
OpenSSF Projects as Compliance Infrastructure for Cloud-Native Software

by Madalin Neag, The Linux Foundation

📍 Atlas 2 Security Intermediate

14:00 – 14:30

Global regulations such as the EU CRA, NIS2, DORA, and NIST SSDF are reshaping expectations for software supply chains. Open source is at the center of this shift, not only for how it is developed, but increasingly for how it is consumed in cloud-native systems.

This session is a follow-up to a presentation held during OpenSource Security Con that makes one point clear: OpenSSF’s Baseline is only the beginning. To ensure real compliance, OpenSSF is helping manufacturers and consumers of open source software via tooling, automation, and shared evidence that can scale across ecosystems.

The talk focuses on how OpenSSF projects and Working Groups work together to support regulatory needs in practice. Starting from the Global Cyber Policy Working Group, it shows how policy interpretation, regulatory mapping, and international alignment feed into technical efforts across OpenSSF. From there, it explores how OpenSSF projects, spanning software integrity, provenance, SBOMs, vulnerability information, and attestations, help produce the artifacts and signals increasingly expected by regulators and auditors.

A key theme is tooling integration and rationalization. Rather than treating each tool or framework in isolation, the session highlights how OpenSSF is aligning projects and guidance so that the same outputs can be reused across multiple regulations and cloud-native environments. This reduces manual toil for both maintainers and consumers, and avoids pushing compliance complexity onto upstream open source projects.

A central element of this session is OpenSSF’s CRA-driven stewardship role. With CRA timelines creating urgency across the ecosystem, OpenSSF is positioned to act as a steward that helps align open source security signals, compliance evidence, and tool integration across communities. This stewardship is not just advisory; it is about coordinating and guiding the ecosystem toward consistent, reusable compliance artifacts that are CRA-relevant, while also supporting broader regulatory alignment.

Finally, the session emphasizes why closer collaboration between OpenSSF and CNCF matters. CNCF projects and platforms are natural integration points where OpenSSF tooling can be embedded once and reused broadly, turning compliance from a bespoke, organization-specific exercise into shared infrastructure for the cloud-native ecosystem.

Attendees will leave with a clearer understanding of how OpenSSF projects and Working Groups fit together, and how cloud-native teams can use this ecosystem to support verifiable, real-world compliance demands.