diff --git a/MAPPING-SLSA.md b/MAPPING-SLSA.md new file mode 100644 index 0000000..1ef35aa --- /dev/null +++ b/MAPPING-SLSA.md 
@@ -0,0 +1,42 @@ +# DevOps Maturity ↔ SLSA Mapping + +This document maps DevOps Maturity criteria to relevant [SLSA (Supply-chain Levels for Software Artifacts)](https://slsa.dev/) concepts, helping teams understand where the two frameworks overlap. + +## Relationship + +DevOps Maturity is a **broader DevOps baseline assessment**, not a supply-chain security standard. It covers build, test, security, supply chain, analysis, and reporting — a wider surface than SLSA's focused scope on artifact integrity and provenance. + +**DevOps Maturity does not replace SLSA.** SLSA provides a rigorous, verifiable supply-chain integrity framework. DevOps Maturity can help teams assess their readiness across the full DevOps spectrum, and the supply-chain-related criteria map naturally to SLSA requirements. + +## Criteria Mapping + +| DevOps Maturity | Description | SLSA Direction | +|---|---|---| +| **D401** Documented Build Process | Build steps are version-controlled and documented | Build process transparency — a prerequisite for Build Track reproducibility | +| **D402** CI/CD as Code | Pipelines and infrastructure defined as code | Build process definition — SLSA requires the build process to be defined and verifiable | +| **D403** Artifact Signing | Build artifacts are cryptographically signed | Artifact integrity / provenance distribution — aligns with SLSA's requirement for signed attestations | +| **D404** Dependency Pinning | All dependencies pinned to exact versions | Reproducibility support — reduces supply-chain attack surface | +| **D405** SBOM Generation | Automatically generate Software Bill of Materials | Supply-chain transparency — complements SLSA provenance with dependency inventory | +| **D603** Compliance Mapping & Auditability | Map controls to standards, provide audit-ready reports | Verified properties / audit evidence — supports the consumption and verification side | + +## Where They Diverge + +SLSA provides detailed requirements that go beyond DevOps 
Maturity: + +- **Build Track** (Levels 1–3): Defines specific requirements for hermetic builds, isolated environments, parameterless builds, and ephemeral builders. +- **Source Track**: Covers source integrity protections (two-person review, branch protection, verified history). +- **Attestation Format**: SLSA defines standardized in-toto attestation formats (provenance, VSA). +- **Verification**: SLSA specifies policy-based verification of attestations. + +DevOps Maturity covers areas SLSA does not: + +- **Quality** (D2xx): Unit testing, functional testing, code coverage, accessibility. +- **Analysis** (D5xx): Static analysis, dynamic analysis, linting. +- **Reporting** (D6xx): Notifications, attached reports. +- **Security Scanning** (D3xx): Vulnerability and license scanning. + +## Practical Path + +A team can use DevOps Maturity as a **first-step health check** to identify gaps across the entire DevOps lifecycle. Once the supply-chain security criteria (D4xx) are addressed, SLSA provides the next level of rigor — with verifiable attestations, signed provenance, and policy-based enforcement. + +For teams already pursuing SLSA compliance, DevOps Maturity can serve as a **companion assessment** covering the broader practices that SLSA does not address. diff --git a/README.md b/README.md index a8d50e7..df59cf6 100644 --- a/README.md +++ b/README.md 
@@ -3,7 +3,31 @@ [![DevOps Maturity](https://img.shields.io/badge/DevOps%20Maturity-Specification-yellow)](https://devops-maturity.github.io/) [![Website](https://img.shields.io/website?url=https%3A%2F%2Fdevops-maturity.github.io&up_color=yellow)](https://devops-maturity.github.io/) -The DevOps Maturity specification is standardized to assess the maturity of DevOps practices. It is a set of questions and answers to help you measure and improve your DevOps maturity. +The DevOps Maturity specification is standardized to assess the maturity of DevOps practices. It is a set of criteria to help you measure and improve your DevOps maturity. + +> DevOps Maturity is a **broad DevOps baseline assessment**. It does not replace specialized supply-chain security standards like [SLSA](https://slsa.dev/). See the [SLSA mapping](MAPPING-SLSA.md) for where the two frameworks overlap. + +## Schema + +The assessment file format is defined by a [JSON Schema](schema/devops-maturity.schema.json). Criteria accept both simple boolean values and structured objects with evidence, verification metadata, and rationale: + +```yaml +# Simple boolean — quick self-assessment +D101: true +D202: false + +# Structured — auditable evidence +D403: + status: true + evidence: + - type: workflow + path: .github/workflows/release.yml + - type: artifact-signature + tool: cosign + verified_by: devops-maturity-action + verified_at: "2026-05-24T00:00:00Z" + rationale: "Release workflow signs artifacts with Cosign keyless signing" +``` ## 🎉 Show Your Support 
@@ -17,6 +41,11 @@ Let others know your project follows the DevOps Maturity specification. Add this [![DevOps Maturity](https://img.shields.io/badge/DevOps%20Maturity-Specification-yellow)](https://devops-maturity.github.io/) ``` +## Additional Documents + +- **[MAPPING-SLSA.md](MAPPING-SLSA.md)** — Maps DevOps Maturity criteria to SLSA requirements +- **[schema/devops-maturity.schema.json](schema/devops-maturity.schema.json)** — JSON Schema for the assessment YAML format + ## 🤝 Contributing We welcome contributions from the community! diff --git a/content/_index.md b/content/_index.md index 85c1a6c..d7dc518 100644 --- a/content/_index.md +++ b/content/_index.md @@ -12,6 +12,8 @@ layout: single The DevOps Maturity Specification is a set of guidelines and criteria designed to help organizations assess and improve their DevOps practices. It provides a structured approach to evaluate key areas such as Basics, Quality, Security, Supply Chain Security, Analysis, and Reporting. The specification is intended to align with best practices and provide a framework for continuous improvement within the DevOps community. +> **Note:** DevOps Maturity is a broad DevOps baseline assessment, not a replacement for specialized standards like [SLSA](https://slsa.dev/) (supply-chain integrity) or [OpenSSF Scorecard](https://securityscorecards.dev/) (open-source security health). For supply-chain-specific criteria, see the [SLSA mapping](https://github.com/devops-maturity/spec/blob/main/MAPPING-SLSA.md). + ### Key Points - **Purpose**: Help organizations and teams assess DevOps practices, align on best practices, and drive continuous improvement. 
@@ -123,6 +125,10 @@ Your score will generate one of the following badges: [OpenSSF Best Practices](https://www.bestpractices.dev/) targets open source projects across the entire software development lifecycle, while DevOps Maturity focuses specifically on DevOps practices applicable to both open source and internal enterprise projects. DevOps Maturity provides both a web UI and a CLI for automatic maturity scoring. In contrast, OpenSSF Best Practices only offers a web-based SaaS and does not support internal deployment. +### How does DevOps Maturity relate to SLSA? + +DevOps Maturity does not replace SLSA — it complements it. SLSA is a specialized supply-chain integrity framework with rigorous attestation formats and verification rules. DevOps Maturity covers a wider surface: build, test, quality, security scanning, supply chain, analysis, and reporting. The supply-chain criteria (D4xx) map naturally to SLSA requirements, and teams can use DevOps Maturity as a first-step health check before pursuing deeper SLSA compliance. See the [SLSA mapping](https://github.com/devops-maturity/spec/blob/main/MAPPING-SLSA.md) for details. + ### What is the difference between DevOps Maturity Model and DevOps Maturity Specification? The DevOps Maturity Model is a conceptual framework that outlines the stages of DevOps adoption and maturity, while the DevOps Maturity Specification provides a detailed, actionable set of criteria and guidelines for assessing and improving DevOps practices. diff --git a/schema/devops-maturity.schema.json b/schema/devops-maturity.schema.json new file mode 100644 index 0000000..2f9ae88 --- /dev/null +++ b/schema/devops-maturity.schema.json 
@@ -0,0 +1,84 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://devops-maturity.github.io/schema/devops-maturity.schema.json", + "title": "DevOps Maturity Assessment", + "description": "Schema for the devops-maturity.yml assessment file. Supports both simple boolean values and structured evidence objects for each criteria.", + "type": "object", + "required": ["project_name"], + "properties": { + "project_name": { + "type": "string", + "description": "Name of the project being assessed." + }, + "project_url": { + "type": "string", + "format": "uri", + "description": "URL of the project repository or homepage." + } + }, + "patternProperties": { + "^D[1-6][0-9]{2}$": { + "description": "A criteria entry. Accepts a boolean (true/false) or a structured object with status and optional evidence.", + "oneOf": [ + { + "type": "boolean", + "description": "Simple pass/fail for the criteria." + }, + { + "type": "object", + "required": ["status"], + "properties": { + "status": { + "type": "boolean", + "description": "Whether the criteria is met." + }, + "evidence": { + "type": "array", + "description": "Optional list of evidence items demonstrating how the criteria is met.", + "items": { + "type": "object", + "required": ["type"], + "properties": { + "type": { + "type": "string", + "description": "Evidence type, e.g. workflow, artifact-signature, config, tool, report.", + "examples": ["workflow", "artifact-signature", "config", "tool", "report"] + }, + "path": { + "type": "string", + "description": "Path to the relevant file (e.g. CI workflow, config file)." + }, + "tool": { + "type": "string", + "description": "Name of the tool used (e.g. cosign, trivy, codeql)." + }, + "url": { + "type": "string", + "format": "uri", + "description": "URL pointing to the evidence (e.g. attestation, report)." 
+ } + }, + "additionalProperties": true + } + }, + "verified_by": { + "type": "string", + "description": "Tool or method that verified this criteria (e.g. devops-maturity-action, manual-review)." + }, + "verified_at": { + "type": "string", + "format": "date-time", + "description": "ISO 8601 timestamp of verification." + }, + "rationale": { + "type": "string", + "description": "Human-readable explanation of why this criteria is met." + } + }, + "additionalProperties": false + } + ] + } + }, + "additionalProperties": true +}
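Review bot: In the MAPPING-SLSA.md hunk, the D403 row equates artifact signing with "SLSA's requirement for signed attestations", but those are different controls: SLSA's Build Track requires signed provenance attestations that describe how the artifact was built, and a detached signature over the artifact alone does not satisfy that. Suggest wording the SLSA Direction cell as "Partial: signing the artifact is necessary, but SLSA requires signed provenance (an in-toto attestation) rather than a bare artifact signature". The "Where They Diverge" bullet also lists hermetic and parameterless builds under Build Track Levels 1–3; those were Level 4 requirements in SLSA v0.1 and are not required at any level in v1.0, so the document should state which SLSA version the mapping targets.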
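Review bot: In the README.md hunk that adds the "Schema" section, the structured example shows `verified_by: devops-maturity-action` and `verified_at` as values the author writes into the assessment file, which makes them self-asserted claims rather than verification results, since anyone can type that line. Suggest the paragraph state whether the action populates or re-checks these fields and that consumers should not treat them as proof on their own. The `artifact-signature` evidence item would also be more useful with a `url` or `path` pointing at the signature or attestation, since the schema provides both fields and `tool: cosign` by itself cannot be checked.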
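Review bot: In the schema/devops-maturity.schema.json hunk, the top-level `"additionalProperties": true` means a mistyped criterion key that does not match `^D[1-6][0-9]{2}$` is accepted silently and simply never scored; since `project_name`, `project_url` and the pattern cover every intended key, suggest `"additionalProperties": false` at the top level so typos fail validation. Also, `"format": "uri"` and `"format": "date-time"` are annotations only in draft 2020-12 unless the validator enables format assertion, so the consuming tool should validate those values explicitly if it relies on them. Minor: "criteria" is plural; the descriptions should read "criterion" ("A criterion entry", "Whether the criterion is met").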