Open Source Software in Public Policy

Governments globally recognize cybersecurity’s importance, establishing partnerships and strategies to secure digital infrastructure. However, this attention risks producing government policies that are unintentionally inconsistent with how open-source software (OSS) is developed and used, often due to a lack of understanding of OSS.

The OpenSSF is a “community of software developers, security engineers, and more who are working together to secure OSS for the greater public good.” This includes the secure development, distribution, deployment, and use of OSS. This short document gives a clear stance on OpenSSF policy work, whether regional or general, as a basis for policy summits, member discussions, and solidarity across our policy representatives.

We, the OpenSSF, take steps to constructively engage with stakeholders worldwide to help improve the security of OSS globally, including working to ensure that OSS will continue to be sustainably available to everyone. This includes responding to government requests for information (RFI), providing expert advice, engaging in processes to develop relevant standards, reporting vulnerabilities/incidents and working to improve related processes, providing fora for discussions and collaboration, and developing educational materials. Per the Linux Foundation bylaws section 8.8, we do not perform any political expenditure or lobbying that might impact our status as a tax-exempt organization.

The OpenSSF focuses on the following (per the OpenSSF Public Policy Committee):

  1. Encourage governments to responsibly consume OSS in general and contribute upstream, particularly in areas concerning security
  2. Encourage public funding of OSS ecosystems, particularly targeting security enhancements and maintenance
  3. Encourage OSS consumers to be responsible for OSS security outcomes
  4. Encourage governments to engage with or join OSS communities
  5. Encourage governments to adopt secure-by-design, secure open source software, and software supply chain security best practices as three key pillars of cyber workforce and education strategies
  6. Encourage governments to collaborate, internationally, to secure open source software
  7. Encourage governments to include OSS consumption, contribution, appropriate regulation, engagement, education, and international collaboration as key prongs of their AI strategies, and use AI to accelerate each of these.

We advocate for flexible approaches that are efficient, agile, and enable innovation. We note that many OSS projects have small communities (often only one person) and don’t have a source of finances, so many OSS projects cannot develop extensive documentation or provide specialized responses to regulations without additional assistance. The OpenSSF develops tools, guidance, education, and other materials to make it easier for maintainers and communities to develop more secure OSS.

The OpenSSF has a global focus, with international policy and standards experts who advise and work with our communities. We recognize that cybersecurity concerns transcend political borders and want to address universal challenges that all creators and consumers of software face today.

Global Cyber Policy Working Group

Cybersecurity is a matter of global interest and concern. Stakeholders from across the ecosystem and the globe are impacted by the deluge of cybersecurity incidents and vulnerability exploits. The Global Cyber Policy Working Group seeks to assemble subject matter experts from many disciplines to collaboratively discuss legislation, regulation, and cybersecurity frameworks and standards that can help stakeholders of all backgrounds meet their compliance obligations.

Governing Board Public Policy Committee

The mission of the Governing Board Public Policy Committee is to provide an avenue for OpenSSF members to collaborate on policy matters related to or that impact open source software. Activities may include, for example, making recommendations on public statements regarding technical documents (including guidelines) published or authorized by public authorities, policy statements such as the U.S. EO, proposed regulations, and draft legislation or documents advancing the joint understanding on these issues in a manner consumable by policymakers.

European Union Cyber Resilience Act

The Cyber Resilience Act (CRA) entered into force (EIF) on December 10, 2024, when it was published as Regulation (EU) 2024/2847 in the Official Journal of the European Union. The CRA will fully apply three years later, on December 11, 2027. The CRA will obligate all products with digital elements placed on the European market, including their remote data processing, to comply with this regulation. The CRA intends to address threats and vulnerabilities by establishing standardized frameworks for cybersecurity requirements as part of a wider set of European product legislation.

Public Policy News and Updates

Nov 25, 2024 | OpenSSF

Understanding the CRA: OpenSSF’s Role in the Cyber Resilience Act Implementation – Part 1

With its publication as Regulation (EU) 2024/2847 in the Official Journal of the European Union, the Cyber Resilience Act (CRA) enters into force (EIF) on December 10, 2024. The CRA will fully apply three years later, on December 11, 2027. The CRA will obligate all products with digital elements, including their…