Applied feedback to the moving-levels review template (#1387)

* Applied feedback to the moving-levels review template

Signed-off-by: Eddie Knight <[email protected]>

* typofix

Signed-off-by: Eddie Knight <[email protected]>

* linting

Signed-off-by: Eddie Knight <[email protected]>

* Update project-resources/moving-levels-review-template.md

Co-authored-by: Marina Moore <[email protected]>
Signed-off-by: Eddie Knight <[email protected]>

---------

Signed-off-by: Eddie Knight <[email protected]>
Co-authored-by: Marina Moore <[email protected]>
Co-authored-by: Brandt Keller <[email protected]>

ci/spelling-config.json

@@ -26,6 +26,7 @@
         "cisecurity",
         "CISO",
         "cloudcustodian",
+        "CLOMonitor",
         "CMMC",
         "CNCF",
         "CNSC",

project-resources/moving-levels-review-template.md

@@ -1,4 +1,4 @@
-# Template for TAG recommendation to TOC
+# TAG recommendation to TOC
 
 ## Project Overview
 
@@ -8,13 +8,17 @@ What ecosystem adoption has the project seen?
 
 ### Past TOC Reviews
 
-How has the project addressed comments from previous reviews (incubation if graduation, sandbox if incubating, etc)?
+If the project has undergone a previous TAG or TOC review, how has the project addressed comments from those reviews?
 
 ## Security Reviews
 
 ### TAG Security Assessments
 
-Has the project completed a TAG Security Self-Assessment and/or Joint Assessment? If yes, please add a link and discuss how this has impacted their security posture.
+If applying for incubation, has the project completed a self-assessment? _(If not, the TAG cannot provide any recommendation to the TOC.)_
+
+If applying for graduation, has the project completed a joint assessment? _(If not, the TAG cannot provide any recommendation to the TOC.)_
+
+If yes to either, were there any findings or recommendations that the project has addressed or added to a roadmap? Please provide links if applicable.
 
 ### Security Audit
 
@@ -24,14 +28,34 @@ Has the project completed an external security audit? If yes, how have they addr
 
 ### Metrics
 
-Which security best practices does the project follow (for example CNCF best practices badge, OpenSSF Best Practices, CLO monitor), and how does it rate by these metrics?
+Which security best practices does the project follow (for example CNCF best practices badge, OpenSSF Best Practices, LFX Insights, CLOmonitor)?
+
+How does it rate by these metrics? Please provide links if applicable.
 
 ### Static Analysis
 
-Does the project perform static analysis?
+Does the project perform static analysis such as SAST or SCA? Please provide links if applicable.
 
 ## Sub-project Considerations
 
+### Role of Sub-projects in the Project Ecosystem
+
+Does your project have sub-projects? If so, how do they interact with the main project?
+
+What is the maturity and adoption of each sub-project?
+
+Please provide links to any sub-projects that are compiled into the main project.
+
+Please provide links to any other sub-projects that are currently intended for end-user adoption.
+
+### Security Posture of Sub-projects
+
 If the project has sub-projects, how does their security posture compare to the base project?
 
 ## TAG Recommendation to the TOC
+
+<!-- In order to form an accurate recommendation for incubation, the TAG requires the project to complete a self-assessment. -->
+
+<!-- In order to form an accurate recommendation for graduation, the TAG requires the project to participate in a joint-assessment. -->
+
+<!-- ... Based on these observations, the project appears to meet the expectations of a <sandbox/incubating/graduated> project. -->