Open Source Software (OSS) Policy | Policy | GSA Open …

GSA Instructional Letter

01/14/2019

The purpose of this Order is to review GSAs policy on open source software development and publication, and to communicate responsibilities to the agency for compliance with OMBs open source policy. Specifically, the Order outlines requirements for implementing open source code produced by and/or for the agency in accordance with OMB Memorandum M-16-21, Federal Source Code Policy: Achieving Efficiency, Transparency, and Innovation through Reusable and Open Source Software, dated August 8, 2016.

The Office of GSA IT has taken an open-first approach to data, application programming interface, and source code. Specifically, GSA IT developed an Open Source Working Group, with representation from multiple technology program offices, tasked with identifying processes for publishing open source code. At approximately the same time, OMB published OMB Memorandum M-16-21. The release of this memorandum prioritized the creation of an agency-wide process of releasing open source code.

This Order supersedes and cancels CIO IL-16-03, GSA Open Source Software (OSS) Policy, dated November 3, 2016.

a. Requires organizations to account for and publish their open source code in accordance with M-16-21.

b. New code developed after August 8, 2016 must use JavaScript Object Notation (JSON) format with metadata, and be published on gsa.gov/code.json.

c. Contract requirements must follow OMBs software analysis outlined in M-16-21.

d. Incorporates discussion of GSAs Open Source Working Group, which was created to identify a process for publishing open source code. This process and all guidance pertaining to GSA open source code can be found at https://open.gsa.gov. The Open Source Working Group will update and maintain all guidance and implementation instructions pertaining to this Order on this site.

e. Ensures a standard, secure open source code development pipeline is in place.

a. This Order applies to all GSA Services, Staff Offices, and Regional components.

b. This Order applies to the Office of Inspector General (OIG) only to the extent that the OIG determines it is consistent with the OIGs independent authority under the IG Act and it does not conflict with other OIG policies or the OIG mission.

c. This Order applies to the Civilian Board of Contract Appeals (CBCA) only to the extent that the CBCA determines it is consistent with the CBCAs independent authority under the Contract Disputes Act and other authorities and it does not conflict with the CBCAs policies or the CBCA mission.

This Order requires GSA organizations to account for and publish their open source code in accordance with OMB Memorandum M-16-21 and:

a. Promotes GSAs vision of being open through development and acquisition practices;

b. Promotes a posture of being open first by requiring new custom code to be released as a Minimum Viable Product (MVP), engaging the public before releasing, and drawing upon the publics knowledge to improve the project. Justification will be required for new custom code that does not follow these guidelines;

c. Incorporates GSAs Open Source Implementation guidelines and Open Source Checklist to ensure the proper considerations are made before going live with a public software project;

d. Requires that a standard, secure open source code development pipeline process be in place at GSA that all organizations will follow. This process can be accomplished multiple ways, such as performing automated code scanning or code reviews. The Open Source Working Group will establish the pipeline process and publish it at https://open.gsa.gov;

e. Adheres to releasing open source code through a public-facing software version control platform, including code developed by GSA personnel and contractors. Guidance on releasing open source code can be found at https://open.gsa.gov;

f. Implements OMBs three-step software analysis outlined in M-16-21. Specific contract requirements will be developed through collaboration between GSAs Chief Procurement Officer and the Open Source Working Group and will be subsequently communicated to the agency; and

g. Requires that a metadata file be included in each projects source code repository. The metadata file will contain information about the project that can be included in GSAs code inventory. See https://open.gsa.gov for details.

a. GSAs Chief Technology Officer (CTO) is responsible for establishing an internal policy that incorporates M-16-21 requirements and publishing it on http://www.gsa.gov/digitalstrategy. Additionally, the CTO is responsible for running the Open Source Working Group that creates the guidance and implementation instructions as needed to implement this policy. All guidance and other instructions for this initiative is available on https://open.gsa.gov.

b. The CTO is responsible for identifying a standard Version Control System. GSA Service and Staff Offices (Project teams) are responsible for moving to the standard Version Control System. The standard Version Control System and guidance related to it is found on https://open.gsa.gov.

c. GSA Service and Staff Offices (Project teams) are responsible for being open first by requiring new custom code to be released as a MVP, engaging the public before releasing, and drawing upon the publics knowledge to improve the project. Project teams will utilize existing processes such as the Authority to Operate Impact Analysis to determine the applications level of strategic importance in terms of Integrity, confidentiality and availability. Project teams should also consider the business value that open sourcing all or part of the code base provides towards meeting the objectives of the program. Sufficient justification will be required for new custom code that does not follow these guidelines. For guidance, see https://open.gsa.gov.

d. GSA Service and Staff Offices (Project teams) are responsible for inventorying all new code developed after August 8, 2016 using a standard JSON file format with metadata criteria established by OMB. Guidance on how to meet this requirement is available on https://open.gsa.gov under Inventory Inclusion.

e. GSA Service and Staff Offices (Project teams) are responsible for publishing all new open source code, barring sufficient justification as outlined in 7.c.. Publishing all new code as open source allows GSA to exceed OMBs goal that 20% of code be published as open source.

f. GSA Service and Staff Offices (Project teams) are responsible for publishing the inventory JSON on http://www.gsa.gov/code.json. Guidance on how to meet this requirement is provided on https://open.gsa.gov.

Excerpt from:
Open Source Software (OSS) Policy | Policy | GSA Open ...