1、Pathways to Cybersecurity Best Practices in Open SourceHow the Civil Infrastructure Platform,Yocto Project,and Zephyr Project are Closing the Gap to Meeting the Requirements of the Cyber Resilience ActMarch 2025Mirko Boehm,PhD,The Linux FoundationHilary Carter,The Linux FoundationCailean Osborne,PhD

2、,The Linux FoundationForeword by Miriam Seyffarth,Open Source Business AllianceSPONSORED BY:The CRA introduces regulatory oversight on products with digital elements(PDEs),with important implications for OSS development across stakeholder groups.The CRA defines a new role of OSS steward,which are or

3、ganisations that systematically support the development of open source technologies which they do not monetize.Under the CRA,OSS stewards are responsible for cybersecurity policy,processes for handling&reporting vulnerabilities,cooperation with MSAs,&voluntary security attestations.Open source proje

4、cts need to establish a 5-year security roadmap,investing in PSIRT teams&security policies to prepare for CRA timeline requirements.Standardized security tooling accelerates CRA compliance,with SPDX 3.0,OpenSSF Scorecard,&OpenChain frameworks helping projects implement security best practices.Semant

5、ic versioning helps manufacturers track CRA compliance by mapping substantial modifications,minor updates,&bug fixes to clear versioning.SBOMs must provide greater granularity,as file-level tracking improves security visibility,risk assessment,&vulnerability response for manufacturers.Open source se

6、curity requires cross-industry collaboration,where manufacturers,governments,&projects co-develop policies,fund security,&ensure long-term software maintenance.The CRA presents an opportunity to strengthen OSS security by improving security practices,documentation,and collaboration across the ecosys