
TAG Security and Compliance Chair Nomination

Open mrbobbytables opened this issue 7 months ago • 11 comments

Following the TAG Reboot Timeline, we are opening nominations for (3) Chairs for TAG Security and Compliance. If this interests you, please review the information on TAG governance and responsibilities in the TAG Governance doc and the draft charter for the TAG. Then, if you're still interested - please post your bio below and confirm your interest in running for chair.

Election timeline:

  • May 19: Nominations close for new TAG Chairs
  • May 19: TOC Vote opens for new TAG Chairs
  • June 2: TOC Vote closes for new TAG Chairs
  • June 2: Newly seated TAG Chairs announced

NOTE: Timeline is subject to change; check the TAG Reboot Timeline issue for the most up-to-date information.

Once the initial leads are seated, we'll work on refining the charters and really get things going. :)

Links:

  • TAG Restructuring Presentation - Feb 4, 2025
  • TAG Reboot Timeline Issue
  • TAG Governance Doc
  • Draft Charter

mrbobbytables avatar May 05 '25 22:05 mrbobbytables

I would like to self-nominate for the role as TAG Security and Compliance Co-chair.

My work with the TAG was recently documented in the TOC issue for my previous TAG Security co-chair appointment.

Bio: I am Principal Consultant at ControlPlane, where we help some of the world’s most security-conscious organizations build and assure mission-critical platforms. I am a maintainer of the Witness and Archivista sub-projects under in-toto and have served as a co-chair for the CNCF’s TAG Security. I am also actively involved in several Working Groups and projects within the OpenSSF. Prior to joining ControlPlane, I was the Director of Open Source at TestifySec and held multiple engineering leadership roles at VMware.

jkjell avatar May 07 '25 17:05 jkjell

I would also like to nominate @mnm678 and @eddie-knight for Co-chair of the new Security and Compliance TAG.

They have proven their leadership skills as members and co-chairs of TAG Security over their many years of contributions. In addition to this, they are each maintainers of multiple open source projects, giving them the proper experience to support other CNCF projects with the new charter of the future TAG, the Project Review sub-project, and the Contributor Strategy sub-project.

Marina and Eddie have been highly engaged with the TAG restructuring process itself. This commitment, without regard for any guarantee of a future leadership role, shows their dedication and commitment. I would ❤ to see each of them continue providing their great leadership within the CNCF for the benefit of the community.

jkjell avatar May 07 '25 18:05 jkjell

Huge thanks @jkjell. The three of us have been consistently aligned in our desire to elevate the CNCF project ecosystem, and where we disagree on implementation details, I find that ideas are quickly and effectively polished to move into something actionable.

I can highly recommend both @jkjell and @mnm678 for this role after seeing their consistent, human-centric, thoughtful leadership approaches.

With Marina's skills and experience with research, communication, and diversity in the security space, and John's insight from participating and leading a variety of projects... The TAG is consistently able to rely on these two to keep the community moving forward regardless of the weather.

My bio:

Software and Cloud Engineer with a background in banking technology. As the lead of Sonatype's Open Source Program Office, now combining passion and job duties by working to improve the security of open source software. Organizer for the CNCF Security Slam, Chair of the FINOS Technical Oversight Committee, author of the Open Source Project Security Baseline, and contributor to a variety of security and compliance projects across the ecosystem.

eddie-knight avatar May 07 '25 18:05 eddie-knight

Thanks @jkjell for the nomination!

I second everything @jkjell and @eddie-knight have said. Their dedication to this community and cloud native security is evident in the time and care they have put into TAG Security.

As a current co-chair of TAG Security, I'm excited to put myself forward to participate in this new chapter.

My bio:

I am a Research Scientist at Edera and head of Edera Research where I conduct research on container isolation, confidential computing, software supply chain security, and cloud security. I am also a maintainer of The Update Framework (TUF), a CNCF graduated project that provides secure software update and delivery, as well as an emeritus maintainer of the recently graduated in-toto project. Outside of the CNCF I have contributed to open source projects including Uptane and Sigstore and participated in working groups from the OpenSSF.

As a co-chair of TAG Security, I have contributed to security assessments and whitepapers, as well as done community organizing around the TAG’s working groups, weekly meetings, and participation at KubeCon and CloudNativeSecurityCon.

mnm678 avatar May 07 '25 19:05 mnm678

I would like to nominate Robert Ficcaglia @sunstonesecure-robert for Co-chair of the new TAG Security and Compliance.

Robert is currently the Co-chair of the Compliance WG under TAG Security, and with the broadening of the TAG Security charter to include Compliance, it is perfect to have him as co-chair of the new TAG.

Robert has proven his leadership skills as co-chair of the Compliance WG and in leading its agenda as part of this WG. He is highly dedicated to this community and to advancing cloud native compliance tools and use-cases. He has given multiple presentations/talks around compliance automation, tools, and technology in various forums such as CloudNativeSecurityCon North America 2024 and others.

vikas-agarwal76 avatar May 16 '25 10:05 vikas-agarwal76

That's very kind, Vikas. I will accept, but I will also be transparent that my energy would be focused on growing the audience and cross-disciplinary engagement - to be inclusive of a diverse array of perspectives on security and compliance, including SMEs who are not only technical but bring legal, regulatory and privacy perspectives. While I am a coder, there are many who are not who have much to contribute. Also, as AI is now pertinent to all aspects of operating a secure and resilient Cloud Native open source based system - from generating Rego to agentic red teaming K8s, to validating CNCF project code - there needs to be an "AI native" review of the CNCF ecosystem.

If that's of interest to the community - always happy to help.

In terms of bio I'll just note that I oversee security and compliance strategy and operations for a portfolio of public and private companies representing several $B USD in market value, and personally work with dozens of Federal CSPs and Agencies. If you have ever used a credit card online, you have interacted with crypto and systems I helped design and secure. If you ever used a secure/encrypted USB, yeah, I probably had a hand in that, too. I have also worked alongside the US Department of Veterans Affairs for over a decade helping vets get better (and more secure) care - and personally I think Vets are super duper awesome and they deserve all our thanks! (I did not have the privilege of serving but respect tremendously the service they give!)

I have had the great opportunity to be a volunteer part of the CNCF community since 2018:

  • one of the first members of the group that pre-dated the CNCF sig-security which became the TAG Security and now this new TAG
  • hands-on participating in and leading many of the sig/TAG Security reviews/assessments including OPA, Cloud Custodian, OpenFGA, Prometheus, in-toto
  • working also in k8s helping lead and coordinate the last 2 external audits, for which I was awarded a K8s contributor of the year (but still don't think I deserved it)
  • helping audit k8s cluster api
  • starting the k8s wg-policy
  • helped define the first LF certification test for K8s security
  • representing K8s and advocating for open source use in multiple other security communities including CSA, other LF groups, and public sector venues like NIST, ATARC
  • helping the cloud teams at the cloud providers and biggest k8s enterprises audit k8s and CNCF projects
  • sharing code and ideas at multiple KubeCons and other CNCF presentations and co-presenting with other CNCF projects
  • most recently co-chairing the compliance WG with the explicit goal of expanding the breadth and diversity of SMEs and attendees to ensure CNCF projects get the support needed to be both secure and used in highly regulated environments. This has greatly increased the visibility of CNCF and participation from many more segments of cloud users.

What started as a way to give back a little 7+ years ago certainly has become an important community of friends and colleagues. If the community thinks I can help, I'll certainly try.

sunstonesecure-robert avatar May 16 '25 19:05 sunstonesecure-robert

Hi - I nominate @evankanderson as co-chair of the new TAG Security and Compliance.

Evan's been involved with the Knative Project and has been a Security WG Lead (in addition to Steering/TOC) for many years now. He's branched off into supply chain security OSS work from his time at Stacklok. I think he'd make a great chair given his background.

dprotaso avatar May 18 '25 19:05 dprotaso

I accept the nomination, though I'm no longer at Stacklok (I am still focused on supply chain security at my new company, Custcodian). I also have interest in identity (human and machine) as the building blocks for robust authorization systems, and I've been a TOC or steering committee member on Knative wrangling governance issues for the past 7 years, as well as contributing to a number of other projects in CNCF, OpenSSF, and non-LF over time.

As chair, I'd be primarily focused on setting up consistent, predictable processes (check-ins and project reviews) to support CNCF projects while making sure to keep abreast of outside developments. I see the chair role as primarily supporting the tech leads and interfacing between their security expertise and the needs of the TOC, GB, and LF.

evankanderson avatar May 18 '25 19:05 evankanderson

Thanks everyone for putting your nomination forward :) With the nomination period now closed, we're going to temporarily lock the issues just so it's clear that the nomination period is over. We'll reopen soon with updates. 👍

mrbobbytables avatar May 20 '25 13:05 mrbobbytables

Still waiting on a final confirmation; once that is done I'll update the thread.

mrbobbytables avatar Jun 03 '25 13:06 mrbobbytables

The chairs to help bootstrap Security and Compliance are:

  • @eddie-knight - 1 year term
  • @mnm678 - 2 year term
  • @evankanderson - 1 year term

Thanks everyone for volunteering 🙏 Please still participate, there's a lot to do, and a lot of future opportunities as things evolve :)

mrbobbytables avatar Jun 03 '25 16:06 mrbobbytables