
Open Source Software in Public Policy

Cybersecurity — and specifically software provenance, assurance, and supply chain trust — has gained the attention of governments around the globe. For example, on May 12, 2021, President Biden released an Executive Order (EO) on Improving the Nation’s Cybersecurity that aims to counter “persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.” In the European Union, the European Union Agency for Cybersecurity (ENISA) seeks “to achieve a high common level of cybersecurity across the Union in cooperation with the wider community.” However, with this increased global attention on cybersecurity, there is a risk that government policies (such as laws, regulations, guidelines, and reports issued by various institutions) could impose measures inconsistent with the development and use of open source software (OSS). Typically (but not always), this is unintentional and is due to a lack of understanding of how OSS is developed, distributed, and used.

OpenSSF supports groups and hosts events for members to collaborate on public policy matters.

Global Cyber Policy Working Group

Cybersecurity is a matter of global interest and concern. Stakeholders from across the ecosystem and around the globe are affected by the deluge of cybersecurity incidents and vulnerability exploits. The Global Cyber Policy Working Group seeks to assemble subject matter experts from many disciplines to collaboratively discuss legislation, regulation, and cybersecurity frameworks and standards that can help stakeholders of all backgrounds meet their compliance obligations.

Governing Board Public Policy Committee

The mission of the Governing Board Public Policy Committee is to provide an avenue for OpenSSF members to collaborate on policy matters that relate to or affect open source software. Activities may include, for example, making recommendations on public statements regarding technical documents (including guidelines) published or authorized by public authorities, policy statements such as the U.S. EO, proposed regulations, and draft legislation, as well as producing documents that advance the joint understanding of these issues in a form consumable by policymakers.

European Union Cyber Resilience Act

With its publication as Regulation (EU) 2024/2847 in the Official Journal of the European Union, the Cyber Resilience Act (CRA) entered into force (EIF) on December 10, 2024. The CRA will fully apply three years later, on December 11, 2027. The CRA will obligate all products with digital elements, including their remote data processing, placed on the European market to comply with this regulation. The CRA intends to address threats and vulnerabilities by establishing standardized frameworks for cybersecurity requirements as part of a wider set of European product legislation.

Public Policy News and Updates


Nov 25, 2024 | OpenSSF

Understanding the CRA: OpenSSF’s Role in the Cyber Resilience Act Implementation – Part 1

With its publication as Regulation (EU) 2024/2847 in the Official Journal of the European Union, the Cyber Resilience Act (CRA) enters into force (EIF) on December 10, 2024. The CRA will fully apply three years later, on December 11, 2027. The CRA will obligate all products with digital elements, including their… Read more.