
EU Cyber Resilience Act: Good for Software Supply Chain Security, Bad for Open Source?


Following the software supply chain attack on SolarWinds and the worldwide panic over the vulnerability affecting Log4j, governments and regulatory bodies around the world have been trying to address a looming problem: how do you secure and protect software supply chains as they become a greater target for cybersecurity attacks?

In the United States, the two Presidential Executive Orders of February 2021 and May 2021 started the conversation about protecting critical U.S. federal systems from cyberattacks. That conversation has since become a steady drumbeat of activity, intensifying and spreading beyond the borders of the United States and into the private sector.

For example:

Industry initiatives such as the Linux Foundation's OpenSSF Open Source Software Security Mobilization Plan (which I've been a part of) also aim to provide guidance on the topic.

Since this is a global concern, other governments are also acting:

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Brian Fox. Read the original post at: https://blog.sonatype.com/eu-cyber-resilience-act-good-for-software-supply-chain-security-bad-for-open-source