Automated Enumeration and Reconnaissance by Non-human Entities"
+ ],
+ "description": "Common Threat Automated Enumeration and Reconnaissance by Non-human Entities"
},
}
\ No newline at end of file
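Review bot: the new entry `Automated Enumeration and Reconnaissance by Non-human Entities` reuses `CT14` in its `prefix` and `CCC.TH14` in its `body`, both of which already belong to `Older Resource Versions are Exploited` directly above it. The two snippets expand to the same threat ID, so any service catalog authored with this snippet will reference TH14 and point at the wrong threat. Give it the next unused threat ID from the common-threats YAML file and update `prefix`, `body` and `description` to match.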
diff --git a/delivery-tooling/logos/logo_wall.svg b/delivery-tooling/logos/logo_wall.svg
deleted file mode 100644
index daf5ecb8..00000000
--- a/delivery-tooling/logos/logo_wall.svg
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/delivery-tooling/catalog-compiler.go b/delivery-toolkit/catalog-compiler.go
similarity index 81%
rename from delivery-tooling/catalog-compiler.go
rename to delivery-toolkit/catalog-compiler.go
index 5aa7a85e..e88d5d3b 100644
--- a/delivery-tooling/catalog-compiler.go
+++ b/delivery-toolkit/catalog-compiler.go
@@ -1,10 +1,12 @@
package main
import (
+ "bytes"
"fmt"
"log"
"os"
"path/filepath"
+ "strings"
"github.com/spf13/viper"
"gopkg.in/yaml.v3"
@@ -30,6 +32,7 @@ type Control struct {
NISTCSF string `yaml:"nist_csf"`
ControlMappings map[string]interface{} `yaml:"control_mappings"`
TestRequirements []TestRequirements `yaml:"test_requirements"`
+ Link string
}
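Review bot: the new `Link string` field carries no yaml struct tag. gopkg.in/yaml.v3 does not ignore untagged exported fields; it maps them to the lowercased field name, so a stray `link:` key in a controls YAML file would populate it, and when the compiled catalog is marshalled back to YAML (gen-yaml.go is part of this toolkit) a `link:` key is emitted for every control. Because the value is derived by `addControlLink`, tag it `yaml:"-"`; the same applies to the `Link` fields added to `Feature` and `Threat` further down.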
type TestRequirements struct {
@@ -57,7 +60,7 @@ type ReleaseDetails struct {
ThreatModelURL string `yaml:"threat_model_url"`
ThreatModelAuthor string `yaml:"threat_model_author"`
RedTeam string `yaml:"red_team"`
- RedTeamExercizeURL string `yaml:"red_team_exercize_url"`
+ RedTeamExerciseURL string `yaml:"red_team_exercise_url"`
ReleaseManager ReleaseManager `yaml:"release_manager"`
ChangeLog []string `yaml:"change_log"`
Contributors []Contributors `yaml:"contributors"`
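Review bot: renaming the Go field is harmless, but renaming the yaml key from `red_team_exercize_url` to `red_team_exercise_url` changes the on-disk contract for every `metadata.yaml`. If the loader uses a yaml.v3 Decoder without `KnownFields(true)`, unknown keys are ignored, so a file still spelled `exercize` decodes without error and leaves `RedTeamExerciseURL` empty, silently dropping the link from the generated catalog. Make sure every metadata.yaml in the repository is updated in this PR, and consider enabling `KnownFields` on the decoder so misspelled keys fail loudly instead of vanishing.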
@@ -86,6 +89,7 @@ type Feature struct {
ID string `yaml:"id"`
Title string `yaml:"title"`
Description string `yaml:"description"`
+ Link string
}
// ThreatSet is a struct that represents the threats.yaml file
@@ -100,6 +104,7 @@ type Threat struct {
Description string `yaml:"description"`
Features []string `yaml:"features"`
MITRETechnique []string `yaml:"mitre_technique"`
+ Link string
}
func formatList(items []string) string {
@@ -159,6 +164,33 @@ func unmarshalData(dataName string, dataSet interface{}) {
}
}
+func createLink(id string, title string) string {
+ var buffer bytes.Buffer
+
+ buffer.WriteString(strings.ToLower(strings.ReplaceAll(id, ".", "")))
+ buffer.WriteString("---")
+ buffer.WriteString(strings.ToLower(strings.ReplaceAll(strings.ReplaceAll(title, ",", ""), " ", "-")))
+ return buffer.String()
+}
+
+func addFeatureLink(features []Feature) {
+ for index, element := range features {
+ features[index].Link = createLink(element.ID, element.Title)
+ }
+}
+
+func addThreatLink(threats []Threat) {
+ for index, element := range threats {
+ threats[index].Link = createLink(element.ID, element.Title)
+ }
+}
+
+func addControlLink(controls []Control) {
+ for index, element := range controls {
+ controls[index].Link = createLink(element.ID, element.Title)
+ }
+}
+
func readAndCompileCatalog() (data CompiledCatalog) {
// read controls.yaml, features.yaml, threats.yaml, and metadata.yaml from dir path
controlsData := ControlSet{}
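Review bot: `createLink` derives a markdown heading anchor by lowercasing the ID with dots removed, appending `---`, and lowercasing the title with commas removed and spaces turned into hyphens, but GitHub-style anchor generation strips every character that is not a letter, digit, space or hyphen. Titles in this PR contain parentheses, for example `Implement Multi-factor Authentication (MFA) for Access`, which yields `...-(mfa)-...` here but `...-mfa-...` in the rendered heading, so the ID links added to the catalog.md tables will be dead for those entries; `&` in a title breaks the same way. Apply a filter such as `[^a-z0-9 -]` after lowercasing and before the space replacement, and add a unit test pinning the expected anchor for an ID/title pair with punctuation. Note also that the hard-coded `---` only matches if the section heading renders as `{{ .ID }} - {{ .Title }}`, so keep the two in step or derive the anchor from the heading string itself. Minor: `bytes.Buffer` is heavier than needed here, `strings.Builder` or plain concatenation reads better, and the three identical `add*Link` loops could share one helper if the structs exposed `ID` and `Title` through an interface.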
@@ -178,6 +210,13 @@ func readAndCompileCatalog() (data CompiledCatalog) {
commonThreatsData := ThreatSet{}
unmarshalData("common-threats", &commonThreatsData)
+ addFeatureLink(featuresData.SpecificFeatures)
+ addFeatureLink(commonFeaturesData.SpecificFeatures)
+ addThreatLink(threatsData.SpecificThreats)
+ addThreatLink(commonThreatsData.SpecificThreats)
+ addControlLink(controlsData.SpecificControls)
+ addControlLink(commonControlsData.SpecificControls)
+
return CompiledCatalog{
Metadata: metadata,
Controls: append(commonControlsData.SpecificControls, controlsData.SpecificControls...),
diff --git a/delivery-tooling/gen-markdown.go b/delivery-toolkit/gen-markdown.go
similarity index 100%
rename from delivery-tooling/gen-markdown.go
rename to delivery-toolkit/gen-markdown.go
diff --git a/delivery-tooling/gen-release-notes.go b/delivery-toolkit/gen-release-notes.go
similarity index 100%
rename from delivery-tooling/gen-release-notes.go
rename to delivery-toolkit/gen-release-notes.go
diff --git a/delivery-tooling/gen-yaml.go b/delivery-toolkit/gen-yaml.go
similarity index 100%
rename from delivery-tooling/gen-yaml.go
rename to delivery-toolkit/gen-yaml.go
diff --git a/delivery-tooling/go.mod b/delivery-toolkit/go.mod
similarity index 100%
rename from delivery-tooling/go.mod
rename to delivery-toolkit/go.mod
diff --git a/delivery-tooling/go.sum b/delivery-toolkit/go.sum
similarity index 100%
rename from delivery-tooling/go.sum
rename to delivery-toolkit/go.sum
diff --git a/delivery-toolkit/logos/logo_wall.svg b/delivery-toolkit/logos/logo_wall.svg
new file mode 100644
index 00000000..d197a919
--- /dev/null
+++ b/delivery-toolkit/logos/logo_wall.svg
@@ -0,0 +1 @@
+
diff --git a/delivery-tooling/main.go b/delivery-toolkit/main.go
similarity index 98%
rename from delivery-tooling/main.go
rename to delivery-toolkit/main.go
index e4294fb3..a192c4dd 100644
--- a/delivery-tooling/main.go
+++ b/delivery-toolkit/main.go
@@ -35,7 +35,7 @@ var (
},
Run: func(cmd *cobra.Command, args []string) {
fmt.Println(divider)
- fmt.Println("Welcome to the CCC Delivery Tooling CLI v" + Version)
+ fmt.Println("Welcome to the CCC Delivery Toolkit CLI v" + Version)
fmt.Print(logo)
fmt.Println(divider)
fmt.Println("You appear to be exploring!")
diff --git a/delivery-tooling/templates/catalog.md b/delivery-toolkit/templates/catalog.md
similarity index 88%
rename from delivery-tooling/templates/catalog.md
rename to delivery-toolkit/templates/catalog.md
index c3b82513..be962dde 100644
--- a/delivery-tooling/templates/catalog.md
+++ b/delivery-toolkit/templates/catalog.md
@@ -7,7 +7,7 @@
## Release Notes
-> _{{ .LatestReleaseDetails.ReleaseManager.Summary }}_
+> {{ .LatestReleaseDetails.ReleaseManager.Summary }}
Release Manager - **{{ .LatestReleaseDetails.ReleaseManager.Name }}, {{ .LatestReleaseDetails.ReleaseManager.Company }}** ([{{ .LatestReleaseDetails.ReleaseManager.GithubId }}](https://github.com/{{ .LatestReleaseDetails.ReleaseManager.GithubId }}))
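Review bot: dropping the `_..._` wrapper around `{{ .LatestReleaseDetails.ReleaseManager.Summary }}` avoids broken italics when the summary contains underscores or spans several lines, but the blockquote marker is still only on the first line; a multi-paragraph summary will have only its first line quoted and the rest rendered as plain text. If summaries are allowed to be multi-line, either prefix each line with `> ` in the template (e.g. via a small template function) or document in the metadata guidance that Summary is a single paragraph.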
@@ -21,7 +21,7 @@ Release Manager - **{{ .LatestReleaseDetails.ReleaseManager.Name }}, {{ .LatestR
|Feature ID|Feature Title|
|----|----|
{{- range .Features }}
-|{{ .ID }}|{{ .Title }}|
+|[{{ .ID }}](#{{ .Link }})|{{ .Title }}|
{{- end }}
---
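Review bot: the `[{{ .ID }}](#{{ .Link }})` cells in the Feature table (and identically in the Threat and Control tables further down) only work if `.Link` is exactly the anchor the Markdown renderer derives from the corresponding heading, which on GitHub means lowercase, spaces to hyphens, and most punctuation removed; an ID such as `CCC.VPC.C01` becomes `cccvpcc01`, and the rule differs between GitHub and other renderers such as Docusaurus or MkDocs. Please state the anchor convention once in the template (a comment above the table) and keep the heading that introduces each feature, threat and control in the same template so the two cannot drift apart.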
@@ -36,7 +36,7 @@ Release Manager - **{{ .LatestReleaseDetails.ReleaseManager.Name }}, {{ .LatestR
|Threat ID|Threat Title|
|----|----|
{{- range .Threats }}
-|{{ .ID }}|{{ .Title }}|
+|[{{ .ID }}](#{{ .Link }})|{{ .Title }}|
{{- end }}
---
@@ -49,9 +49,9 @@ Release Manager - **{{ .LatestReleaseDetails.ReleaseManager.Name }}, {{ .LatestR
- {{ . }}
{{- end }}
-**Related MITRE ATT&CK Values:**
+**Related MITRE ATT&CK Techniques:**
{{ range .MITRETechnique }}
-- {{ . }}
+- [{{ . }}](https://attack.mitre.org/techniques/{{ . }})
{{- end }}
{{ end }}
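Review bot: the new link `https://attack.mitre.org/techniques/{{ . }}` is wrong for sub-techniques, because ATT&CK writes those as `T1078.004` in the data but serves them at `.../techniques/T1078/004/`; every sub-technique ID listed under `mitre_technique` will therefore render as a 404 link. Either replace the dot with a slash when building the URL (a one-line template function, e.g. `{{ . | techniqueURL }}`) or restrict `mitre_technique` to parent technique IDs in the threat-definitions guideline and validate that in the toolkit.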
@@ -60,7 +60,7 @@ Release Manager - **{{ .LatestReleaseDetails.ReleaseManager.Name }}, {{ .LatestR
|Control ID|Control Title|
|----|----|
{{- range .Controls }}
-|{{ .ID }}|{{ .Title }}|
+|[{{ .ID }}](#{{ .Link }})|{{ .Title }}|
{{- end }}
---
diff --git a/delivery-tooling/templates/release-notes.md b/delivery-toolkit/templates/release-notes.md
similarity index 93%
rename from delivery-tooling/templates/release-notes.md
rename to delivery-toolkit/templates/release-notes.md
index 8031b61f..960ed269 100644
--- a/delivery-tooling/templates/release-notes.md
+++ b/delivery-toolkit/templates/release-notes.md
@@ -1,5 +1,5 @@
-# {{ .Metadata.Title }} Release Details - v{{ .LatestReleaseDetails.Version }} ({{ .Metadata.ID }})
+# {{ .Metadata.Title }} - v{{ .LatestReleaseDetails.Version }} ({{ .Metadata.ID }})
## Summary
{{ .LatestReleaseDetails.ReleaseManager.Summary }}
diff --git a/delivery-tooling/update-metadata.go b/delivery-toolkit/update-metadata.go
similarity index 91%
rename from delivery-tooling/update-metadata.go
rename to delivery-toolkit/update-metadata.go
index 3be014c7..943baaa0 100644
--- a/delivery-tooling/update-metadata.go
+++ b/delivery-toolkit/update-metadata.go
@@ -16,8 +16,8 @@ import (
)
var (
- MetadataFilepath string
BuildDirectoryPath string
+ MetadataFilePath string
// baseCmd represents the base command when called without any subcommands
updateMetadataCmd = &cobra.Command{
@@ -37,14 +37,14 @@ var (
servicesDir := viper.GetString("services-dir")
buildTarget := viper.GetString("build-target")
- buildDirectoryPath := filepath.Join(servicesDir, buildTarget)
- MetadataFilepath = filepath.Join(buildDirectoryPath, "metadata.yaml")
+ BuildDirectoryPath = filepath.Join(servicesDir, buildTarget)
+ MetadataFilePath = filepath.Join(BuildDirectoryPath, "metadata.yaml")
err := updateMetadata()
if err != nil {
fmt.Println(err)
} else {
- fmt.Printf("Metadata has been updated successfully: %s\n", MetadataFilepath)
+ fmt.Printf("Metadata has been updated successfully: %s\n", MetadataFilePath)
}
},
}
@@ -70,12 +70,11 @@ func updateMetadata() (err error) {
// Create a new GitHub client
client := github.NewClient(tc)
- // Prepare the options to filter commits by the specified path (directory)
+ // Fetch the list of commits from the repository
+ cleanedPath := strings.Replace(filepath.ToSlash(BuildDirectoryPath), "../", "", 1)
opts := &github.CommitsListOptions{
- Path: BuildDirectoryPath,
+ Path: cleanedPath,
}
-
- // Fetch the list of commits from the repository
commits, _, err := client.Repositories.ListCommits(ctx, repoOwner, repoName, opts)
if err != nil {
log.Fatalf("Error fetching commits: %v", err)
@@ -137,7 +136,7 @@ func updateMetadata() (err error) {
log.Fatalf("Error marshaling YAML: %v", err)
}
- err = os.WriteFile(MetadataFilepath, metadataData, os.FileMode(0666))
+ err = os.WriteFile(MetadataFilePath, metadataData, os.FileMode(0666))
if err != nil {
log.Fatalf("Error writing to the YAML file: %v", err)
}
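Review bot: while this `os.WriteFile(MetadataFilePath, ...)` line is being touched, tighten the mode from `0666` to `0644`; the file is generated content that only the pipeline should write, and a permissive umask would otherwise leave it group- and world-writable.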
@@ -148,7 +147,7 @@ func updateMetadata() (err error) {
func getMetadataYaml() Metadata {
// Read the YAML file
- yamlFile, err := os.ReadFile(MetadataFilepath)
+ yamlFile, err := os.ReadFile(MetadataFilePath)
if err != nil {
log.Fatalf("Error reading YAML file: %v", err)
}
diff --git a/delivery-tooling/utils.go b/delivery-toolkit/utils.go
similarity index 100%
rename from delivery-tooling/utils.go
rename to delivery-toolkit/utils.go
diff --git a/docs/community-guidelines/README.md b/docs/community-guidelines/README.md
index 1accdf9c..019e555c 100644
--- a/docs/community-guidelines/README.md
+++ b/docs/community-guidelines/README.md
@@ -4,19 +4,5 @@ Guidelines are formal recommendations to the community provided as structured ou
This directory will contain all guidelines recommended.
-## Adding or Modifying a Guideline
-
-- Changes can be suggested by anyone by raising a PR and notifying the Community Structure [WG] using the mailing list for consideration.
-- Then the members of the Community Structure [WG] should discuss this issue in their [WG] meetings and approve the PR for it to become a recommendation.
-
-## Upgrading a Recommendation to become a Policy
-
-In order for a guideline to become a policy a [SC], they must be put forward for a [vote] by a [SC] member sponsor.
-
-1. A pull request should be made by the [SC] sponsor to move the guideline into the [Policies] directory.
-2. The [SC] sponsor should call a [SC] [vote] and if approved by the majority the PR can be merged and the recommendation is now a policy.
-
-[Policies]: ../community-policies
-[vote]: ../governance/steering/charter.md#voting
[SC]: ../governance/community-structure.md#steering-committee
[WG]: ../governance/community-structure.md#working-groups
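Review bot: the `[SC]` and `[WG]` reference definitions are kept although the only text that used them was removed in this hunk; unless the paragraph above line 4 still references them, drop both so the README does not carry dangling definitions. Since the two removed sections now live in `adding-modifying-guidelines.md` and `guidelines-to-policies.md`, consider adding a short list under "This directory will contain all guidelines recommended." that links to them, otherwise readers who land on the README no longer learn how a guideline is proposed or promoted.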
diff --git a/docs/community-guidelines/adding-modifying-guidelines.md b/docs/community-guidelines/adding-modifying-guidelines.md
new file mode 100644
index 00000000..d4a67053
--- /dev/null
+++ b/docs/community-guidelines/adding-modifying-guidelines.md
@@ -0,0 +1,9 @@
+# Adding or Modifying Community Guidelines
+
+This document is a [community guideline].
+
+- New community guidelines or changes to existing ones can be suggested by anyone by raising a PR and notifying the [Community Structure WG] using the mailing list for consideration.
+- Then the members of the [Community Structure WG] should discuss this issue in their WG meetings and approve the PR for it to become a recommendation.
+
+[community guideline]: ./README.md
+[Community Structure WG]: ../governance/community-structure.md#working-groups
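Review bot: in the second bullet, "discuss this issue" is ambiguous because the first bullet talks about a PR, not an issue; "discuss the proposal" (or "the PR") reads unambiguously. It would also help to say where the outcome is recorded (a PR approval from a WG member, or a note in the WG meeting minutes) so that "approve the PR for it to become a recommendation" is verifiable after the fact.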
diff --git a/docs/community-guidelines/content-standards-and-practices/control-definitions.md b/docs/community-guidelines/content-standards-and-practices/control-definitions.md
index 2b418ef0..fc86fcd0 100644
--- a/docs/community-guidelines/content-standards-and-practices/control-definitions.md
+++ b/docs/community-guidelines/content-standards-and-practices/control-definitions.md
@@ -8,7 +8,7 @@ Each service category in the CCC Taxonomy should have its own set of control def
To streamline maintenance, the CCC project maintains a list of [common controls].
-Each service category’s `controls.yaml` file references these by listing their IDs under the top-level `common_controls` value. During the release pipeline, our [delivery tooling] compiles these common controls into the final document alongside any specific controls. In the final output, both types of controls are presented consistently, with the unique identifier being the only difference.
+Each service category’s `controls.yaml` file references these by listing their IDs under the top-level `common_controls` value. During the release pipeline, our [Delivery Toolkit] compiles these common controls into the final document alongside any specific controls. In the final output, both types of controls are presented consistently, with the unique identifier being the only difference.
### Common Controls
@@ -56,6 +56,70 @@ A control family refers to a group of related security controls that are organiz
The list of control families is maintained in the [common controls] data.
[common controls]: /services/common-controls.yaml
-[delivery tooling]: /delivery-tooling
+[Delivery Toolkit]: /delivery-toolkit
[threats]: ./threat-definitions.md
[ref]: https://www.cisa.gov/sites/default/files/2023-02/tlp-2-0-user-guide_508c.pdf
+
+## Style Guide for Test Requirements
+
+### Structure
+
+Test requirements must follow a **"When-Then-MUST/MUST NOT"** structure to ensure they are **actionable, specific, measurable, and verifiable**:
+
+1. **When**: Describe the triggering condition or scenario under which the test is applied.
+2. **Then**: Specify the expected outcome of the test in a clear and measurable manner.
+3. Use **MUST** or **MUST NOT** to define mandatory conditions.
+
+This approach ensures that test requirements are actionable by providing clear instructions for verification, making them easy to implement and audit.
+
+> **Note:** The **Then** statement does not need to be explicitly written if the expected outcome is clearly implied by the **When** condition and the use of **MUST** or **MUST NOT**.
+
+### Examples
+
+#### Good Example
+
+```yaml
+test_requirements:
+ - id: CCC.VPC.C01.TR01
+ text: |
+ When a subscription is created, the subscription MUST NOT
+ contain default network resources.
+ tlp_levels:
+ - tlp_amber
+ - tlp_red
+```
+
+#### Why It’s Good
+
+- Clearly describes the triggering condition ("When a subscription is created").
+- Specifies the measurable outcome ("MUST NOT contain default network resources").
+- Provides clear verification criteria, making it actionable and easy to test.
+- Aligns with the control objective by verifying a critical security configuration.
+
+#### Bad Example
+
+```yaml
+test_requirements:
+ - id: CCC.VPC.C01.TR01
+ text: |
+ A subscription MUST NOT have default networks.
+ tlp_levels:
+ - tlp_amber
+ - tlp_red
+```
+
+#### Issues
+
+- Missing the "When-Then" structure.
+- Ambiguous context for the condition.
+- Lacks specificity about how to verify the requirement.
+- Does not align directly with the control objective or provide measurable verification.
+
+### Best Practices
+
+1. **Actionable Requirements**: Define test requirements that are specific, measurable, and verifiable.
+2. **Clarity and Specificity**: Ensure test requirements clearly articulate the triggering condition and expected outcome.
+3. **When-Then Structure**: Clearly define the triggering condition (_When_) and expected result (_Then_) for clarity.
+4. **Mandatory Language**: Use **MUST** or **MUST NOT** to convey non-negotiable requirements.
+5. **Avoid Ambiguity**: Avoid vague terms like "should" or "could."
+6. **Alignment with Control Objective**: Ensure test requirements align with and verify the control objective effectively.
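Review bot: the note says the "Then" clause may be omitted, and the one Good Example does omit it, so the guide never shows the full When-Then-MUST form it asks for; please add a second good example with an explicit Then (for instance a requirement where the outcome is a log entry or an alert rather than the absence of a resource), since that is the case where contributors most often leave the outcome vague. Two of the four bullets under "Issues" ("Lacks specificity about how to verify" and "Does not align directly with the control objective") are not actually evidenced by the bad example, which differs from the good one only in the missing "When" clause; either trim those bullets or make the bad example exhibit them. Minor: both examples reuse the ID `CCC.VPC.C01.TR01`, which is fine for illustration but worth saying so readers do not copy it.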
diff --git a/docs/community-guidelines/content-standards-and-practices/feature-definitions.md b/docs/community-guidelines/content-standards-and-practices/feature-definitions.md
index 0a2f4ee6..8620de54 100644
--- a/docs/community-guidelines/content-standards-and-practices/feature-definitions.md
+++ b/docs/community-guidelines/content-standards-and-practices/feature-definitions.md
@@ -8,7 +8,7 @@ Each feature definition should be created for a service in the CCC Taxonomy, wit
To streamline maintenance, the CCC project maintains a list of [common features].
-Each service category’s `features.yaml` file references common features by listing their IDs under the top-level `common_features` value. During the release pipeline, our [delivery tooling] compiles these common features into the final document alongside any specific features. In the final output, both types of features are presented consistently, with the unique identifier being the only difference.
+Each service category’s `features.yaml` file references common features by listing their IDs under the top-level `common_features` value. During the release pipeline, our [Delivery Toolkit] compiles these common features into the final document alongside any specific features. In the final output, both types of features are presented consistently, with the unique identifier being the only difference.
### Common Features
@@ -47,4 +47,4 @@ Although a review from the [Communications WG] is optional, it may be useful if
[common features]: /services/common-features.yaml
[Communications WG]: ../../governance/working-groups/communications/charter.md
-[delivery tooling]: /delivery-tooling
+[Delivery Toolkit]: /delivery-toolkit
diff --git a/docs/community-guidelines/content-standards-and-practices/threat-definitions.md b/docs/community-guidelines/content-standards-and-practices/threat-definitions.md
index a4878a89..c4c4618c 100644
--- a/docs/community-guidelines/content-standards-and-practices/threat-definitions.md
+++ b/docs/community-guidelines/content-standards-and-practices/threat-definitions.md
@@ -8,7 +8,7 @@ Each threat definition corresponds to a service in the CCC Taxonomy, with every
To streamline maintenance, the CCC project maintains a list of [common threats].
-Each service category’s `threats.yaml` file references these common threats by listing their IDs under the top-level `common_threats` value. During the release pipeline, our [delivery tooling] compiles these common threats into the final document alongside any service-specific threats. In the final output, both types of threats are presented consistently, with the unique identifier being the only difference.
+Each service category’s `threats.yaml` file references these common threats by listing their IDs under the top-level `common_threats` value. During the release pipeline, our [Delivery Toolkit] compiles these common threats into the final document alongside any service-specific threats. In the final output, both types of threats are presented consistently, with the unique identifier being the only difference.
### Common Threats
@@ -28,16 +28,54 @@ When creating or updating a `threats.yaml` file for a service category, follow t
2. **Define Specific Threats**: If a threat is unique to the service category, document it in the `threats` section of the `threats.yaml` file.
3. **Consider Generalization**: If a specific threat could apply to at least three other service categories, evaluate whether it can be generalized and added to the [common threats] list.
-## Threat Definition Format
+## Threat Definition Style
To maintain consistency, all threats—whether common or specific—must follow the same format, style, and tone. Each threat should adhere to the [threats template] before release.
+### Definition of a Threat
+
+According to **NIST SP 800-30 Rev. 1**, a threat is defined as:
+
+> **"Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service."**
+
+This definition emphasizes that a threat focuses on potential adverse impacts, not necessarily malicious intent.
+
+### Neutral Approach to Threat Descriptions
+
+#### Key Differences
+
+| **Aspect** | **Good Example** | **Bad Example** |
+| ---------------------- | ------------------------------------------------------------ | --------------------------------------------------------- |
+| **Neutral Tone** | Describes the condition neutrally. | Attributes the issue to an "attacker," assuming intent. |
+| **Focus on Condition** | Focuses on what went wrong and potential consequences. | Assumes exploitation and focuses on malicious actions. |
+| **Objectivity** | Leaves room for non-malicious scenarios (e.g., human error). | Frames the issue exclusively as a malicious exploitation. |
+
+#### Examples
+
+**Good Example**:
+**Title**: Access Control is Misconfigured
+**Description**:
+Misconfigured access controls may grant excessive privileges or fail to restrict unauthorized access to sensitive resources. This could result in unintended data exposure or unauthorized actions being performed within the system.
+
+**Bad Example**:
+**Title**: Access Control is Misconfigured
+**Description**:
+An attacker can exploit misconfigured access controls to gain excessive privileges or unauthorized access to sensitive resources. This could lead to data breaches or malicious actions within the system.
+
+### Best Practices
+
+1. **Neutral Tone**: Describe threats in a neutral, objective manner without assuming malicious intent or attributing actions to an attacker.
+2. **Focus on Conditions and Consequences**: Highlight the misconfiguration, condition, or situation that might result in an undesirable outcome, not the actor causing it.
+3. **Avoid Redundancy**: Ensure that new threats are distinct from existing ones and do not overlap unnecessarily.
+4. **Clarity and Precision**: Use clear language that conveys the nature and impact of the threat effectively to a broad audience.
+5. **Consistent Formatting**: Follow the specified structure and guidelines for all entries to maintain uniformity.
+
### Threat Definition Values
When creating a new threat definition, use the following values:
- **Threat ID** (`id`): A unique identifier for the threat, following the format `.TH<#>`.
-- **Threat Title** (`title`): A short name or title that succinctly describes the threat.
+- **Threat Title** (`title`): A short name or title using Title Case that succinctly describes the threat.
- **Threat Description** (`description`): A detailed description of the threat, including its nature and potential impact.
- **Feature IDs** (`features`): A list of IDs for the corresponding CCC features that this threat is associated with.
- **MITRE ATT&CK Technique** (`mitre_technique`): The unique identifier for the most relevant MITRE ATT&CK Technique.
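Review bot: the "Key Differences" table under "Neutral Approach to Threat Descriptions" refers to a Good Example and a Bad Example that only appear in the following subsection, so it reads better placed after the two examples, and the section would benefit from one sentence up front stating the rule (describe the condition and its consequence, not an actor). The guidance should also say how the neutral wording relates to the `mitre_technique` value listed below, since ATT&CK techniques are adversary behaviours: presumably the technique records how the condition could be leveraged, and saying so avoids contributors reintroducing "an attacker ..." phrasing just to justify the mapping. Separately, the `id` bullet in the context lines shows the format as `.TH<#>`, which looks like it lost its prefix (the service or common-threat identifier that precedes `.TH`); please check the rendered file.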
@@ -51,5 +89,5 @@ This structure ensures that threats are standardized and can be consistently ide
[common threats]: /services/common-threats.yaml
[Communications WG]: ../../governance/working-groups/communications/charter.md
-[delivery tooling]: /delivery-tooling
+[Delivery Toolkit]: /delivery-toolkit
[threats template]: ../../resources/templates/threats.yaml
diff --git a/docs/community-guidelines/guidelines-to-policies.md b/docs/community-guidelines/guidelines-to-policies.md
new file mode 100644
index 00000000..bb2bad0b
--- /dev/null
+++ b/docs/community-guidelines/guidelines-to-policies.md
@@ -0,0 +1,18 @@
+# Upgrading a Recommendation to become a Policy
+
+This document is a [community guideline].
+
+In order for a community guideline to become a community policy, the guideline must pass a [SC] [vote]. A [vote] can be called for by a [SC] member sponsor or the [Community Structure WG] Lead.
+
+1. A pull request should be made by the [SC] member sponsor or [Community Structure WG] Lead to move the guideline into the [Policies] directory.
+2. The [SC] member sponsor or [Community Structure WG] Lead should call a [SC] [vote] and, if approved by the majority, the PR can be merged and the recommendation is now a policy.
+3. The vote will be initiated on the pull request using [GitVote], enabling [SC] members to cast their votes directly on the associated pull request.
+4. The voting period will remain open for 7 days.
+5. A majority vote is required for the proposal to pass.
+
+[community guideline]: ./README.md
+[Policies]: ../community-policies
+[vote]: ../governance/steering/charter.md#voting
+[SC]: ../governance/community-structure.md#steering-committee
+[Community Structure WG]: ../governance/community-structure.md#working-groups
+[GitVote]: https://github.com/cncf/gitvote
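Review bot: steps 2 and 3 to 5 describe the same vote twice and in a conflicting order; step 2 already concludes with the PR being merged "if approved by the majority", and only then do steps 3 to 5 say the vote is run via GitVote on that PR, stays open 7 days, and needs a majority. Fold them into one sequence (open PR, sponsor starts the GitVote, 7-day window, majority, merge) and state what "majority" is measured against, all [SC] members or votes cast, and whether a quorum applies, otherwise a vote with two participants could promote a guideline to policy.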
diff --git a/docs/governance/community-guidelines/releases/cmb/README.md b/docs/community-guidelines/releases/cmb/README.md
similarity index 97%
rename from docs/governance/community-guidelines/releases/cmb/README.md
rename to docs/community-guidelines/releases/cmb/README.md
index cbb7317a..1543f1fa 100644
--- a/docs/governance/community-guidelines/releases/cmb/README.md
+++ b/docs/community-guidelines/releases/cmb/README.md
@@ -85,6 +85,6 @@ Appointments shall be permanently revoked in the following cases:
- Repeat abandonment of a stated commitment
- Undermining the process, such as deliberately circumventing or disregarding documented norms
-[Security WG]: ../../../working-groups/security/charter.md
-[Delivery WG]: ../../../working-groups/delivery/charter.md
+[Security WG]: /docs/governance/working-groups/security/charter.md
+[Delivery WG]: /docs/governance/working-groups/delivery/charter.md
[community guideline]: ./README.md
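Review bot: the rewritten `[Security WG]` and `[Delivery WG]` targets use repository-root absolute paths (`/docs/governance/...`), which render on github.com but break in any other renderer or a local preview; from the file's new location the relative equivalents `../../../governance/working-groups/security/charter.md` and `../../../governance/working-groups/delivery/charter.md` work everywhere. The unchanged `[community guideline]: ./README.md` line now points the file at itself (this file is README.md), so it should become `../../README.md` to reach the community-guidelines README as the other new documents do.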
diff --git a/docs/governance/community-guidelines/releases/cmb/feedback-guide.md b/docs/community-guidelines/releases/cmb/feedback-guide.md
similarity index 83%
rename from docs/governance/community-guidelines/releases/cmb/feedback-guide.md
rename to docs/community-guidelines/releases/cmb/feedback-guide.md
index 938013af..a5c3fc6d 100644
--- a/docs/governance/community-guidelines/releases/cmb/feedback-guide.md
+++ b/docs/community-guidelines/releases/cmb/feedback-guide.md
@@ -6,14 +6,14 @@ This is a simple guide for CMB members on how to properly provide feedback withi
1. Navigate to the Discussions Section in GitHub for this project:
- ![Discussions Tab](./imgs/image-1.png)
+ ![Discussions Tab](../imgs/image-1.png)
1. Find an active discussion that's associated with the release you would like to contribute to. You can find it here: [Active Discussions for CMB](https://github.com/finos/common-cloud-controls/discussions/categories/change-management-board-cmb?discussions_q=is%3Aopen+category%3A%22Change+Management+Board+%28CMB%29%22)
- ![CMB Discussion Category with Posts](./imgs/image-2.png)
+ ![CMB Discussion Category with Posts](../imgs/image-2.png)
1. If your issue is unique, please create a new thread in the discussion post by leaving a comment. Otherwise, feel free to leave a comment inside of the thread on the discussion.
- ![Service Comments for Discussion](./imgs/image-3.png)
+ ![Service Comments for Discussion](../imgs/image-3.png)
1. Double check to ensure you put your comment in the right place before hitting the green button!
diff --git a/docs/governance/community-guidelines/releases/cmb/member-responsibilities.md b/docs/community-guidelines/releases/cmb/member-responsibilities.md
similarity index 100%
rename from docs/governance/community-guidelines/releases/cmb/member-responsibilities.md
rename to docs/community-guidelines/releases/cmb/member-responsibilities.md
diff --git a/docs/governance/community-guidelines/releases/cmb/imgs/image-1.png b/docs/community-guidelines/releases/imgs/image-1.png
similarity index 100%
rename from docs/governance/community-guidelines/releases/cmb/imgs/image-1.png
rename to docs/community-guidelines/releases/imgs/image-1.png
diff --git a/docs/governance/community-guidelines/releases/cmb/imgs/image-2.png b/docs/community-guidelines/releases/imgs/image-2.png
similarity index 100%
rename from docs/governance/community-guidelines/releases/cmb/imgs/image-2.png
rename to docs/community-guidelines/releases/imgs/image-2.png
diff --git a/docs/governance/community-guidelines/releases/cmb/imgs/image-3.png b/docs/community-guidelines/releases/imgs/image-3.png
similarity index 100%
rename from docs/governance/community-guidelines/releases/cmb/imgs/image-3.png
rename to docs/community-guidelines/releases/imgs/image-3.png
diff --git a/docs/governance/steering/charter.md b/docs/governance/steering/charter.md
index c7ab951b..911dc53c 100644
--- a/docs/governance/steering/charter.md
+++ b/docs/governance/steering/charter.md
@@ -178,6 +178,7 @@ This document was adapted from the Kubernetes Steering Committee Charter [afb385
[Eligible voters]: elections.md#eligibility-for-voting
[Inclusive Open Source Community Orientation]: https://training.linuxfoundation.org/training/inclusive-open-source-community-orientation-lfc102/
[afb3858]: https://github.com/kubernetes/steering/blob/afb3858/charter.md
+[community groups]: ../community-structure.md#working-groups
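Review bot: a `[community groups]` reference definition is added but no use of `[community groups]` is visible in this hunk; confirm the charter body actually contains that link text, otherwise this is a dangling definition, and if the intended wording is "working groups" (the anchor it points to) the link text should say so.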