OpenChain-Project / Security-Assurance-Specification


[Improvement] SMK20 - Customer agreement ask may be too much #16

Closed shanecoughlan closed 6 months ago

shanecoughlan commented 1 year ago

SMK20: 3.3.2 Security Assurance and 2.2 Customer Agreement: Really? Get Customer Agreement? That seems implausible.

(see https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/8 for previous work on this)

From that issue:

Talked on the monthly call 2022-11-01 about:

SMK20: 3.3.2 Security Assurance and 2.2 Customer Agreement: Really? Get Customer Agreement? That seems implausible.

3.3.2 needs to be explored to see if it is a little difficult in certain markets and if we could or should explore options such as referring to public security stances as a requirement instead.

Dr-wood commented 6 months ago

@shanecoughlan I reviewed the text. 3.3.2 contains a modified version of the text that appears to have changed the wording related to obtaining Customer Agreement from a requirement to an "as necessary". This change makes it much easier to read as a suggestion and not a mandatory requirement.