Re: [open-regulatory-compliance] Kicking off the CRA Attestations project

On Tue, 2025-10-28 at 16:27 -0400, Victoria Risk via open-regulatory-compliance
wrote:
> I have one observation which may or may not be relevant. 
> 
> When the US Government started soliciting for software attestations, these had
> to be signed by an organization’s chief executive, or their authorized
> representative, and they carry the potential for *criminal penalties* - not
> just economic penalties. In my opinion, this puts them into a very different
> risk category than a regulatory requirement which might carry a fine, or even
> under the revised PLD, a further punitive (but still financial) penalty. I
> haven’t heard anything about that in reference to the CRA, but I still have
> that association with the word “attestation”, (sorry, I don’t speak German!). 
> 

The association is understandable since it is the same term, but the context is
quite different. 

As far as I'm aware, the criminal penalties you're referring to follow only from
potential perjury in federal procurement, would not apply to simply placing a
product on the market, and have nothing to do with cybersecurity or open source
software per se. (If this view is based on outdated info, I hope someone will
update me!)

On the other hand, the CRA clearly states that no financial penalties apply to
open source stewards.


All that being said -- even without knowing exactly how they will be
implemented, we already know there are major differences between "US federal
procurement attestations" and "EU CRA attestations". It's good to remember to
be clear when talking about different types of "attestations."

Best,
--a.
