I wonder why they decided not to release it under a Free Content license. Looking at the actual text, there is no detail about the license terms at all; and there's a request that people not forward the document on the download page. It seems rather oddly proprietary and locked down for a FOSS organization. I can understand a desire to capture people's contact info, but this seems unnecessarily heavy-handed.
In reading over the checklist, it's very buzzword heavy, but seems to have its heart in the right place. The report consistently uses "OSS", not "FOSS" or one of the other formulations. I suspect the elision of any reference to the FSF, no matter how slight, is not accidental.
Some elements that I particularly noticed included the following.
"The organization periodically reviews commercial and open source tools to assess the costs and benefits of their use in discovering OSS in code baselines." -- Commercial and open source are not opposites. It would be better if material from the Linux Foundation, of all people, didn't make this mistake.
"An open source review board is used to review and approve planned uses of OSS in products for distribution." -- This seems somewhat oddly centralized. I assume all uses of proprietary software from third-party suppliers aren't required to go through a single "review board"... or is such an arrangement typical? I can understand the desire -- it enables particular FOSS licenses to be accepted once, rather than having to be checked multiple times, but it still seems more bureaucratic than necessary.
"If determined to be necessary, efforts to re-write copyrighted code as proprietary software under cleanroom conditions are carried out according to a defined procedure." -- Is it really appropriate for a FOSS organization to be endorsing the development of cleanroom proprietary re-implementations of FOSS projects? Or is this discussing something else?
"Growth of an internal community of OSS users is encouraged in order to provide organizational guidance and leadership with respect to the use of OSS in an ethical and compliant way." -- Glad to see the mention of "ethical" in there.
"The compliance team verifies that source code can be built outside the organizations build environment." -- Important and easily missed point. Good that it's included.
And a few typos (which I really ought to have emailed privately, but was dissuaded by the registration requirement):
"the companys law department." -- Shouldn't that be "legal department"?
"Estimates of one-time and overhead activities are estimated and tracked" -- Missing a period.