GOVERNMENT IT REPORT

White House Opens More Doors for Open Source

The U.S. government is picking up the pace in its efforts to use open source software as much as possible. Federal CIO Tony Scott last month released details of a proposed policy designed to allow customized software created for one agency to be openly available to other government agencies as well.

Industry and government professionals may comment on the proposal by Monday.

“This policy will require new software developed specifically for, or by, the federal government to be made available for sharing and reuse across federal agencies. It also includes a pilot program that will result in a portion of that new, federally funded custom code being released to the public,” Scott said.

“Through this policy and pilot program, we can save taxpayer dollars by avoiding duplicative custom software purchases and promote innovation and collaboration across federal agencies. We will also enable the brightest minds inside and outside of government to review and improve our code, and work together to ensure that the code is secure, reliable, and effective in furthering our national objectives,” he said.

Scott revealed the proposal on behalf of the Office of Management and Budget in a notice last month in the Federal Register.

Missed Opportunities

All software created by federal employees as a government work is in the public domain and is not subject to U.S. copyright protection, according to OMB. However, software created on behalf of the government by third parties, such as private sector vendors, is subject to copyright protection. Third parties developed the majority of software solutions used in the federal government.

“When agencies procure custom-developed code, they are not always in a position to make their new code broadly available for federal governmentwide reuse. In some cases, agencies may have difficulty establishing under the terms of the contract that the software was produced in the performance of a federal government agreement,” OMB said in the proposal document.

Even when agencies are able to make their code available on a government-wide basis, “they do not routinely make their source code discoverable and usable to other agencies in a consistent manner,” OMB said. Such shortcomings can cause duplicate acquisitions for the same code and inefficient procurements.

The proposed policy is designed to address those issues to help ensure that new custom-developed federal source code is made broadly available for reuse across the federal government. The benefits of enhanced reuse of custom-developed code include reducing vendor lock-in, decreasing duplicative costs, increasing transparency and minimizing the challenges associated with integrating large blocks of code from multiple sources, OMB noted.

Revised Software Contracting

To take advantage of the benefits from the reuse of customized code, OMB proposed various changes in federal software contracting:

  • Developer materials: Federal agencies must require “delivery of the underlying custom source code, associated documentation, and related files from the third-party developer or vendor, including build instructions and, when applicable, software user guides, other associated documentation and automated test suites.”
  • Software rights: Agencies will be required to “secure unlimited rights to the custom source code, associated documentation and related files — which includes the rights to reproduction, reuse and distribution of the custom source code, associated documentation and related files across the federal government.” Covered agencies that enter into agreements for the development of software should require unlimited data rights in accordance with the policy.
  • Procurement: When seeking software solutions, agencies must analyze alternatives with a preference for using existing software where the government holds license rights or the ability to reuse. When an external source is required, preference must be given to commercial off-the-shelf offerings. Only after exhausting the prior options would agencies be allowed to proceed with a customized offering, in compliance with all other aspects of the policy.

The proposal also includes a pilot program in which each covered agency will be required to release at least 20 percent of its newly developed custom code each year as OSS. Custom code is defined as code for all custom software projects, modules and add-ons that are self-contained.

Change for Vendors

“The open source and code sharing will likely be hosted in cloud environments to facilitate cooperation and reuse, which will increase familiarity and access for agencies. The approach could also have an interesting byproduct effect of increasing code quality and security as more people scrutinize the work products,” said Katell Thielemann, a research director at Gartner.

“Having a process to ensure code is secure will be absolutely necessary to fulfill one intent of the policy, which is to share a portion of the code developed for the government with the general public,” she told the E-Commerce Times.

While the OMB proposal is still in process, the General Services Administration has implemented a contract that follows a similar philosophy. A governmentwide US$503 million blanket purchase agreement for implementation of Salesforce services expects sharing of modules developed for one agency to be made available to others, Thielemann noted.

The OMB proposal is a natural development of an “arc of change” in federal IT management and procurement, she said, as agencies gradually move toward more flexible and agile operations. As a result, vendors are re-evaluating their place in the market.

“The more that commercial off the shelf and code sharing will occur, the less labor hours to develop things from scratch are needed. The more bite-size developments become, the more important it becomes for vendors to be agile and responsive, rather than completely focused on scale,” Thielemann said.

“This trend is leading some federal vendors to productize their own offerings. Most realize they now have to partner much more aggressively with commercial and digital native companies, and many are also revisiting their business models to see if they can sell outcomes and as-a-service offerings rather than continue battling on labor hour rate prices and overheads,” she said.

“As the market evolves, federal vendors are adapting,” Thielemann added.

The Federal Buzz

New Group Targets Cyber Issues: A group of major companies has established an organization that will focus on collaboration with federal policymakers in dealing with various aspects of cybersecurity.

Founding members of the Coalition for Cybersecurity Policy and Law include Arbor Networks, Cisco, Intel, Microsoft, Oracle, Rapid7 and Symantec.

“The range of digital threats we face has never been greater, including criminal syndicates and state-sponsored attacks, and this coalition will serve as the voice of the industry as we work with policymakers to develop the most effective responses to those threats,” said Ari Schwartz, who will serve as coordinator for the group.

He is managing director of cybersecurity services at Venable and will retain that post while serving the coalition. He is a former member of the White House National Security Council.

While the IT industry in general does not lack for representation through various vehicles, coalition members “felt that the trade associations and others that work on security issues do so from the point of view of the technology industry, another particular critical infrastructure industry, or a cross-sector viewpoint. There is no voice that just represents companies with expertise specifically in cybersecurity,” he told the E-Commerce Times.

Industry and Government Cyber Session: The National Institute of Standards and Technology this week is conducting a workshop on the agency’s cybersecurity framework. The meeting will focus on assessing and updating the framework, which addresses cyber-risks and standards associated with critical infrastructure in both the public and private sectors.

John K. Higgins is a career business writer, with broad experience for a major publisher in a wide range of topics including energy, finance, environment and government policy. In his current freelance role, he reports mainly on government information technology issues for ECT News Network.
