6. Implementation
The Federal Information Technology Acquisitions Reform Act (FITARA)39 creates clear responsibilities for agency CIOs related to IT investments and planning as well as requiring that agency CIOs be involved in the IT acquisition process. OMB’s FITARA implementation guidance—M-15-14: Management and Oversight of Federal Information Technology40—established a “common baseline” for roles, responsibilities, and authorities of the agency CIO and the roles of other applicable Senior Agency Officials41 in managing IT as a strategic resource. Accordingly, the heads of covered agencies must ensure that CIOs are positioned with the responsibility and authority necessary to implement the requirements of this policy in coordination with other Senior Agency Officials. As appropriate, the CIO should also work with the agency’s public affairs staff, open government staff, web manager or digital strategist, program owners and other leadership, to properly identify, publish, and work with communities concerning their open source software projects.
Project Open Source
Within 90 days of the publication date of this policy, the Administration will launch Project Open Source,42 an online repository of tools, best practices, and schemas to help covered agencies implement this guidance. Project Open Source will be accessible at https://project-open-source.cio.gov. Project Open Source will evolve over time as a community resource to facilitate the adoption of good custom source code development and release practices. Guidance and language on open source licenses will be provided as part of Project Open Source. The repository will include further definitions, evaluation metrics, checklists, case studies, model contract language and more, and will enable collaboration across the Federal Government in partnership with the public.
Code Repositories
Accessible repositories for the storage, discussion, and modification of custom code are a critical portion of both the Government-wide reuse and OSS pilot program portions of this policy. Covered agencies should utilize existing code repositories and common third-party repository platforms as necessary to comply with this policy.43 Project Open Source will contain additional guidance on using custom code repositories as related to achieving the objectives of this policy.
Code Inventories and Discovery
Code inventories are a means of discovering information such as the functionality and location of potentially reusable or releasable custom code repositories. Within 90 days of the publication date of this policy, each covered agency must update, and thereafter keep up to date, its inventory of agency information resources (as required by OMB Circular A-130)44 to include an enterprise code inventory that lists all custom code developed for or by the agency after the publication date of this policy. The enterprise code inventory is not intended to house the custom code itself; rather, it is intended to serve as a tool for discovering custom code that may be available for Government-wide reuse or as OSS, and to provide transparency into custom software code that is developed using Federal funds. The inventory will indicate whether the code is available for Federal reuse, is available publicly as OSS, or cannot be made available due to a specific exception from this policy.
Covered agencies must describe projects within the inventory using extensible metadata that will be described in an inventory schema on Project Open Source. OMB will provide this inventory schema to covered agencies within 60 days of the publication date of this policy. Within 120 days of the publication of this policy, OMB will identify a suitable central location to make the reported OSS searchable and discoverable for agencies and the public. Please refer to Project Open Source for best practices, tools, and schema to implement the enterprise code inventory and harvestable files.
Updated TechFAR Guidance
OMB’s Office of Federal Procurement Policy (OFPP) and the U.S. Digital Service (USDS) will update the TechFAR Handbook45 to highlight how agencies can go about securing Federal reuse rights and open source licenses as part of their acquisitions processes.
Agency Policy
Within 90 days of the publication date of this policy, each covered agency CIO must develop an agency-wide policy that addresses the requirements of this memo. In accordance with OMB guidance,46 these policies will be posted publicly. Moreover, within 90 days of the publication date of this policy, each covered agency’s CIO office must work to correct or amend any policies that are inconsistent with the requirements of this memo, including the correction of policies that automatically treat OSS as noncommercial software.
Accountability Mechanisms
Progress on agency implementation of the actions required in this policy will be primarily assessed by OMB through analysis of each covered agency’s internal Government repositories, public OSS repositories, and code inventories, as well as data obtained through the quarterly Integrated Data Collection (IDC), quarterly PortfolioStat sessions, the IT Dashboard, and additional mechanisms to be provided via Project Open Source.47
Exceptions to Government-wide Reuse or to Publication
The exceptions provided below may be applied, in specific instances, to exempt a covered agency from (1) sharing custom code with other Government agencies, or (2) publicly releasing custom code that is developed by covered agency employees. Any exceptions used must be approved and documented by the agency’s CIO. Please note that the exceptions below do not exempt a covered agency from acquiring unlimited data rights in newly procured custom code. Moreover, these exceptions do not apply in calculating a covered agency’s codebase for purposes of the OSS pilot program; but covered agencies should, as part of their internal 20 percent of custom code selection process, refrain from selecting code that would fit any of the characteristics listed below. In the event that a covered agency’s CIO believes that the agency cannot meet the 20 percent requirement of the OSS pilot program because the agency is otherwise prohibited from releasing more than 80 percent of its code, the CIO should consult with OMB.
Applicable exceptions are as follows:
- The release of the item is restricted by another statute or regulation, such as the Export Administration Regulations, the International Traffic in Arms Regulation, or the laws and regulations governing classified information;
- The release of the item would compromise national security, confidentiality, or individual privacy;
- The release of the item would create an identifiable risk to the stability, security, or integrity of the agency’s systems or personnel;
- The release of the item would compromise agency mission, programs, or operations; or
- The CIO believes it is in the national interest to exempt publicly releasing the work.
OMB expects exceptions to be rare and the result of a significant Government interest. Excepted software must still be listed in the agency’s enterprise code inventory, with certain redactions allowed. Please refer to Project Open Source for additional guidance on this topic. This memorandum is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.
Footnotes
- 39 See P.L. 113-291, Subtitle D (https://www.congress.gov/113/plaws/publ291/PLAW-113publ291.pdf#page=148)
- 40 See https://www.whitehouse.gov/sites/default/files/omb/memoranda/2015/m-15-14.pdf
- 41 Senior Agency Officials include positions that may include the Chief Acquisition Officer, Chief Operating Officer, Chief Financial Officer, Chief Acquisitions Officer, Chief Technology Officer, Chief Data Officer, Senior Agency Official for Privacy, Chief Information Security Officer, and Program Manager.
- 42 Project Open Source will be modeled off of the successful Project Open Data platform that facilitates implementation of the Open Data Policy. See https://project-open-data.cio.gov/.
- 43 Covered agencies should ensure access to these services. See OMB Memorandum M-10-23 (Guidance for Agency Use of Third-Party Websites and Applications).
- 44 See OMB Circular A-130, Transmittal Memorandum No. 4, section 8(b)(2)(a).
- 45 See https://playbook.cio.gov/techfar/
- 46 See M-15-14 at https://www.whitehouse.gov/sites/default/files/omb/memoranda/2015/m-15-14.pdf (requiring that IT policies be posted publicly at https://[agency].gov/digitalstrategy, and included as a downloadable dataset in the agency’s Public Data Listing).
- 47 See https://itdashboard.gov/