openjs-foundation / standards

a repository for documenting and coordinating the foundation's web standards work
Apache License 2.0

Open Policy Alliance response to CISA's request for comments for CIRCIA #293

Closed tobie closed 2 months ago

tobie commented 3 months ago

This is FYI: the Open Policy Alliance (technically an OSI project) wrote a response (PDF) to CISA's request for comments on the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) (extended to July 3rd).

Timing made it impossible to bring this up to the group before approving the response, so after checking with @rginn, and because the topic wasn't contentious and inaction more harmful than action, I signed it on behalf of OpenJSF.

Overall, the general feeling was that CIRCIA wouldn't impact open source but that it was a good idea to clarify that open source was out of scope, notably because there were explicit questions addressed to the open source community, in particular:

  1. How the proposed IT Sector sector-based criteria might apply to members of the open-source ecosystem, including whether entities that may provide IT hardware, software, systems, or services to the Federal government know or could determine whether they are providing such goods or services to the Federal government, and, if so, the level of effort in making such a determination.