CEN/CENELEC Liaison summary


Rob van der Veer

May 29, 2024, 1:32:24 PM
to Global-board
Dear board,
Here's a comprehensive summary about that CEN/CENELEC liaison partner role.
Feel free to invite me for a board meeting to discuss.
Best regards,
Rob

  • OWASP gained a great place at the table of international standardization by being accepted as an official liaison organization with CEN/CENELEC. Together with ETSI, they do all European electrotechnical and IT standards. Plus they collaborate with global ISO standards.
  • How
    • As you know we submitted a request for this in January. That has gone into voting with all European countries and passed after 6 weeks.
    • OWASP then needed to set their signature again on the agreement form. This has been done recently and sent in to CEN/CENELEC. So everything is in place.
    • OWASP pays a fee per working group (per standard or group of standards) per year of about 700 dollars
    • OWASP gains access to documents for the working group, can provide contributions and join group meetings
  • Why
    • The key reason to apply for this is to secure our involvement in the AI Act and in ISO/IEC 27090 - both on the security of AI. Before this, it depended completely on my personal involvement as the representative from the Netherlands in CEN/CENELEC JTC21/WG5: the group working on security requirements for the AI Act and liaising with ISO on the 27090, called "Joint standardization on Cybersecurity for AI systems"
    • This involvement is important because:
      • 1. Secure AI: CEN/CENELEC needed help from external experts on the difficult topic of AI security to write standards, and OWASP provided it to ensure secure AI systems, which is important for the world, and
      • 2. Great exposure for OWASP: by doing so, this is very good for OWASP's recognition and brand exposure - which also radiates to OWASP members feeling their sense of belonging and motivating them to stay at OWASP and promote OWASP. This exposure is not just for the AI Act, but OWASP at the table of international standardisation is good for being taken seriously.
    • I have been channeling OWASP content from my OWASP security and privacy guide project, under the working title of OWASP AI Exchange, in which I assembled a group of 35 top experts from around the world. Free of copyright and attribution.
    • Also, some of the CEN/CENELEC stakeholders have been asking questions regarding the status of OWASP. OWASP's role wasn't always taken seriously as it's not an official SDO.
    • Furthermore, OWASP can be at the table for many more standards than just the AI Act. This can give more meaning to OWASP projects.
  • Next:
    • I will keep joining the WG 5 meetings and the great thing is that the OWASP content will no longer be looked at as 'something that Rob and his team have been preparing', but as input from an official liaison. Plus: I can invite team members from OWASP to join me, or temporarily substitute me, and they can help process the material we have to digest in WG 5. Plus: further steps do not depend on my availability and it becomes a more scalable and continuous engagement.
    • Let's make some good noise on social media and press release.
    • Let's explore opportunities by reaching out to working group leaders.
  • More details on the liaison partnership are in https://boss.cenelec.eu/media/Guides/CEN-CLC/cenclcguide25.pdf
  • JTC 21 is about AI and JTC 13 is the 'joint technical committee' on security.
  • Now that the liaison relation is in place, OWASP has the option of joining one or more of these workgroups
    • Opportunities:
      • Here's what I know about that list of projects:
      • CEN/CLC/JTC 13/WG 10 Cryptography
      • CEN/CLC/JTC 13/WG 2 Management systems and controls sets
        • -> Could be interesting for SAMM to provide input
      • CEN/CLC/JTC 13/WG 3 Security evaluation and assessment
        • -> Could be interesting for WSTG
      • CEN/CLC/JTC 13/WG 5 Data Protection, Privacy and Identity Management
      • CEN/CLC/JTC 13/WG 6 Product security
        • -> This is about connected devices and includes product lifecycle processes (SAMM) and product requirements (ASVS etc.)
      • CEN/CLC/JTC 13/WG 7 Adhoc group EU 5G Certification scheme support group
      • CEN/CLC/JTC 13/WG 8 Special Working Group RED Standardization Request
        • -> The RED is pretty far in the process. Probably no time for influence
      • CEN/CLC/JTC 13/WG 9 Special Working Group on Cyber Resilience Act
        • -> The CRA is pretty far in the process. Probably no time for influence
      • Looking at the new project lists (https://standards.cencenelec.eu/dyn/www/f?p=205:79:0::::FSP_LANG_ID:25&cs=1ADE62405963DACD28ADF531608F78285), there are some very interesting ones that just started, such as:
      • -15408-5-rev: information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 5: Pre-defined package

Bil Corry - Treasurer

May 29, 2024, 4:35:01 PM
to Rob van der Veer, Global-board
Thank you Rob for the update. There's a lot of opportunity for OWASP. How best do you think OWASP can operationalize and organize our participation on the OWASP side? Do we form a Standards committee? Create an email list? Create a Slack list? Put out a call for volunteers (and if so, who will direct them)? Something else?


- Bil


Rob van der Veer

Jul 2, 2024, 2:51:25 PM
to Bil Corry - Treasurer, Global-board
Hi Board,
So just now during the board meeting, it was decided there needs to be a project to coordinate the links with the various standardization organizations with which OWASP has a liaison relationship.

I believe the best way to go about this is to let me focus on what I'm good at, which is creating results in AI security, OpenCRE, and SAMM - meaning: not to make me part of that standards project.

I understand the need to coordinate the relations. At the same time, I need to focus my available time on participating in CEN/CENELEC JTC21/WG5, in ISO 27090, running the AI Exchange to produce the AI security content and coordinating the 50 experts, plus taking OpenCRE.org to the next level.

I can and will make sure there is a good link between OWASP and CEN/CENELEC by identifying and briefing the designated channels: the chairs of the committees and working groups at CEN/CENELEC. OWASP projects can best work with them directly - under coordination of the standards project. It works better and scales better than working through me. I can provide the contact details of these people and make sure they are briefed, plus provide an overview of CEN/CENELEC projects.

Of course, I am available to discuss matters around CEN/CENELEC whenever necessary.

Please let me know if you have any questions or remarks.

Best,
Rob van der Veer
AI security and privacy guide - including the AI Exchange
OpenCRE
SAMM

Rob van der Veer

Jul 2, 2024, 2:51:25 PM
to Bil Corry - Treasurer, Global-board
Dear board,

As a follow-up to my previous email on the upcoming standards committee: 
First of all, thank you for your warm applause on my CEN/CENELEC efforts. That meant a lot to me. Secondly, I have recruited two great candidates for the standards committee:
Maxim Baele, from the SAMM team, who is committed to letting SAMM and other OWASP work land in standards, and Olle E Johansson, who is connected to the Eclipse effort.
Let me know if you need assistance in approaching them. I am sure they will appreciate being approached by the board directly for this.

In the meantime, I will keep you posted on the progress of hearing a confirmation from CEN/CENELEC of receiving the OWASP signature. Then OWASP can do a press release.
Perhaps it is possible to combine this news with the upcoming press release on standardisation. It would show that a lot is going on in one message. Or perhaps you want to spread these messages. Up to you.
Please let me know your preference.

Cheers,
Rob

Avi D (BoD & OWASP Israel)

Jul 2, 2024, 5:40:09 PM
to Rob van der Veer, Bil Corry - Treasurer, Steve Springett, Global-board
Thank you Rob!

Board, I think we should add this (need for a standards/government relations committee) as a topic for discussion to July's public meeting. Especially if @Steve Springett will be present and able to weigh in?

Avi D

Steve Springett

Jul 2, 2024, 5:51:16 PM
to Rob van der Veer, Bil Corry - Treasurer, Avi D (BoD & OWASP Israel), Global-board
Yes, thank you Rob. Had some power and connectivity issues during last week's meeting, but yes Avi, let's discuss during July's meeting.

— Steve