Add 2026 Q1 TAC Report for Global Cyber Policy WG #591
Open: torgo wants to merge 15 commits into ossf:main from torgo:patch-3

Commits (15):
* 0ace742 Add 2026 Q1 TAC Report for Global Cyber Policy WG (torgo)
* dd5ad76 Apply suggestions from code review (torgo)
* d2d92df Apply suggestion from @madalinnneag (torgo)
* b10bf5a Apply suggestion from @madalinnneag (torgo)
* 1df33ff Apply suggestion from @madalinnneag (torgo)
* 3f65a31 Apply suggestion from @madalinnneag (torgo)
* 0e78c26 Apply suggestion from @madalinnneag (torgo)
* 70df3ae Apply suggestion from @madalinnnea (torgo)
* 2de97fc Apply suggestion from @madalinnneag with @torgo edits. (torgo)
* b308838 Apply suggestion from @torgo (torgo)
* cfff67d Apply suggestion from @torgo (torgo)
* 77478a6 Apply suggestion from @madalinnneag (torgo)
* 18b02dd Update TI-reports/2026/2026-Q1-GCP-WG.md (torgo)
* 3dfa320 Apply suggestion from @torgo (torgo)
* 39317fa Small typo fixes (marcelamelara)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| # 2026 Q4 TAC Report for Global Cyber Policy Working Group | ||
|
|
||
| ## Overview | ||
|
|
||
| * GitHub repo: https://github.com/ossf/wg-globalcyberpolicy/ | ||
| * Minutes doc: https://docs.google.com/document/d/1iAplSQheMgemdMnEw74uPj3oi_6rLLbFFXhg4svqIDo/edit | ||
| * Charter: https://github.com/ossf/wg-globalcyberpolicy/blob/main/CHARTER.md | ||
|
|
||
| This group has celebrated its 1st year of operation, having been been formed in January 2025, after the Linux Foundation workshop on "Stewards and Manufacturers" in Amsterdam in December 2024. The scope of the group is to provide a forum for our members and the broader community to collaborate on Global Cybersecurity-related legislation, frameworks, and standards which facilitate conformance to regulatory requirements by open source projects and their consumers. We have been holding bi-weekly calls. We have 2 active SIGs - Awareness and Standards. The group is focusing most of its attention on the European Cyber Resilience Act (CRA) with some time put aside to monitor activities in other jurisdictions. We also have drafted a [liaisons list](https://github.com/ossf/wg-globalcyberpolicy/blob/main/governance/external-liaisons.md) which is a list of external organizations we feel we need to liaise with, with a special emphasis on the [Eclipse ORC working group](https://github.com/orcwg/), to minimize overlap. | ||
|
|
||
| In late 2025, the group ran some workshop sessions at the LF Europe Roadshow event in Ghent and subsequent policy summit in Brussels to refine its scope and deliverables for 2026. For example, we added an emphasis on case studies and producing guidelines that would be useful to "manufacturers." | ||
|
|
||
| We have two working group co-leads: [Daniel Appelquist | Samsung](https://github.com/torgo) and [Roman Zhukov | Red Hat](https://github.com/rozhukov). [Megan Knight | Arm](https://github.com/businesscasualkesha) chairs the Awareness SIG and [Madalin Neag](https://github.com/madalinnneag) from OpenSSF staff chairs the Standards SIG. In addition, we have support from [Jeff Diecks](https://github.com/GeauxJD), [Crob](https://github.com/SecurityCRob) and [David A. Wheeler](https://github.com/david-a-wheeler). | ||
|
|
||
| We also operate the "EU CRA Monthly Tech Talk". | ||
|
|
||
| We have a regular schedule of calls for our Awareness and Standards SIGs and take minutes in the following minutes docs: | ||
| * Main WG/Awareness SIG: https://docs.google.com/document/d/1iAplSQheMgemdMnEw74uPj3oi_6rLLbFFXhg4svqIDo/edit?tab=t.0 | ||
| * Standards SIG: https://docs.google.com/document/d/1XjE5VYdyIdH32T94ZQIj0Hf5btRiKG58z3jSInY77wA/edit?tab=t.0 | ||
|
|
||
| This quarter, we have participated in the discussions that led to the formation of the [ORBIT Launchpad](https://github.com/ossf/orbit-launchpad) effort. As noted in their charter, we see the Cyber Policy working group as a key stakeholder and partner for ORBIT Launchpad. This work has subsumed the work that we initially conceived of as a "Tooling" SIG in our own working group. | ||
|
|
||
| Our general working group call, besides being a place where SIGs report, also serves as a venue to work on general deliverables and to drive awareness with group members of related activities. | ||
|
|
||
| Since our last report, we held two tech talks: | ||
|
|
||
| * one where Launchpad SIG was presented. [Recording is available here](https://zoom.us/rec/share/X5PE2JoOyLac15HXB-0eGm9avCPSrRuwfmZD7Uy2QCwq5mYkAqla--O6_fD7eYcr.AL_bBxDGeZD8SejU) and the slides are [available here](https://drive.google.com/file/d/17b-dUihdJJ-i6URvY6mqLWKLq4Cata8B/view?usp=sharing) | ||
| * one where we discussed our approach for stewardship and the documents that our community has developed. [Recording here](https://zoom.us/rec/play/vu7ETuGu10UZt3TUlZDNT597n8j8tEds1kFOjxOuLQimwYxHRf4nCcYFFbo54N_9qFOb4NfQdiIHR4fG.Br30pNufDbHGCo6P?eagerLoadZvaPages=sidemenu.billing.plan_management&accessLevel=meeting&canPlayFromShare=true&from=share_recording_detail&continueMode=true&componentName=rec-play&originRequestUrl=https%3A%2F%2Fzoom.us%2Frec%2Fshare%2FuiUTy3JAmVUI_CGYQFLXjhpeCUbsDrwb3J55n_IzFyBbKqSfuEyZ3yWi_ZUscVIz.qW8ITyi-A9YBLTvp) | ||
|
|
||
| * We collaborated with others in a successful [CRA In Practice](https://fosdem.org/2026/schedule/track/cra-in-practice/) dev room at FOSDEM. | ||
|
|
||
|
|
||
| * We have updated the page at https://policy.openssf.org | ||
|
|
||
| * We have helped to shape work by OpenSSF staff on Stewardship recommendations for LF Projects: | ||
| * [Stewards One-Pager](https://policy.openssf.org/CRA/stewards-one-pager.html) | ||
| * [Stewards Playbook](https://policy.openssf.org/CRA/stewards-playbook.html) | ||
|
|
||
| * We have sent out numerous updates on activities in relevant standards organizations, and produced a [CRA Standards Map](https://policy.openssf.org/CRA/standards.html). | ||
|
|
||
| * We have produced [blog posts](https://openssf.org/category/policy/cra/) including a case study from Red Hat. | ||
|
|
||
| ## Awareness SIG | ||
|
|
||
| The awareness SIG is led by [Megan Knight](https://github.com/businesscasualkesha) of Arm. The scope is activities that drive awareness of the work of this group and of the regulatory landscape in general. The SIG has been marshalling blog posts and the upcoming conference schedule. The Awareness SIG minutes are kept in the [main working group minutes document](https://docs.google.com/document/d/1iAplSQheMgemdMnEw74uPj3oi_6rLLbFFXhg4svqIDo/edit). | ||
|
|
||
| Activities and Publications: [pending] | ||
| * On 2026-02-25, Linux Foundation Member Summit, "CRA: Ask Us Anything" was led by Christopher "CRob" Robinson and David A. Wheeler; "Security through Education: Meeting AI, CRA, and Supply Chain Challenges in Software Development" was presented by David A. Wheeler | ||
|
|
||
| ## Standards SIG | ||
|
|
||
|
|
||
| The Standards SIG is led by [Madalin Neag](https://github.com/madalinnneag). | ||
|
|
||
| The mission of the Standardization SIG has been to coordinate stakeholder engagement on cybersecurity standards related to policy, with a focus on raising awareness of standards development activities connected to the CRA. The SIG has also monitored complementary standards initiatives and policy developments to ensure members maintain visibility into the evolving regulatory and standardization landscape. | ||
|
|
||
| The group has supported the involvement of OpenSSF members and staff in standards activities by serving as a coordination forum to guide engagement strategies across European Standards Organizations (ESOs) and other SDOs, particularly where confidentiality practices differ from those typically used in open source communities. Through this coordination, OpenSSF representatives have enabled participation by sharing knowledge and updates, advocating for open source values, and coordinating community-level feedback on key deliverables, including the [CEN](https://www.cencenelec.eu/about-cen/) horizontal standards (such as PT1 and PT3 - see [standards map](https://policy.openssf.org/CRA/standards.html) for detail). | ||
|
|
||
| A core component of the SIG’s work has been facilitating community’s participation in public consultations related to cybersecurity standards and policy. The group has raised awareness of consultation opportunities, shared relevant information, and coordinated the consolidation of feedback so that responses reflect the collective expertise of the OpenSSF community. | ||
|
|
||
| The SIG has also acted as an information-sharing platform on related policy developments, standards initiatives, funding opportunities, and key steps for CRA implementation, including updates on delegated and implementing acts, guidance materials, roadmaps, and developments from relevant European institutions and authorities. | ||
|
|
||
| The Standards SIG is led by [Madalin Neag](https://github.com/madalinnneag). | ||
|
|
||
| The SIG's mission has been to coordinate between stakeholders regarding engagement in Standards work related to cybersecurity policy. This is complicated by the fact that many of these standards organizations have a different approach to confidentiality than the OpenSSF. The discussions of this group have helped to guide the engagement of OpenSSF staff within some of these efforts. | ||
|
|
||
| The SIG's main work this year has been on raising awareness of relevant standards efforts, disseminating information to members about these efforts, and highligting when public consultations are open / helping members participate in these consultations. | ||
|
|
||
| The SIG's main work this year has been on raising awareness of relevant standards efforts, disseminating information to members about these efforts, and highligting when public consultations are open / helping members participate in these consultations. | ||
|
|
||
|
|
||
| We are developing [Comments to the draft Communication on Commission guidance on the application of the CRA](https://docs.google.com/spreadsheets/d/1UNVJ5o3snT1oV_bqLWSmlBYm1DCvysQJcwvBszPjzes/edit) | ||
| Minutes available here: [SIG Minutes Document](https://docs.google.com/document/d/1XjE5VYdyIdH32T94ZQIj0Hf5btRiKG58z3jSInY77wA/view?tab=t.0). | ||
|
|
||
| ## Questions/Issues for the TAC | ||
|
|
||
| None at this time. | ||
|
|
||
| ## Additional Information | ||
|
|
||
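Review bot: The top-level heading reads "2026 Q4 TAC Report" while the PR title and the file path named in the commit list (TI-reports/2026/2026-Q1-GCP-WG.md) both say 2026 Q1; the heading should be changed to Q1 so the report is filed under the right quarter. In the Standards SIG section, the sentence "The Standards SIG is led by ..." appears twice, the paragraph beginning "The SIG's main work this year" appears twice back to back, and the shorter paragraph beginning "The SIG's mission has been to coordinate between stakeholders" overlaps the longer mission paragraph above it; keep one version of each. Smaller items in the same hunk: "having been been formed" in the Overview, "highligting" in the Standards SIG text, the "[pending]" placeholder after "Activities and Publications:", and the "Additional Information" heading with no content under it. The list introduced by "Since our last report, we held two tech talks:" also continues with bullets that are not tech talks (FOSDEM dev room, site update, blog posts), so those would read better under their own lead-in sentence.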