Governance model
Principles, Structure, and Best Practices

CyberTOMP® is an open framework primarily designed to serve public sector entities, addressing their unique challenges such as a high dependency on third-party service providers, limited agility in adopting changes, and the complexity of managing large supply chains. While its principles and practices are optimized for governmental and public service organizations, the framework remains adaptable and can also be applied in private sector contexts where similar governance challenges exist.

Purpose

The purpose of this section is to define how the CyberTOMP® Framework evolves within an open and collaborative community. Rather than governing adoption, this governance model focuses on guiding the continuous improvement of a framework tailored to public sector realities, while remaining flexible for broader use. It ensures that changes are transparent, inclusive, and aligned with the framework’s core principles.

Governance Principles

The evolution of CyberTOMP® is guided by a set of principles that reflect the spirit of openness, collaboration, usefulness, and robustness:

  • Transparency: All decisions, discussions, and changes are documented and accessible to the community.
  • Inclusivity: Every member of the community has the opportunity to contribute ideas and feedback.
  • Neutrality: Decisions are made in the interest of the framework and its users, avoiding favoritism or commercial bias.
  • Continuous Improvement: The framework should adapt to emerging needs, technologies, cyber threats, and best practices without losing its foundational values.
  • Evidence-Based Evolution: Changes to the framework must be supported by empirical evidence, such as documented research, pilot projects, or credible third-party studies, rather than unverified personal opinions.
  • Broad Applicability: Enhancements should provide value to a wide range of organizations and contexts, avoiding highly specific or niche improvements that benefit only a limited set of use cases.
  • Public Sector Priority: The framework’s evolution should prioritize the needs of public sector entities. Private sector considerations are welcome only if they do not compromise essential public requirements.

Scope

This governance model applies to:

  • The process for proposing, reviewing, and approving changes to the whole framework and all its subprojects.
  • The roles and responsibilities of individuals and groups involved in its evolution.
  • Mechanisms for resolving disagreements and maintaining community harmony.

It does not govern:

  • How organizations implement or adopt CyberTOMP®.
  • Specific technical deployments or proprietary/derivative adaptations.
  • Actions required to grant third parties permissions to use the CyberTOMP® trademark and associated logo, as defined in the Trademark section.

Governance Structure

The governance model is built around collaborative roles:

  • Steering Committee: A group responsible for reviewing proposals, ensuring alignment with principles, and guiding strategic direction. The Steering Committee will be a collegial body composed of members of the GITACA research group, as the initial promoters of the project. However, this does not preclude the possibility that, in the medium term, other individuals may join if, in the judgment of the Steering Committee itself, they have demonstrated an exceptional commitment to the project and its objectives.
  • Open Community: Contributors who share ideas, provide feedback, and participate in discussions and voting. Community members are welcome to submit their work for consideration as part of the CyberTOMP® Framework, provided it aligns with the overall governance model and adheres to the guidelines set forth in the Contributions section.
  • Facilitators: Individuals who moderate conversations, manage collaborative platforms, and ensure smooth communication. Facilitators will be appointed from among community members by the Steering Committee, provided they have demonstrated a strong commitment to the principles outlined in the Code of Conduct.


Evolution Process

The process for evolving CyberTOMP® is designed to be open and structured:

  1. Proposal Submission: Any community member can submit a change proposal through the official repository following the guidelines set forth in the Contributions section.
  2. Review Phase: The Steering Committee evaluates the proposal for technical soundness and alignment with principles, while opening it for public comments if necessary.
  3. Approval and Voting: Relevant decisions are made through a transparent vote by the members of the Steering Committee, taking into account compliance with the principles outlined in this governance model and, where applicable, the feedback provided by the broader community. Each decision will be communicated along with the rationale behind it. Minor changes may be approved directly if they meet the requirements established in this governance model.
  4. Publication: Approved changes are documented and integrated into the official framework (model, guides, materials, software…), with version notes and rationale.

Community Participation

Participation is the cornerstone of this governance model. Members can engage through:

  • Public forums and discussion channels.
  • Periodic surveys and voting sessions whenever needed.
  • Collaborative documentation and feedback loops.

Conflict Resolution

Disagreements are addressed through:

  • Mediation by facilitators.
  • Escalation to the Steering Committee if consensus cannot be reached.

Transparency and Accountability

Every decision or change will be documented in each repository using the standard tools provided by GitHub, allowing any community member to generate and review the corresponding changelog.

Licensing and Intellectual Property

CyberTOMP® operates under open licenses that guarantee free access and contribution. Contributors are acknowledged for their work, fostering a culture of recognition and respect. However, to ensure proper management of contributions and to prevent future licensing issues with content, materials, or software, each contributor must accept a Contribution License Agreement (CLA), as described in the Contributions section. The contributor’s acceptance of this CLA does not imply that the proposed contribution will be accepted; acceptance still requires the approvals and validations described in this governance model.