[open-regulatory-compliance] Self nomination for Specification Steering Committee

Dear all,

I am writing to nominate myself to serve on the Specification Committee. This group will be vital in advancing standards, fostering collaboration, and shaping the future of standards that inevitable regulation worldwide will build upon as the world grapples with mature and responsible use of open source.


In my role as CTO of Sonatype and through nearly two decades of active contributions to the Apache Software Foundation open-source ecosystem, I have consistently worked to drive innovation and improve security and open source consumption practices, particularly in regulated industries such as finance, telecommunications, and government. Over the past decade, my efforts have focused heavily on evangelizing and designing systems to help organizations improve their open source supply chain practices. More recently, I’ve been focused on pushing for sensible policies that can further encourage organizations to make the required improvements to their systems.


Key highlights of my recent work and ongoing contributions that align with this committee’s mission include:

CycloneDX Champion: I’ve been involved in the evolution and adoption of CycloneDX, one of the most widely adopted SBOM standards, since the very early days. My efforts included fostering the development of the first security extensions to the spec. I have continued collaboration with industry stakeholders and advocacy for its use in regulatory and compliance contexts worldwide.

Policy and Regulatory Engagement: I’ve played an active role in advancing secure open-source practices and policy, particularly through my work with the OpenSSF Technical Response Committee. I’ve chaired responses to key government initiatives such as CISA and ONCD RFIs/RFCs, helping to align the open-source community with emerging regulatory frameworks.

Collaboration Across Ecosystems: My experience spans participation and leadership within OpenSSF, Policy and Infra work with the ASF, collaboration with Open Forum Europe, The Atlantic Council, and other policy-focused organizations, enabling me to bridge gaps between technical innovation and regulatory requirements. This includes contributing to the Cyber Resilience Act (CRA) and Product Liability Directive (PLD) dialogues in multiple forums to ensure practicality and effectiveness in their implementation.


As a member of the Specification Committee, I would aim to bring this unique combination of technical expertise, policy experience, and collaborative spirit to support the group’s objectives. My focus would be on ensuring that specifications are not only technically robust but also aligned with real-world regulatory and operational needs.


I am passionate about fostering an environment that encourages diverse participation and thought leadership. Success, to me, means specifications and practices that are broadly adopted, trusted, and impactful across industries.


Thank you for considering my nomination. I am excited about the opportunity to contribute and to further the important work of this committee.


Best regards,

Brian Fox



BIO:

Brian Fox, Co-founder and Chief Technology Officer at Sonatype, brings over 20 years of hands-on experience driving software development for organizations of all sizes, from startups to large enterprises.


A recognized figure in the Apache Maven ecosystem and a longstanding member of the Apache Software Foundation, Brian has played a crucial role in creating popular plugins like the maven-dependency-plugin and maven-enforcer-plugin. His leadership includes overseeing Maven Central, the world's largest repository of open-source Java components, which recently surpassed a trillion downloads annually.


As a Governing Board member for the Open Source Security Foundation, Brian actively contributes to advancing cybersecurity. Working with other industry leaders, he helped create The Open Source Consumption Manifesto, urging organizations to elevate their awareness of the Open Source Software (OSS) components they use. Brian has also chaired efforts to provide official responses to requests for information from the Open Source National Cybersecurity Directorate (ONCD) and the Cybersecurity and Infrastructure Security Agency (CISA), emphasizing his practical role in shaping the future of Open Source Cyber Security efforts.


Within the Atlantic Council’s Open Source Policy Network, Brian actively helps shape cybersecurity strategy, offering valuable insights on critical documents, such as The Office of the National Cyber Director’s recent National Cyber Security Strategy.


Brian's thought leadership extends to publications, including a position paper with the Atlantic Council that explores how the software industry can learn from manufacturing practices to improve supply chain management. His IEEE article, using similar concepts, highlights how addressing supply chain issues can boost productivity.


A regular speaker at national and regional events, including Java User Groups and development-related conferences, Brian not only shares his expertise but also provides practical insights for professionals navigating the ever-evolving landscape of software development and supply chain security.

