Slide 1

The CRA and what it means for us
Greg Kroah-Hartman
[email protected]
git.sr.ht/~gregkh/presentation-cra

Slide 2

Disclaimer
›All of this is just my personal opinion, based on working as part of the CRA expert group.
›“Us” means “Open Source developers”, not “manufacturers” or “businesses” or any other corporate role.
›I’m only going to focus on how this all will affect us individual developers in our role of creating software that everyone else uses.

Slide 3

The CRA has loads of TLAs
›Cyber Resilience Act (CRA)
›Product with digital elements (PDE)
›Open Source Software (OSS)
›Software bill of materials (SBOM)
›European Union (EU)

Slide 4

What is the CRA
›List of software “ingredients” in a “device”
›Making sure those “ingredients” are “safe”

Slide 5

What is the CRA
›EU Regulation covering PDEs in the EU market
›Obligations for manufacturers, distributors, and importers
›Product classification
›Market surveillance and enforcement

Slide 6

Market surveillance and enforcement
›Designated Cyber Security Incident Response Teams (CSIRT)
›European Union Agency for Cybersecurity (ENISA)

Slide 7

What is the CRA – cont.
›Requirements for cybersecurity portions of the PDE life cycle
›Vulnerability reporting and handling

Slide 8

Software life cycle requirements
›Risk management
›Design
›Development
›Documentation (SBOM)
›Production

Slide 9

Different “types” of products
›Default
›Level 1
›Level 2
›Critical

Slide 10

Stuff outside the scope of the CRA
›Services (websites, SaaS)
›Many specific types of devices
 – Auto, medical, aeronautical, marine, etc.
›Non-commercial hobby products

Slide 11

Stuff outside the scope of the CRA
›Services (websites, SaaS)
›Many specific types of devices
 – Auto, medical, aeronautical, marine, etc.
›Non-commercial hobby products
 – Until your software gets added to a product!

Slide 12

Different classification of groups
›OSS developers
›OSS “Stewards”
›Manufacturers
›Integrators
›Distributors

Slide 13

Is your open source project covered?*
›Are you providing FOSS or merely contributing?
 – contributing → NOT IN SCOPE
›Are you directly monetizing the project?
 – yes → “Manufacturer”
›Development in the course of a commercial activity (in the broad sense)?
 – no → NOT IN SCOPE
›Legal person providing support to FOSS intended for commercial activities?
 – yes → “Open-source software steward”
 – no → NOT IN SCOPE
* Simplified flow-chart for presentation purposes.

Slide 14

“legal person”
›Disagreement about what this means right now
›Hopefully will have clarity in a few months

Slide 15

Open-source Software Steward
›“Foundation” or other legal entity releasing open source software
›Supposed to not be an individual

Slide 16

Stewards responsibilities
›Provide a contact for security issues
›Report security fixes to

Slide 17

You should already be doing this!
›security.txt
›Become a CNA or fill out a web form
›https://bestpractices.dev/
›reuse tool from FSFE
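The security.txt item above is the concrete form of “provide a contact for security issues”. The following checker is an added example, not code from the talk or from any of the projects it mentions; it validates the two fields RFC 9116 requires (Contact and Expires) plus the one-year expiry recommendation, against a constructed sample file for the hypothetical example.org project.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of what https://example.org/.well-known/security.txt could hold.
SAMPLE = """# Security contact for the hypothetical example.org project
Contact: mailto:security@example.org
Contact: https://example.org/security-report
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en
Canonical: https://example.org/.well-known/security.txt
"""

def parse_security_txt(text):
    """Return {lower-case field name: [values]} from 'Name: value' lines; comments ignored."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def _ts(value):
    """Parse an RFC 3339 timestamp such as 2030-01-01T00:00:00Z as an aware datetime."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def check_security_txt(text, now=None):
    """Return a list of problems (empty means acceptable).
    `now` is an ISO 8601 timestamp string; it defaults to the current UTC time."""
    now = _ts(now) if now else datetime.now(timezone.utc)
    f = parse_security_txt(text)
    problems = []
    if "contact" not in f:
        problems.append("missing Contact (required)")
    elif not all(v.startswith(("mailto:", "https://", "tel:")) for v in f["contact"]):
        problems.append("Contact values must be URIs (mailto:, https://, tel:)")
    if "expires" not in f:
        problems.append("missing Expires (required)")
    elif len(f["expires"]) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = _ts(f["expires"][0])
        except ValueError:
            problems.append("Expires is not an ISO 8601 date-time")
        else:
            if exp <= now:
                problems.append("Expires is in the past; the file is stale")
            elif exp > now + timedelta(days=366):
                problems.append("Expires is more than a year out; RFC 9116 recommends under a year")
    return problems
```

Run it against the file you actually serve and put it in CI, so a stale Expires or a bare e-mail address (not a mailto: URI) is caught before a reporter hits it.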

Slide 18

Stewards checklist
https://github.com/ossf/wg-globalcyberpolicy/blob/main/documents/CRA/checklists/OSS_Stewards_Obligations_Checklist.md

Slide 19

Timeline
›10 December 2024
 – “entered into force”
›11 June 2026
 – Governments ready
 – Assessment bodies ready

Slide 20

Timeline – cont.
›11 September 2026
 – Manufacturers must report
›11 December 2027
 – Entire regulation applies

Slide 21

Standards
›Use of standards is voluntary
›Standards are not finished yet
›Some will not be finished until after December 2027
›We are participating in the standards process

Slide 22

External Resources
›Linux Foundation CRA site
›Linux Foundation free CRA training course
›OpenSSF documentation
›Open Regulatory Working Group FAQ