State of Open Source
in the Federal Government
Jordan Kasper
@jakerella.bsky.social
Why me?
OSS contributor & maintainer since ~2008
Helped write the DoD's 2022 open source policy
Wrote the 2023 DHS open source policy
- Why Open Source?
- The Challenges
- The Policy
- The Reality
- The Possibilities
Open Source is good. [citation needed]
Reusability
Collaboration and Contribution
Security
Transparency
Cost *
For the people...
The Challenges
"OSS is insecure"
https://www.flickr.com/photos/thepreiserproject/"It's illegal"
https://undraw.co
"We paid for it, it's ours."
http://disney.wikia.com/wiki/Seagulls_(Finding_Nemo)Lack of Techincal Knowledge
http://www.doncio.navy.mil/CHIPS/ArticleDetails.aspx?ID=7076
Stagnation
https://commons.wikimedia.org/wiki/File:III-A-12.jpg
The Policy
Federal Source Code Policy (M-16-21)
Section 5: Open Source Software
- Pilot program to release 20% of gov code as OSS
(ended in 2019) -
Participation in the community
- Open development practices
- Community engagement
- Accepting code contributions
- Focus on documentation
Section 4: Goverment-Wide Code Reuse
- Data rights to share code
- Code inventory
Code.gov
Code.gov
Digital.gov
SHARE IT Act
congress.gov/bill/118th-congress/house-bill/9566
- Data rights to share code
- Goverment-wide code access and reuse
- Code inventory
DHS Inventory: dhs.gov/code.json
{
"agency": "DHS",
"releases": [
{
"name": "trustymail",
"contact": { ... },
"description": "Scan domains and return data based on trustworthy email best practices",
"homepageURL": "https://github.com/cisagov/trustymail",
"repositoryURL": "https://github.com/cisagov/trustymail.git",
"languages": [ "Python", "Shell", "Dockerfile" ],
"organization": "Cybersecurity and Infrastructure Security Agency",
"permissions": {
"licenses": [{ "name": "CC0-1.0" }]
},
"status": "Development",
"tags": [ ... ],
...
},
{ ... }
]
}EO 14144 (January 2025)
Strengthening and Promoting Innovation in the Nation's Cybersecurity
Section 2(e): CISA must create "recommendations to agencies on the use of security assessments and patching of open source software and best practices for contributing to open source software projects."
Agency Open Source Policies & Guidance
- Department of Homeland Security (DHS)
- Department of Defense (DoD)
- Center for Medicare & Medicaid Services (CMS)
- National Aeronautics & Space Administration (NASA)
- General Services Administration (GSA)
- Consumer Financial Protection Bureau (CFPB)
- Cybersecurity & Infrastructure Security Agency (CISA)
Unfortunately, most of these are focused only on publication and not consumtpion
The Reality
Is anyone actually sharing code?
https://government.github.com/community
Some Examples
How much is open?
😭
What about upstream OSS?
Government is (arguably) the largest consumer of OSS ...
... and might be the worst consumer of open source.
1. Selection
1. Selection
2. Consumption
2. Consumption
3. Contribution
3. Contribution
The Possibilities
Goal: Increase Open Source Publication
- Clear guidance on the process
- Build modular, reusable components
- Make it a contract requirement
- Enforce secure coding practices
Goal: Secure Government Systems
- Baseline OSS selection process
- Automate OSS scanning & approval
- Use mirrors
- Guidance on OSS updating
Goal: Support a Secure Ecosystem
- Contribute all security fixes upstream
- Cotnributions to OSS we rely on
- Grants for critical OSS infrastructure
- Be an active participant in the community
What can you do?
As a contractor...
As a federal employee...
As an indivudal...
Thank You!
State of Open Source
in the Federal Government
Jordan Kasper
jordankasper.com/oss-in-gov |
@jakerella.bsky.social
(This is not an endorsement of GitHub, I just like the Octocats.)