Open Source Initiatives
The Federal Source Code Policy is designed to support reuse and public access to custom-developed Federal source code. It requires new custom-developed source code developed specifically by or for the Federal Government to be made available for sharing and re-use across all Federal agencies. It also includes an Open Source Pilot Program that requires agencies to release at least 20% of new custom-developed Federal source code to the public.
By making source code available for sharing and re-use across Federal agencies, we can avoid duplicative custom software purchases and promote innovation and collaboration across Federal agencies. By opening more of our code to the brightest minds inside and outside of government, we can enable them to work together to ensure that the code is reliable and effective in furthering our national objectives. And we can do all of this while remaining consistent with the Federal Government’s long-standing policy of technology neutrality, through which we seek to ensure that Federal investments in IT are merit-based, improve the performance of our government, and create value for the American people.
Section 7.7 of the Federal Source Code Policy states that:
Progress on agency implementation of this policy will be primarily assessed by OMB through an analysis of each agency’s internal Government repositories, public OSS repositories, and code inventories on Code.gov, as well as data obtained through the quarterly Integrated Data Collection (IDC), quarterly PortfolioStat sessions, the IT Dashboard, and additional mechanisms [..]
Generally, OMB's approach to assessing agency progress in meeting the Federal Source Code Policy's requirements can be broken into two categories:
OMB will provide additional information about its assessment mechanisms over time.
OMB will regularly review each agency’s enterprise code inventory to ensure that the agency is satisfying the requirements of the Source Code Policy. This review will include both the agency’s internal Government repositories and public open source repositories to ensure that each agency’s enterprise code inventory is properly reflected on – and easily discoverable through – this website.
OMB collects agency data through a number of existing mechanisms, including quarterly PortfolioStat sessions and the Integrated Data Collection. Much of this data is publicly available on ITDashboard.gov. OMB will use this data and other relevant information to better understand the overall impact of the Source Code Policy over time.
18F, a digital services delivery team within the General Services Administration, develops in-house digital solutions to help agencies meet the needs of the people and businesses they serve. This requires flexibility in how we code, with a focus on lowering costs for the American people, while improving their interactions with the U.S. Government.
The default position of 18F when developing new projects is to:
Using FOSS allows for product customization, advances interoperability between tools, and improves the overall quality of the final product. Other benefits include:
Active involvement from the open source community is integral to the success of open source code. 18F will be an active contributor to FOSS projects that it or its clients utilize.
Code written entirely by 18F staff will be dedicated to the public domain. In addition, any contracts 18F enters into, where others will develop software on 18F’s behalf, will ensure that all results are dedicated to the public domain. In general, all discussion in this document about the licensing of work of 18F’s contractors means that 18F will ensure that their contracts guarantee those terms.
18F encourages contributions to its open source projects, whether it be code, commentary, bug reports, feature requests, or overall strategic direction.
Forks or clones of our code repositories are free to be re-distributed. This means code created by 18F can be integrated into work that is under a more restrictive license, even those that are not considered open source licenses.
This changes when 18F code repositories include code that was not created by 18F and carries an open license. Code previously released under an open source license and then modified by 18F or its contractors is considered a “joint work” and must be released under terms permitted by the original open source license.
The public can use the code as the basis of wholly proprietary and commercial systems. 18F would appreciate that users of our code disclose its lineage, but 18F maintains no legal right to require disclosure. Notifications that the work is used in a new system are always greatly appreciated.
As previously mentioned, most work generated at 18F falls within the U.S. public domain.
For international colleagues, 18F also permanently waives all copyright and related rights worldwide to code created by 18F or its contractors.
The default LICENSE file for projects acknowledges that our work is in the US public domain, and uses CC0 to waive copyright internationally.
The default CONTRIBUTING file informs contributors that their contributions will be licensed under the same terms.
However, certain projects will require the usage of licensed open source software not created by 18F. Some open source licenses make source code available under different terms and conditions. These terms and conditions specify how the code may be used, modified, or shared. When users modify 18F code, they should review and understand the terms of the open source license in question.
Each project may need to modify or extend the above LICENSE and CONTRIBUTING files as needed for its own circumstances.
There is a misconception that FOSS that is distributed to the public should not be integrated or modified for use in sensitive systems. On the contrary, FOSS is often preferred for use in sensitive systems, due in part to its increased auditability. In other words, security in FOSS must be designed never to rely on obscurity in how the code works.
In addition, while open source licenses permit the user to modify FOSS for internal use without obligating them to distribute source code to the public, when the user chooses to distribute the modified FOSS outside the user’s organization, then the code is subject to whatever license it carries.
The only conditions where code shall not be developed and released in the open are:
These decisions will be made as needed by the 18F DevOps team, which will lead an interdisciplinary team to review the conditions under which code will not be made available publicly. Any further exemptions will be rare, documented publicly, and the result of compelling interest.
If an existing solution cannot be found in the open source community, 18F may consider other options, including creating an open source solution itself. Ultimately, the software that best meets the needs and mission of 18F should be used.
The IRS posted information on IRS.gov about Use of Federal Tax Information (FTI) in Open Source Software. Open source software is an attractive option for organizations looking to employ inexpensive or “free” solutions into their environments. This desire must be tempered by a thorough understanding of the pros and cons associated with the use of these applications. Using this information, organizations can make a risk-based decision as to whether or not they should use this type of software.
Open source software is ubiquitous and is relied upon by major organizations throughout the world. Organizations such as Linux Foundation, Apache Software Foundation and Mozilla develop open source software solutions that are considered the industry gold standard.
This software consists of or resides on everything from graphics cards and central processing units (CPU) to workstations, web browsers, web servers, server clusters, firewalls, routers, intrusion prevention systems and everything from smartphones to massive virtualized computing environments. Without open source software, it is possible that our current computing environment would not be nearly as mature as it is today.
One of the most highly touted reasons for using open source software is the fact that it may be inexpensive or “free.” One of the big questions regarding how this software can be provided at low or no cost is answered by understanding that these applications have several sources:
The reason for providing this background information is that it is important to understand the organization residing behind or supporting the continued development of the application under consideration. Depending on the application and the organization that stands behind it, there may be a tremendous amount of support for evaluating the software.
An example of this is OpenSSL. When the Heartbleed vulnerability was identified, developers immediately worked to assist with remediation efforts. Patches were available within 24 hours of the vulnerability being officially registered.
There are some areas of concern to consider regarding the use of open source software:
When deciding to procure open source software, IRS recommends that the agency pursue a conservative approach and seek organizations that will provide assurance that a secure development lifecycle is employed and that software support for the application being considered for use is available. This may include the use of a third-party vendor that specializes in supporting this application, but is separate from the primary development organization. As mentioned above, this may be required if direct support from the software developer is not an option.
Any agency considering the use of FTI in open source software must adhere to the following considerations:
This Department of Commerce (the Department) Source Code Policy is being issued to promote software code reuse by making custom-developed Federal source code available across the Department and to other Federal agencies. It supports the requirements of OMB Memorandum M-16-21, “Federal Source Code Policy: Achieving Efficiency, Transparency, and Innovation through Reusable and Open Source Software". This policy requires agencies to develop plans to release at least 20 percent of new custom-developed source code as Open Source Software (OSS) when commissioning new custom software.
The objectives of this policy are to:
This policy is effective immediately, applies to all projects that commission development of custom software within the Department to include all Operating Units, with the exception of software covered in Section 6 of OMB 16-21, as deemed appropriate by the Department Chief Information Officer. The requirements outlined herein do not apply retroactively (i.e., they do not require that existing custom-developed code be retroactively made available for Government-wide reuse or as OSS).
Source code developed for National Security Systems (NSS), as defined in 40 U.S.C. § 11103, is exempt from the requirements of this policy. For NSS, agencies shall follow applicable statutes, Executive Orders, directives, and internal agency policies.
Requests for exemptions from requirements of this policy must explain why compliance is unachievable and be approved in writing by the Department CIO or OU CIO. Exemptions from the policy may be requested when:
Agencies are required to perform various tasks in order to satisfy the objectives of the Federal Source Code Policy. Currently, agencies are evaluated on whether they've completed three tasks:
Agencies are evaluated as fully compliant (green), partially compliant (yellow), or non-compliant (red) with the tasks outlined above. An agency's overall compliance is green only if they are green in all categories.
Agency policy is being updated for consistency with the Federal Source Code Policy.
Agency has open sourced less than 10% of their custom developed code.
Agency has inventoried less than 50% of new custom code.
Agency policy is consistent with the Federal Source Code Policy.
Agency has open sourced less than 10% of their custom developed code.
Agency has inventoried less than 50% of new custom code.
Agency policy has not been reviewed for consistency with the Federal Source Code Policy.
Agency has open sourced less than 10% of their custom developed code.
Agency has inventoried less than 50% of new custom code.
Agency policy is consistent with the Federal Source Code Policy.
Agency has open sourced greater than 20% of their custom developed code.
Agency has inventoried less than 50% of new custom code.
Agency policy is consistent with the Federal Source Code Policy.
Agency has open sourced greater than 20% of their custom developed code.
Agency has inventoried 100% of new custom code.
Agency policy is consistent with the Federal Source Code Policy.
Agency has open sourced less than 10% of their custom developed code.
Agency has inventoried less than 50% of new custom code.
Agency policy is consistent with the Federal Source Code Policy.
Agency has open sourced less than 10% of their custom developed code.
Agency has inventoried less than 50% of new custom code.
Agency policy is consistent with the Federal Source Code Policy.
Agency has open sourced less than 10% of their custom developed code.
Agency has inventoried 100% of new custom code.
Agency policy has not been reviewed for consistency with the Federal Source Code Policy.
Agency has open sourced less than 10% of their custom developed code.
Agency has inventoried less than 50% of new custom code.
Agency policy is consistent with the Federal Source Code Policy.
Agency has open sourced less than 10% of their custom developed code.
Agency has inventoried less than 50% of new custom code.
Agency policy is consistent with the Federal Source Code Policy.
Agency has open sourced greater than 20% of their custom developed code.