Open Source Dependency Readiness Checklist

Use this checklist when your team is preparing for a review, adoption decision, SBOM effort, governance conversation, AI tooling evaluation, or contribution plan.

1. Know what you depend on

  • Which open source projects, packages, frameworks, models, and tools are in use?
  • Where are they used: production systems, internal tools, vendor workflows, AI experiments, or public-facing services?
  • Who owns each dependency inside the organization?
  • Which dependencies are critical to mission delivery, security, compliance, or operations?

2. Understand the obligations

  • What licenses apply?
  • Are any dependencies subject to legal, procurement, grant, privacy, accessibility, or security review?
  • Are there hosted services, telemetry defaults, plugins, model terms, or third-party integrations that need attention?
  • Which questions should be reviewed with counsel?

3. Evaluate ecosystem health

  • Who maintains the project?
  • How active are releases, security updates, issue triage, and governance?
  • Is the project backed by a foundation, vendor, community, or small maintainer group?
  • What would happen if the project slowed down, changed direction, or became unavailable?

4. Decide how adoption should work

  • What criteria determine whether a project is acceptable to adopt?
  • Who can approve new open source use?
  • When does a dependency require security, privacy, legal, procurement, or leadership review?
  • How are exceptions documented?

5. Plan for participation

  • Are there projects your organization should contribute to, sponsor, or support?
  • What can your teams safely share back?
  • Who approves contribution, public communication, or community engagement?
  • How does participation connect to maintainability, trust, and long-term risk?

6. Make the work repeatable

  • Is there an intake workflow?
  • Is there a clear policy?
  • Are SBOMs generated, reviewed, and maintained where they are useful?
  • Do teams know where to bring questions?
  • Can leadership understand the decision path without reading every technical detail?

When to ask for help

Bring in support when the decision is important, the stakeholders are not aligned, the review path is unclear, or the dependency may become part of critical infrastructure.

Next step: Start the conversation.