[SM2.2: 60] Verify release conditions with measurements and track exceptions.
Security release conditions (or gates, checkpoints, guardrails, milestones, etc.) are verified for every project, so each project must either meet an established measure or obtain a waiver in order to move forward normally, and the SSG tracks exceptions. In some cases, measures are directly associated with regulations, contractual agreements, and other obligations, with exceptions tracked as required by statutory or regulatory drivers. In other cases, measures yield some manner of KPIs that are used to govern the process. Allowing any project to pass automatically, or granting waivers automatically without due consideration, defeats the purpose of verifying conditions. Even seemingly innocuous software projects must successfully satisfy the prescribed security conditions in order to progress to or remain in production. Similarly, APIs, frameworks, libraries, bespoke code, microservices, container configurations, and so on are all software that must satisfy security release conditions. It’s possible, and often very useful, to verify the conditions both before and after the development process itself. In modern development environments, the measurement process for conditions will increasingly become automated (see [SM3.4 Integrate software-defined lifecycle governance]).