The SDLC Controls Framework Working Group aims to create a shared, open reference library for software governance controls across the financial services industry. By establishing common definitions, implementations, and patterns, we reduce duplication, prevent drift, and enable institutions to focus on innovation rather than reinventing control frameworks.
This repository contains the documentation and website, generated via Jekyll.
The financial services industry faces an increasingly complex regulatory landscape where:
- Each institution interprets and implements its own SDLC controls — leading to massive duplication of effort
- No common language exists — making collaboration and benchmarking difficult across institutions and vendors
- Significant drift occurs — as institutions independently evolve their controls, wasting industry-wide resources
- Vague requirements persist — controls are either too generic to be actionable or too specific to be reusable
A composable, technology-agnostic controls catalogue that provides:
- Common definitions for SDLC controls used across financial services
- Reference implementations with concrete patterns and examples
- Shared vocabulary enabling clear communication between institutions, vendors, and regulators
- Flexible framework where institutions can select applicable controls while maintaining their unique requirements
- Bi-weekly calls (every 2 weeks on Mondays): Join via Zoom — alternating between a regular call and a 3-hour workshop session, both on the same dial-in. See the FINOS calendar for dates.
- Mailing list: Send an email to sdlc-framework+subscribe@lists.finos.org
- Background: Issue #261 — Software Development Lifecycle Common Controls Catalogue Framework
- Introductory talk from OSFF NY 2025: An Open SDLC Controls Framework for Financial Services
- Share your controls — help us understand how your institution defines and implements SDLC controls
- Review definitions — provide feedback on proposed control definitions
- Contribute patterns — share implementation examples and best practices
- Join discussions — participate in working group meetings and online discussions
This project operates under the FINOS DevOps Automation Special Interest Group (SIG) and follows FINOS governance principles.
Meeting minutes are posted as issues in the DevOps Automation repository with the prefix "SDLC Framework WG Bi-weekly call".
See MAINTAINERS.md for the list of participating organisations and maintainers.
You will need Ruby and Bundler installed, then run the site locally using the following:

```shell
cd docs
bundle install
jekyll serve
```

If all goes well, view your freshly minted site at http://127.0.0.1:4000. It should 'hot reload' (Jekyll does its thing) so you can edit and see your changes in the browser.
If you don't have Ruby installed, you can use Docker to run the site locally.
```shell
cd docs
docker run --rm -v "$PWD:/srv/jekyll" -p 4000:4000 jekyll/jekyll jekyll serve
```

Then visit http://127.0.0.1:4000 to view the site.
Copyright © 2025 Fintech Open Source Foundation
This work is licensed under a Creative Commons Attribution 4.0 International License.
SPDX-License-Identifier: CC-BY-4.0
