Where to Start: Establish a relationship with the ProdSec Security Architect assigned to the program. If you do not have a Security Architect, request one by reaching out to.... phruza@redhat.com who will help with Security Architect assignment for your offering 

Background: RH needs to provide customers assurance that Red Hat has the right approach and emphasis to meet and deliver security requirements.  To deliver this assurance, teams must go through the Red Hat Secure Development Lifecycle (RH-SDL) with the ultimate goal of meeting SSML Tier 2 standards. This is a requirement for selling into the US Federal space and into regulated industries going forward

Can I skip this task? You cannot skip this task - you must outline a plan for meeting SDL requirements

What if I need an exception? If you are not in a position to meet the SSML criteria, you will need an exception. Note that the main objective of this exception process is to ensure that there is formal collaboration between the service team and product security and that a reasonable remediation plan is in place. The intent is to support the service team in meeting their goals and planned deliverables. Create a tracker in PSX to link to the document following the process described here and ask your ProdSec architect and stakeholders to review and sign off. Further details about the Product Security Exception process can be found here.  

Deliverable/Completion criteria: 

Getting Help: Ordinarily your Program Manager (PgM) can help with getting a Security Architect assigned to your team. If the PgM is unavailable, an email to  prodsec-request@redhat.com can be used to initiate contact.