Create table and directories for working groups and

- Create community/working-groups directory

- Adds table of active working groups to readme

Author: anvega

community/automated-governance/README.md

@@ -0,0 +1,28 @@
+# Automated Governance
+
+The TAG has advanced secure software practices with the Secure Software Factory Reference Architecture Paper. Building on this, the new initiative will provide guidelines for automated governance in cloud-native environments, focusing on integrating security, compliance, and auditability into CI/CD pipelines to automate and operationalize governance and compliance practices.
+
+## Goals
+
+- Provide guidelines and best practices for implementing automated governance processes in cloud native environments.
+- Integrate security, compliance, and auditability into CI/CD pipelines.
+- Streamline compliance processes and enhance the overall security posture of cloud native applications.
+
+## Scope
+
+The scope of this project includes:
+
+- Research and analysis of current automated governance practices.
+- Development of a comprehensive reference architecture.
+- Creation of best practice guidelines and documentation.
+- Potential development of tooling or integration patterns for common CI/CD platforms.
+
+## Meeting Information
+
+- **Meeting:** Every 2 weeks on Tuesday at 2:00 PM Pacific Time (US and Canada) ([Calendar Invite](https://zoom.us/meeting/tJUtduGoqz4qGddkUvgs3jVjzUEY6Y8MEcT6/ics?icsToken=98tyKuCprjoiGtGQsBqERowcAoj4WfTwmCVfjadZlyrzBDMAaDX8LNdnC-RGSPX1))
+- **Meeting Notes:** [Google Docs](https://docs.google.com/document/d/1sa_dBQifM8Fbp1tmNEkdoZKYXMw4pCPv_TcGBy6M4O0/)
+
+## Contact
+
+- **Lead:** Andrés Vega, Brandt Keller
+- **Slack Channel:** [Link](https://cloud-native.slack.com/archives/C06B26A12AF)

community/catalog/README.md

@@ -0,0 +1,9 @@
+# Catalog of Supply Chain Compromises
+
+The Catalog of Supply Chain Compromises provides real-world examples that help raise awareness and provide detailed information that lets us understand attack vectors and consider how to mitigate potential risk.
+
+For information on how to contribute, check the [catalog](/supply-chain-security/compromises) directly.
+
+## Contact
+
+- **Lead:** Santiago Arias Torres

community/compliance/README.md

@@ -0,0 +1,35 @@
+ Compliance Working Group
+
+Cloud Native systems shift technical and human workflows. The community has researched cloud native security, tackling software vulnerabilities, risk management, dependencies, GitOps, supply chain provenance, malicious attacks, threat models, and security assessments. Organizations must comply with privacy and data protection laws, ensuring compute and data integrity. These concerns require both technical configurations and complex human orchestration, especially for audits needing reviewable artifacts.
+
+Bridging technical issues with legal and regulatory workflows, the aim to prevent system breaches while addressing supply chain, operator, data, and AI failures. Focusing on auditability, non-repudiation, and forensic evidence, it plans to curate vendor-neutral tools for evidence collection, chain-of-custody in audits, and automated workflows for continuous compliance.
+
+The key focus areas include:
+
+Creating a knowledge base and case studies on operating a cloud native environment within legal and regulatory requirements. These requirements encompass not just technical security but also human activities, system availability, continuity of operations, and data location, sovereignty, and provenance.
+
+Generating compliance as code examples, templates, and tools for automating both technical and non-technical requirements, control assessment, data analysis, audit, and compliance remediation workflows benefiting CNCF projects and their users.
+
+Reviewing industry and governmental standards (e.g., NIST, PCI, HIPAA) from a cloud native perspective and advising the CNCF community on implementing and supporting these compliance requirements to enable best practice adoption by various organizations.
+
+## Responsibilities
+
+- Users/personas/needs/customer demands for industry and regulatory compliance (both human and technical)
+- Identifications of areas of focus e.g. human workflows, automated workflows, analytical tools, audit and assessment tools, technical security controls that cut across components and systems and clouds, etc
+- Framework for evaluation, audit and reporting - how do products and tools demonstrate compliance?
+- Training and automation - what is missing, what is difficult to understand, what knowledge gaps are there?
+- Work on integrating common tooling across different projects, particularly where that tooling is a CNCF project (but the targets may not be)
+- Cross project focus on the projects and efforts the CNCF is funding, helping projects identify needs and providing subject matter expertise to assist
+- Recommendations of integrating security tooling with compliance tooling and processes - making both the synergies and unique separations of concern explicit and achieving community consensus.
+- Growing CNCF external relationships with interested parties, e.g. NIST and other compliance standards bodies such as FINOS, OSCAL, OpenSSF
+
+## Meeting Information
+
+- **Weekly Meetings:** 10:00 AM Eastern Time (US and Canada)
+- **Meeting Link:** [Zoom Meeting](https://zoom.us/j/92729235315?pwd=ZFIxU3RSanlVODh4a1g2SFdJOGpoZz09)
+- **Meeting Notes:** [Meeting Notes Link](https://docs.google.com/document/d/1z9xvt-Z97j4CtEH1-nR9sMWul7jQkUi_fNY7BdMPgxM/edit#heading=h.88owgl3gm8w4)
+- **Calendar Invite:** See [CNCF calendar](https://calendar.google.com/calendar/u/0/embed?src=0b8u5el8ta4s93t2cm72tuvhhk@group.calendar.google.com&ctz=America/Los_Angeles) for invite
+
+## Contact
+
+- **Leads:** Anca Sailer (@ancatri), Robert Ficcaglia (@rficcaglia)

community/controls/README.md

@@ -0,0 +1,18 @@
+# Controls
+
+## Overview
+
+The controls catalog ensures the usability of CNCF deliverables by GRC professionals and Auditors of Cloud Native systems. The primary goal is to support quickly identifying the controls status of cloud-native environments, and methods to share the output of those assessments in machine readable formats (OSCAL, JSON, etc.). These outputs should also map to existing frameworks and regulations (CSA, NIST, FedRAMP, SOX, GDPR, etc.), and provide guidance to properly validate and verify administrative and technical controls.
+
+## Impact
+
+This initiative aims to provide a method for assessing environments against a standardized set of controls mapped to relevant frameworks and regulations, enabling easier compliance and security assessments in cloud native environments.
+
+## Meeting Information
+
+- **Meeting Notes:** [Google Docs](https://docs.google.com/document/d/1ARLHrZ4SKIEwnSKgDaa39vS19dVIH45RjfERBaJ1vlg/edit?usp=sharing)
+
+## Contact
+
+- **Lead:** Jon Zeolla
+- **Slack Channel:** [Link](https://cloud-native.slack.com/archives/C023TTU27KN)

community/research/README.md

@@ -0,0 +1,11 @@
+# Security TAG Research
+
+The Security TAG (STAG) group members often have good ideas they want to get out to the broader community. We've started to write up blog entries, etc. It may be useful to have a process to have them come out from STAG and be marketed as such.
+
+## Example Article
+
+- [Security of Software Update Systems in 2023](https://thenewstack.io/security-of-software-update-systems-in-2023/)
+
+This will help others get security awareness and bring in new contributors to TAG Security.
+
+It will take a week to a month for the authors of each post depending on the content. There will be some minor work for the organizers to choose the topics and coordinate logistics. Most likely, the group will publish 3-4 of these a year, so that work will not be onerous.

community/supply-chain-security/README.md

@@ -0,0 +1,14 @@
+# Software Supply Chain Security
+
+Software Supply Chain attacks have come to the wider community's attention following a recent high-profile attack, but have been an ongoing threat for a long time. With the ever-growing importance of free and open source software, software supply chain security is crucial, particularly in cloud native environments where everything is software-defined.
+
+## Meeting Information
+
+- **Weekly Meetings:** 8:00 AM Pacific Time (US and Canada)
+- **Meeting Link:** See CNCF calendar for invite
+- **Meeting Notes:** [Google Docs](https://docs.google.com/document/d/170y5biX9k95hYRwprITprG6Mc9xD5glVn-4mB2Jmi2g/edit#heading=h.xkkh09c7ni6)
+
+## Contact
+
+- **Lead:** Marina Moore, Michael Lieberman, John Kjell
+- **Slack Channel:** [Link](https://cloud-native.slack.com/archives/C01KL0B4LKC)