Story
Resolution: Unresolved
Red Hat Standard:
- Red Hat Offerings must ensure the build process complies with all Product Security Supply Chain policies, including:
  - All services, tools, and infrastructure (STIs) related to the Red Hat productization pipeline will be registered within the Red Hat Configuration Management Database (CMDB) with appropriate data and asset owners.
  - All services, tools, and infrastructure in the productization pipeline used to develop, compose, maintain and deliver these offerings must be certified with a Security Operating Approval (SOA) prior to supplying customers with products or services. Once granted, an SOA must be reviewed and re-certified no less than annually by Product Security to maintain pipeline security compliance.
Evidence:
- Attestation that the offering is following the policies as written
More information about this practice can be found here.