A key requirement for highly responsive behaviour is situational awareness. In order to be able to act, one has to know — at any given point in time — exactly what software, firmware and hardware are present across one's entire infrastructure. Having an up-to-date Software Bill of Materials is obviously a minimum requirement, but unfortunately more is needed in order to understand when and how to act, and to be able to act at all. The latter requires unconditional access to all upstream source code, up-to-date information sources that keep you in sync with the never-ending influx of new vulnerabilities, a suitable test infrastructure including CI/CD, etcetera. This page gives an overview of a number of key free and open source solutions which are available to anyone at no cost.
If development, maintenance and operations are separate from your compliance workflow, you are not only duplicating effort but are likely to run into significant inconsistencies sooner rather than later. Moreover, it doesn't help with actually improving responsiveness. Compliance is a by-product of a healthy main workflow. We recommend following what we labelled the golden route: transition your development and delivery pipeline to modern cross-platform functional package management (like Nix, Guix or Lix), while adding continuous integration/continuous delivery. Combined, this gives you a hermetic, reproducible and highly responsive internal delivery process suitable for even the most critical environment, without adding any proprietary or expensive dependencies.
On top of such a package management solution, which makes your entire dependency tree transparent and validatable, you can use free and open source tooling to automatically generate compliance-ready CycloneDX Software Bill of Materials. Genealogos for instance produces a valid SBOM for you, for any package available in what is arguably the largest collection of industry-ready software in the world — the nixpkgs repository — or in fact from any nix flake. And what is even more interesting: you can automatically keep it up to date (and make it available to your users or customers) by integrating such a tool in your CI/CD. At their end, they are able to replicate your entire setup, as long as they have access to the source files (which you can either share with them, or in case of proprietary software, put into escrow).
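To show what a generated SBOM is actually used for once it exists, here is an added example (not code from this page, nor from Genealogos): it parses a CycloneDX document, checks the envelope and required component fields, and reports which advisories apply to components still below the fixed version. The SBOM, the purls and the advisory identifiers are constructed sample data.

```python
"""Cross-check a CycloneDX SBOM against an advisory feed (added example)."""
import json

# Constructed CycloneDX 1.5 document, shaped like what an SBOM generator emits.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "zlib", "version": "1.2.13",
         "purl": "pkg:nix/zlib@1.2.13"},
        {"type": "library", "name": "openssl", "version": "3.0.7",
         "purl": "pkg:nix/openssl@3.0.7"},
        {"type": "application", "name": "hello", "version": "2.12.1",
         "purl": "pkg:nix/hello@2.12.1"},
    ],
})

# Constructed advisory feed: placeholder ids, affected name, first fixed version.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "openssl", "fixed_in": "3.0.8"},
    {"id": "ADV-EXAMPLE-0002", "name": "zlib", "fixed_in": "1.2.13"},
]


def load_components(sbom_text):
    """Validate the CycloneDX envelope and return components keyed by name."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX" or "specVersion" not in doc:
        raise ValueError("not a CycloneDX document")
    comps = {}
    for c in doc.get("components", []):
        if not all(k in c for k in ("name", "version", "purl")):
            raise ValueError(f"component missing required field: {c}")
        comps[c["name"]] = c
    return comps


def version_tuple(v):
    """Dotted numeric version to a comparable tuple (enough for the sample data)."""
    return tuple(int(p) for p in v.split("."))


def affected(sbom_text, advisories):
    """Return ids of advisories whose package is present below the fixed version."""
    comps = load_components(sbom_text)
    hits = []
    for adv in advisories:
        c = comps.get(adv["name"])
        if c and version_tuple(c["version"]) < version_tuple(adv["fixed_in"]):
            hits.append(adv["id"])
    return hits


if __name__ == "__main__":
    print(affected(SBOM_JSON, ADVISORIES))
```

Run in CI after the SBOM is regenerated, a non-empty result is the signal that a rebuild or update is due.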
We believe the combination of functional package management and dedicated tooling that does not just comply but empowers is the direction forward for the industry. There may be other ways to comply with the Cyber Resilience Act, but it makes no sense to burn time and effort on patchwork when there are solid solutions that actually improve the entire global software supply chain.
If you benefit from projects from FOSS stewards such as the Apache Foundation, OW2, Commons Conservancy or Eclipse, you may be well aware that the work done inside those communities is not done on a for-profit basis. Such foundations typically have a diverse and motivated community that helps make these awesome technologies available under a free and open source license. That doesn't mean there is an infinite amount of free resources.
As stewards they are themselves not the intended target for compliance regimes like the Cyber Resilience Act. But of course as the caretakers of the projects under their umbrella they have the situational awareness needed, and are eager to help their users who might be. FOSS foundations are a natural venue to facilitate and collaborate on compliance, having all the right people on board as well as procedural insight and technical knowledge. But it won't all magically fall into place. If you are a software or hardware vendor that depends on these technologies, and you need to make sure you comply, the most logical thing is to work together with others to make it happen — if only by pooling budgets to pay someone to do the work for you, so you can focus on your own core work. Many hands make all work light. Regulatory compliance is a burden we all have to face, but if we can share that burden with others the weight on our shoulders will diminish.
Contact us
If you have any questions or remarks about our work or this website, you can send us email through contact [@thisdomain].
If you would like to send us physical mail, our postal address is:
CodeSupply Institute