The Cyber Resilience Act (CRA) introduces mandatory cybersecurity requirements for all products with digital elements (PwDE) made available on the EU market, placing obligations on manufacturers to exercise due diligence over the security of the software components they integrate into PwDE.
Recognizing the unique characteristics of Free and Open Source Software (F/OSS), the CRA establishes a differentiated, light-touch regulatory regime for F/OSS stewards, the legal entities providing sustained support to F/OSS projects intended for commercial use.
In this context, the CRA empowers the European Commission to adopt a delegated act establishing voluntary security attestation programmes for F/OSS projects. Such attestations should be authorable by open source stewards, should support the compliance requirements of PwDE, and should allow third parties to assess that open source components comply with essential cybersecurity requirements.
The objective of this project is to propose a means to support the due diligence responsibilities of manufacturers who rely on F/OSS components in a way that, rather than burdening F/OSS maintainers or stewards, helps to sustain F/OSS projects and facilitates interaction with both market surveillance and vulnerability coordination functions at the national and ENISA levels.
Voluntary security attestations offer an opportunity to proactively strengthen the security posture of F/OSS by enabling a wide range of stakeholders, from developers and stewards to integrators and public authorities, to participate in a structured and trustworthy process of security validation.
CRA-Attestations provides a comprehensive set of recommendations regarding voluntary security attestations for open source projects, as described in CRA Article 25, including but not limited to:
- the nature and structure of the contents of attestations
- recommended procedures to create, disseminate, and authenticate attestations
- comparative analysis of different approaches to addressing the objective
This project may include:
- synchronous and asynchronous discussions on this topic, minutes and agendas of meetings, etc.
- descriptions of processes and reference templates that support the creation of voluntary security attestation documents
- comparative review of existing third-party materials related to the topic
- samples and document templates
- automation for auto-publishing documents from markdown into other formats
This effort is aligned to and parallel to the ORC WG's efforts, and will benefit from shared expertise.