Technology Portfolio Management (TPM) Best Practices

Overview

Open source governance health metrics reflect the quality and completeness of the organization’s governance of its open source component portfolio. These metrics are distinct from general technical health metrics because open source governance creates specific compliance, security, and supply chain obligations that require their own measurement framework. The open source governance health metrics should be reportable to auditors, regulators, and customers who may request evidence of open source governance maturity as a supply chain security requirement.

Best Practice

Measure and report the following open source governance health metrics on a defined cadence. SBOM coverage: the percentage of applications and technology products in scope for SBOM requirements that have a current, complete SBOM in both SPDX and CycloneDX formats. Reported monthly to the governance function, quarterly to IT leadership. License compliance rate: the percentage of open source components in the Open Source Components Inventory whose license obligations have been assessed and confirmed as compliant with the organization’s license compliance policy. Reported quarterly to IT leadership and the legal or compliance function. Vulnerability remediation velocity: the average time from vulnerability disclosure to remediation completion for open source component vulnerabilities in the portfolio, measured by severity level. Reported monthly to the governance function and security function, quarterly to IT leadership. Supply chain risk score: an aggregate score reflecting the organization’s software supply chain security posture based on component integrity verification coverage, repository security controls, dependency version pinning coverage, and provenance attestation coverage. Reported quarterly to IT leadership and the security governance function.

Benefit(s)

Open source governance health metrics provide the measurement discipline that makes open source governance a continuously improving capability rather than a periodic compliance exercise. SBOM coverage trends reveal whether the SBOM automation program is achieving complete coverage or missing categories of applications or technology products. Vulnerability remediation velocity measures whether the organization is closing the window between vulnerability disclosure and exploitation faster or slower than the threat landscape requires. And supply chain risk scores provide a composite view of the organization’s software supply chain security posture that regulatory frameworks and enterprise customers increasingly require as evidence of supply chain governance maturity.