Closed jstclair2019 closed 2 years ago
Hi Jim, we reference the Central Digital and Data Office's security policies fairly heavily. I've just updated the security section to make reference to open source supply chain issues, and to link to Microsoft's Open Source Security summary. I note that most of the OpenSSF's Technical Initiatives have been approved and are in formative stages. As they produce guidance and advisories that can sit alongside the policies of UK Government, I'll be more than happy to reference them here!
Brilliant, @otlah, thanks! I'll be happy to share updates as they develop. We will be making a big splash in additional resources shortly.
We recommend that, either explicitly in the Policy or by reference to another germane policy, Open Source Security be specified as part of the assessment criteria and life cycle management. For reference, please see the Linux Foundation Open Source Security Framework project: https://openssf.org