Add 2025 Q4 TAC Report for Global Cybersecurity Policy WG #549
Draft: torgo wants to merge 4 commits into ossf:main from torgo:patch-2
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,63 @@ | ||
| # 2025 Q4 TAC Report for Global Cybersecurity Policy Working Group | ||
|
|
||
| ## Overview | ||
|
|
||
| * GitHub repo: https://github.com/ossf/wg-globalcyberpolicy/ | ||
| * Minutes doc: https://docs.google.com/document/d/1iAplSQheMgemdMnEw74uPj3oi_6rLLbFFXhg4svqIDo/edit | ||
| * Charter: https://github.com/ossf/wg-globalcyberpolicy/blob/main/CHARTER.md | ||
|
|
||
| This group has been formed in January 2025, after the Linux Foundation workshop on "Stewards and Manufacturers" in Amsterdam in December 2024 and is based on the consensus output of that workshop. The scope of the group is to provide a forum for our members and the broader community to collaborate on Global Cybersecurity-related legislation, frameworks, and standards which facilitate conformance to regulatory requirements by open source projects and their consumers. We have been holding bi-weekly calls. We have 2 active SIGs - Awareness and Standards. The group is focusing most of its attention on the European Cyber Resilience Act (CRA) with some time put aside to monitor activities in other jurisdictions. We also have drafted a [liaisons list](https://github.com/ossf/wg-globalcyberpolicy/blob/main/governance/external-liaisons.md) which is a list of external organizations we feel we need to liaise with, with a special emphasis on the [Eclipse ORC working group](https://github.com/orcwg/), to minimize overlap. | ||
|
|
||
| In 2025, the group produced deliverable documents, acted as an outreach vehicle, and also served as a venue to discuss and share information between community members regarding the regulatory landscape and its impacts on industry and the OSS ecosystem. | ||
|
|
||
| Last month, the group ran some workshop sessions at the LF Europe Roadshow event in Ghent and subsequent policy summit in Brussels to refine its scope and deliverables for the coming year. | ||
|
|
||
| We have two working group co-leads: [Daniel Appelquist | Samsung](https://github.com/torgo) and [Roman Zhukov | Red Hat](https://github.com/rozhukov). In October, [Mike Bursell | Confidential Compute Consortium](https://github.com/MikeCamel) stepped down as co-chair, after helping to organize and facilitate the workshop in Ghent. The group thanks Mike for all his work and contributions, and welcomes Roman as new co-chair. [Megan Knight | Arm](https://github.com/businesscasualkesha) chairs the Awareness SIG. In addition, we have support from [Crob](https://github.com/SecurityCRob), [Jeff Diecks](https://github.com/GeauxJD) and [Madalin Neag](https://github.com/madalinnneag) from OpenSSF staff. | ||
|
|
||
| We also operate the "EU CRA Monthly Tech Talk", the agenda of which is managed by the Awareness SIG. | ||
|
|
||
| We have a regular schedule of calls for our Awareness and Standards SIGs and take minutes in our main minutes doc. Although we initially envisioned a tooling SIG, it turned out that mny of the activities proposed for this are actually being progressed in the ORBIT working group, so we maintain active discussion with ORBIT. Our SIGs report into the main working group call. We have had well attended meetings this year. Our general working group call, besides being a place where SIGs report, also serves as a venue to work on general deliverables and to drive awareness with group members of related activities. | ||
|
|
||
| Since our last report: | ||
|
|
||
| * The [Free LF Training on CRA](https://openssf.org/press-release/2025/04/29/openssf-launches-free-course-to-prepare-developers-for-the-eu-cyber-resilience-act/), which the group helped to shape, has had over 5657 enrollments. | ||
|
|
||
| * We held sessions in Ghent and Brussels - see [OpenSSF Blog Post](https://openssf.org/blog/2025/11/17/recap-open-source-security-week-in-belgium-highlights-from-ghent-to-brussels/) for details. | ||
|
|
||
| * We collaborated with others in a successful [proposal for a FOSDEM dev room](https://lists.fosdem.org/pipermail/fosdem/2025q4/003697.html) covering "CRA in practice". | ||
|
|
||
| * We continued work on specifying a "compliance" file for OSS repos - that would include information about stewardship as well as additional info: https://github.com/ossf/wg-globalcyberpolicy/issues/69. It's already referenced as a "good practice" by the CRA Voluntary Security Attestation Project (Eclipse ORC WG) | ||
|
|
||
| * We have helped to shape work by OpenSSF staff on Stewardship recommendations for LF Projects, e.g. https://github.com/ossf/wg-globalcyberpolicy/pull/77. | ||
|
|
||
|
|
||
| ## Awareness SIG | ||
|
|
||
| The awareness SIG is led by [Megan Knight](https://github.com/businesscasualkesha) of Arm. The scope is activities that drive awareness of the work of this group and of the regulatory landscape in general. The SIG has been marshalling blog posts, upcoming conference schedule, as well as the CRA introductory course. The Awareness SIG minutes are kept in the [main working group minutes document](https://docs.google.com/document/d/1iAplSQheMgemdMnEw74uPj3oi_6rLLbFFXhg4svqIDo/edit). The group is working on a CRA glossary. | ||
|
|
||
| Awareness SIG has setup a project board for monthly content calendar organization: https://github.com/orgs/ossf/projects/33 | ||
|
|
||
| Activities and Publications: | ||
| * Tech Talk on OSPS Baseline and how it support CRA | ||
| * Tech Talk on SBOM Toools and the CRA | ||
| * Tech Talk on Risk Assessment | ||
| * Tech Talk on "What makes you commercial" in the CRA | ||
| * Tech Talk o the Brief Guide, as well as [Blog Post on Brief Guide](https://openssf.org/blog/2025/07/15/new-cyber-resilience-act-cra-brief-guide-for-oss-developers/) | ||
|
|
||
| ## Standards SIG | ||
|
|
||
| The Standards SIG is led by [Madalin Neag](https://github.com/madalinnneag). | ||
|
|
||
| The SIG's mission has been to coordinate between stakeholders regarding engagement in Standards work related to cybersecurity policy. This is complicated by the fact that many of these standards organizations have a different approach to confidentiality than the OpenSSF. The discussions of this group have helped to guide the engagement of OpenSSF staff within some of these efforts. | ||
|
|
||
| The SIG produced a Standards Survey for OpenSSF members to determine what standards are highest priority. The results of this survey were discussed in our main working group [call on 7-21](https://docs.google.com/document/d/1iAplSQheMgemdMnEw74uPj3oi_6rLLbFFXhg4svqIDo/edit?tab=t.0) and indicated high priority for certain vertical standards such as hypervisors, operating systems and identity management systems. This info has helped to prioritize the work of this group. | ||
|
|
||
| Minutes available here: [SIG Minutes Document](https://docs.google.com/document/d/1XjE5VYdyIdH32T94ZQIj0Hf5btRiKG58z3jSInY77wA/view?tab=t.0). | ||
|
|
||
| ## Questions/Issues for the TAC | ||
|
|
||
| None at this time. | ||
|
|
||
| ## Additional Information | ||
|
|
||
|
|
||
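Review bot: several typos in the added report should be fixed before this leaves draft: "mny of the activities" should read "many of the activities" in the paragraph on the tooling SIG; "how it support CRA" should read "how it supports the CRA"; "SBOM Toools" should read "SBOM Tools"; and "Tech Talk o the Brief Guide" should read "Tech Talk on the Brief Guide". Two smaller grammar points in the same hunk: "This group has been formed in January 2025" reads better as "This group was formed in January 2025", and "has setup a project board" should be "has set up a project board". The closing "## Additional Information" heading has no body; either add the content it is meant to carry or drop the heading so the rendered report does not end with an empty section.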