That makes a lot of sense. Thanks for clarifying!
I'm not sure what will be most helpful here - I unfortunately am unaware of any list of "approved R packages" for use in classified / other environments. Most organizations end up with their own somewhat varied classifications based on license, authorship, organization sponsorship, testing approaches, scope of testing coverage, did it go through a virus scanner, etc.
CRAN itself does have a rather stringent set of security requirements, and CRAN package approvals are maintained by humans (i.e. no auto-approval for a first-time package submission, etc.). Many organizations trust the CRAN check / validation process as sufficient to limit the length of their own formal security process.
One of the focuses for RStudio Package Manager (enterprise software created by RStudio) is to give organizations the type of tooling that they need to marshal these conversations and review processes, approve a subset of packages / versions, and then serve those to users with minimal overhead.
You can read more about package manager here: https://www.rstudio.com/products/package-manager/ or here:
In particular, what this flow might look like in an organization such as yours:
- define some type of rules around excluding certain package sets
- define rules around accepting certain package sets
- build an "initial list" of packages as a proposal (Package Manager calls this a "curated repo" and will generate the list of information for you with the CLI)
- review the proposal / review / modify / approve as necessary
- serve only the approved packages to your internal infrastructure
- have some process by which additions to the approved list can be requested and evaluated
EDIT: The flow in RStudio Package Manager is described here: https://docs.rstudio.com/rspm/admin/quickstarts.html#quickstart-curated-cran
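The curated-repository flow in the list above, as an added, tool-agnostic example (not part of the original post, and not RStudio Package Manager's own CLI or data format): exclusion rules (deny list, excluded licenses) are applied first, then acceptance rules (an approved-license list), and the proposal is built over the transitive dependency closure so that a package whose dependency fails review is itself held back rather than served with a gap. The catalogue, package names, versions and licenses are constructed sample data standing in for a CRAN snapshot.

```python
"""Build a curated-repository proposal from allow/deny rules.

Added example (hypothetical rules and constructed catalogue); it is not
RStudio Package Manager's implementation or output format.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    license: str
    depends: tuple = ()


# Constructed sample catalogue standing in for a CRAN snapshot.
# Names, versions, licenses and dependencies here are illustrative only.
CATALOGUE = {
    "dplyr": Package("dplyr", "1.1.4", "MIT", ("rlang", "vctrs", "tibble")),
    "rlang": Package("rlang", "1.1.3", "MIT"),
    "vctrs": Package("vctrs", "0.6.5", "MIT", ("rlang",)),
    "tibble": Package("tibble", "3.2.1", "MIT", ("rlang", "vctrs")),
    "shinyextra": Package("shinyextra", "0.1.0", "Proprietary", ("rlang",)),
    "netgrab": Package("netgrab", "2.0.0", "GPL-3", ("curl",)),
    "curl": Package("curl", "5.2.0", "MIT"),
}

# Exclusion rules: anything matching these is rejected before anything else.
DENIED_PACKAGES = {"netgrab"}            # e.g. excluded after an internal review
DENIED_LICENSES = {"Proprietary", "Unknown"}

# Acceptance rules: only these licenses are eligible for the curated repo.
ACCEPTED_LICENSES = {"MIT", "GPL-2", "GPL-3", "Apache-2.0", "BSD_3_clause"}


def exclusion_reason(pkg):
    """Return a reason string if an exclusion rule matches, else None."""
    if pkg.name in DENIED_PACKAGES:
        return "package on deny list"
    if pkg.license in DENIED_LICENSES:
        return f"license {pkg.license} is excluded"
    return None


def build_proposal(requested, catalogue=CATALOGUE):
    """Return (approved, rejected) for a list of requested package names.

    approved: dict name -> Package, the full dependency closure that passed.
    rejected: dict name -> reason, including packages pulled in only as
              dependencies, so reviewers see why a request failed.
    """
    approved, rejected, visiting = {}, {}, set()

    def visit(name):
        if name in approved:
            return True
        if name in rejected:
            return False
        if name in visiting:          # dependency cycle: do not recurse forever
            return True
        pkg = catalogue.get(name)
        if pkg is None:
            rejected[name] = "not in catalogue"
            return False
        reason = exclusion_reason(pkg)
        if reason is None and pkg.license not in ACCEPTED_LICENSES:
            reason = f"license {pkg.license} not on accept list"
        if reason is None:
            visiting.add(name)
            for dep in pkg.depends:
                if not visit(dep):
                    reason = f"dependency {dep} rejected"
                    break
            visiting.discard(name)
        if reason is not None:
            rejected[name] = reason
            return False
        approved[name] = pkg
        return True

    for name in requested:
        visit(name)
    return approved, rejected


def proposal_report(requested, catalogue=CATALOGUE):
    """Human-readable proposal for the review step, one line per package."""
    approved, rejected = build_proposal(requested, catalogue)
    lines = [f"APPROVE {p.name} {p.version} ({p.license})"
             for p in sorted(approved.values(), key=lambda p: p.name)]
    lines += [f"REJECT  {n}: {r}" for n, r in sorted(rejected.items())]
    return lines


if __name__ == "__main__":
    for line in proposal_report(["dplyr", "shinyextra", "netgrab", "ggplot2"]):
        print(line)
```

The approved set is what would be served internally; the rejected map is the material for the review / modify step, and a later request to add a package is just another call with the new name appended. Recording the dependency that caused a rejection matters in practice: a request for one package often fails because of something two levels down that nobody asked for.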