Revise core indicators for software maturity assessment

[ricardomiron]

Updated the core indicators document to define maturity indicators used by the DPG Maturity Model, including detailed descriptions and maturity levels across various pillars.

Restructure core indicators based on DPG Maturity Model

Summary

This PR replaces the initial draft of core-indicators.md with a comprehensive, research-informed indicator framework based on the initial maturity models. The update restructures the document from 7 loosely defined pillars with 8 single-row indicators into 6 well-defined pillars containing 18 indicators (15 core + 3 optional), each with detailed three-level rubrics, audience tags, and product type applicability.

---

What changed

Structural overhaul

Aspect	Before	After
Pillars	7 (including one marked "Suggestion")	6 (5 core + 1 optional)
Indicators	8 total (1 per pillar, except Pillar 2 with 3)	18 total (15 core + 3 optional)
Maturity levels	LOW / MED / HIGH	Emerging / Growing / Mature
Level definitions	None — levels were implicit	Explicit table defining what each level signals
Audience tagging	None	Each indicator tagged for Maintainers, Implementers, Funders, and/or Contributors
Product type applicability	Software-only	Each indicator marked for Software, Data, Content, and/or AI

---

Methodology

This restructuring was informed by a review of 17 established maturity frameworks, including:

• DPG/Global Goods-specific: Digital Square GGMM, Digital Square Shelf-Readiness Matrix, UNICEF Djenga, DPGA Standards & Best Practices categorization, GovStack Building Blocks, DIAL Digital Impact Exchange
• Open source-specific: Apache Software Foundation Project Maturity Model, CNCF Maturity Levels, OpenSSF Scorecard, CHAOSS Metrics, FINOS OSMM, TODO Group OSPO Maturity Model
• General software/process: CMMI, ISO/IEC 33000 (SPICE), OpenChain/ISO 5230

---

How to review

1. Structure: Verify that the 6-pillar organization makes logical sense and that indicators are placed under the right pillar.
2. Rubric clarity: Read through the Emerging / Growing / Mature descriptions — are they clear enough for a product owner to self-assess?
3. Gaps: Are there critical maturity dimensions missing, particularly for data, content, or AI product types?
4. Overlap with DPG Standard: Confirm that no indicator re-assesses something already required by the DPG Standard's 9 indicators.
5. Audience tags: Do the tags correctly reflect which audiences care most about each indicator?

Mapping from old indicators

Old Indicator	New Indicator(s)	Notes
1.1 Governance	1.1 Governance Model	Expanded rubric, same intent
2.1 Secure Development	2.2 Security Practices	Consolidated with old 2.3 Security Controls
2.2 Regulatory Data Compliance	Removed	Covered by DPG Standard
2.3 Security Controls	2.2 Security Practices	Merged into single indicator
3.1 Open Standards	4.1 Open Standards Adoption	Moved to Pillar 4, refined rubric
4.1 Product Roadmap	1.3 Product Roadmap	Moved to Pillar 1 (Governance)
5.1 Source Code Accessibility	Removed	Covered by DPG Standard (open licensing)
6.1 TCO	6.1 Total Cost of Ownership	Enriched rubric, now optional pillar
7.1 Composability	2.3 Architecture & Extensibility	Formalized as core indicator
New	1.2 Community Contribution	—
New	2.1 Quality Assurance	—
New	3.1 Deployment Tooling	—
New	3.2 Documentation Depth	—
New	3.3 Internationalization & Localization	—
New	3.4 Accessibility	—
New	4.2 Integration Readiness	—
New	5.1 Funding & Business Model	—
New	5.2 Maintenance Activity	—
New	5.3 User & Implementer Support	—
New	6.2 Vendor & Implementer Ecosystem	—
New	6.3 Adoption Tracking	—

[ricardomiron]

For the updated questionnaire.md, several changed where also made:

Practice Checklist Mapping

All practice checkboxes are cumulative positives — they only list things the product has in place. There are no "absence" statements. The more practices checked, the higher the maturity level. The suggested scoring logic is: the highest level for which all key practices are checked determines the indicator's maturity level. If no practices are checked, the indicator defaults to Emerging.

Suggested Scoring Logic

For each indicator, the web tool can derive a maturity level from the checked practices:

1. If no practices are checked → Emerging (default)
2. If all key Growing-level practices are checked → Growing
3. If all key Growing-level practices AND multiple Mature-level practices are checked → Mature

All checkboxes are cumulative positives — they only list things the product has in place. If nothing is checked, the indicator defaults to Emerging. This eliminates contradictory statements and keeps the form intuitive: check what you have, and the tool suggests a level.

The product owner should still confirm the derived level (step 1) to account for context not captured by checkboxes. This creates a "suggest then confirm" flow where the tool proposes a level based on evidence and the product owner can adjust.

[Ta1ch0ri]

The structural imporvement make sense. Two areas of feedback.

The number of indicator has more than doubled (7-> 16). This expansion raises several concerns.

1. A minimum set of indicators makes easier for DPG product owners to self assess. A 16 indicator assessment risks becoming a barrier rather than an entry point. Complexity at the door discourages DPG owners usint this tool. In the previous 7 indicators, we tried to make it high level so that DPG product owners can answer to the assessment easily.

2. I agree that two indicators should be removed as it is covered by DPG standard. But, newly added indicators like 5.1 Funding and Business Model, 6.2 Vendor and Implementer Ecosystem are outside of technicalviability scope. It seems like organizational viability and it is difficult to evaluate.

My suggestion is to tag each indicators not only by Audience but also technical and organizational. Then, we can see technical maturity and organizational maturity separately.

I like the approach "Cumulative positives only". I fully agree to change the level of indicators low, med and high to Emerging,growing and mature. Also, Audience tagging is also interesting idea and I like that approach.