Commit 3399adc

torgo and gkunz authored
2025-Q2 Global Cybersecurity Policy WG TAC Update (#487)
* Create 2025-Q2-GCP-WG.md

---------

Signed-off-by: Daniel Appelquist <[email protected]>
Co-authored-by: Georg Kunz <[email protected]>
1 parent 0c6ff10 commit 3399adc

File tree: 1 file changed, +66 -0 lines changed

TI-reports/2025/2025-Q2-GCP-WG.md

Lines changed: 66 additions & 0 deletions
@@ -0,0 +1,66 @@
1+
# 2025 Q2 TAC Report for Global Cybersecurity Policy Working Group
2+
3+
## Overview
4+
5+
* GitHub repo: https://github.com/ossf/wg-globalcyberpolicy/
6+
* Minutes doc: https://docs.google.com/document/d/1iAplSQheMgemdMnEw74uPj3oi_6rLLbFFXhg4svqIDo/edit
7+
* Charter: https://github.com/ossf/wg-globalcyberpolicy/blob/main/CHARTER.md
8+
9+
This group has been formed in January 2025, after the Linux Foundation workshop on "Stewards and Manufacturers" in Amsterdam in December 2024. The shape of this group is very much based on consensus of that workshop. The scope of the group is to provide a forum for our members and the broader community to collaborate on Global Cybersecurity-related legislation, frameworks, and standards which facilitate conformance to regulatory requirements by open source projects and their consumers. We have been holding bi-weekly calls. We have 3 SIGs - Awareness, Tooling and Standards. The group is focusing most of its attention on the European Cyber Resilience Act (CRA) with some time put aside to monitor activities in other jurisdictions. We also have drafted a [liaisons list](https://github.com/ossf/wg-globalcyberpolicy/blob/main/governance/external-liaisons.md) which is a list of external organizations we feel we need to liaise with.
10+
11+
We have two working group co-leads: [Daniel Appelquist | Samsung](https://github.com/torgo) and [Mike Bursell | Confidential Compute Consortium](https://github.com/MikeCamel) with support from [Crob](https://github.com/SecurityCRob), [Jeff Diecks](https://github.com/GeauxJD) and [Fukami](https://github.com/fukami) from OpenSSF staff.
12+
13+
We have folded the "CRA tech bi-weekly" call into the remit of this group - and its content is currently being set by the Awareness SIG.
14+
15+
We have a regular schedule of calls for our Awareness and Standards SIGs and have started to take minutes in our main minutes doc. The Tooling sig is still a work in progress. We are operating in a similar mode to the Best Practices Working group, with our SIGs reporting into the main working group call. We have well attended meetings. Our general working group call, besides being a place where SIGs report, also serves as a venue to work on general deliverables and to drive awareness with group members of related activities.
16+
17+
We plan to hold a special session at LF Open Source Summit North America. (Details tba)
18+
19+
We are working on a [consise guide to the CRA](https://docs.google.com/document/d/1Kjq7B8SMySs0OTd76p0wro-fAvIsbG3y5GnNeTzjTQg/edit?tab=t.0#heading=h.i4ci2t7a406t) to go along with the other OpenSSF concise guides.
20+
21+
We are also working on a response to the EU CRA act consultation: https://github.com/ossf/wg-globalcyberpolicy/issues/47
22+
23+
Since our last report, we have helped to launch the successful [Free LF Training on CRA](https://openssf.org/press-release/2025/04/29/openssf-launches-free-course-to-prepare-developers-for-the-eu-cyber-resilience-act/) by providing feedback and input. ~3000 enrollments so far.
24+
25+
## Awareness SIG
26+
27+
The awareness SIG is led by [Megan Knight](https://github.com/businesscasualkesha) of Arm. The scope is activities that drive awareness of the work of this group and of the regulatory landscape in general. The SIG has been marshalling blog posts, upcoming conference schedule, as well as the CRA introductory course. The Awareness SIG minutes are kept in the [main working group minutes document](https://docs.google.com/document/d/1iAplSQheMgemdMnEw74uPj3oi_6rLLbFFXhg4svqIDo/edit). The group is working on a CRA glossary.
28+
29+
Awareness sig has setup a project board for monthly content calendar organization (a work in progress to add issues but the monthly themes are visible): https://github.com/orgs/ossf/projects/33
30+
31+
Blog Posts and other activities:
32+
* Tech talk on April 24: https://openssf.org/blog/2025/04/14/tech-talk-preview-strengthening-open-source-through-security-standards-and-global-policy/
33+
* Group co-chair Dan Appelquist presented on OpenSSF Baseline at Ospology Amsterdam event
34+
* Tech talk on 5-19: https://docs.google.com/presentation/d/1RSXEk-iTkuQZS5TbN6FQUClEFlxvn8p5j-yXVdS_uXg/edit?usp=sharing
35+
36+
## Standards SIG
37+
38+
The Standards work stream is progressing. Currently we have one lead [Tobias](https://github.com/0xAverageUser), with support from Jory Burson of LF.
39+
40+
The SIGs mission was defined as:
41+
42+
> The OpenSSF Global Cyber Policy WG - Standardisation SIG’s mission is to align regulatory (e.g., the EU CRA) compliance strategies & standards across open-source participants to ensure clarity, consistency, and industry-wide adoption and coordination.
43+
44+
We have been monitoring work happening in various standards groups related to CRA compliance (Eclipse, ISO, ETSI, FINOS, CEN/CENELEC, with "Ambassadors" for each of these within the SIG) and providing a forum for OpenSSF members to share and coordinate their activities in these standards.
45+
46+
The SIG is currently working on a Standards Survey for OpenSSF members to determine what standards are highest priority.
47+
48+
Created a directory of SIG-supported standardization bodies & contact paths.
49+
50+
Working on: mapping baseline spec to CRA security requirements, CRA call-for-evidence (outline in progress), publushing a post oin CRA-Baseline matrix, draft proposal to advance Baseline as "Horizontal Security Specification".
51+
52+
Minutes available here: [SIG Minutes Document](https://docs.google.com/document/d/1XjE5VYdyIdH32T94ZQIj0Hf5btRiKG58z3jSInY77wA/view?tab=t.0).
53+
54+
## Tooling SIG
55+
56+
The Tooling SIG is still in start-up mode. However we have one lead, [Puerco](https://github.com/puerco), and we're still looking for a co-lead. The scope is to coordinate work on relevant tooling and processes. What tools already exist out there that can help maintainers, stewards and manufacturers? What additional features do we need from existing tools?
57+
58+
## Questions/Issues for the TAC
59+
60+
None at this time.
61+
62+
## Additional Information
63+
64+
65+
66+
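Review bot: several spelling and grammar slips in the new file should be fixed before merge, and the trailing "## Additional Information" section (lines 62-66) is empty, so either add its content or drop the heading. Line 19 reads "a [consise guide to the CRA]" (should be "concise"); line 50 reads "publushing a post oin CRA-Baseline matrix" (should be "publishing a post on the CRA-Baseline matrix"); line 40 "The SIGs mission" should be "The SIG's mission"; line 29 "Awareness sig has setup a project board" should be "The Awareness SIG has set up a project board"; line 9 "This group has been formed in January 2025" reads better as "This group was formed in January 2025". The section is titled "## Standards SIG" but the quoted mission on line 42 calls it the "Standardisation SIG"; pick one name for the SIG and use it consistently. Line 17 still carries "(Details tba)" for the Open Source Summit session; if the details are known, fill them in, otherwise consider leaving the sentence out of a TAC report.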