Open source software is used across critical infrastructure ecosystems. Cybersecurity standards to identify trustworthy software products are coming fast. The EU CRA requires product vendors to provide product vulnerability reports starting in September 2026; development of standards for vulnerability reporting in the EU CRA is currently underway. The US Government already has NIST guidance for vulnerability reporting best practices, described in the Vulnerability Management section of the CISA Secure Software Acquisition Guide.
Updates to the US FAR rules on cybersecurity practices are currently being drafted and will be available for review this year. NASA has taken a lead in developing and implementing SCRM best practices.