Why me?
OSS contributor & maintainer since ~2008
Helped write the DoD's 2022 open source policy
Wrote the 2023 DHS open source policy
SW engineer, split time between private industry and public sector, joined USDS 2017
Why Open Source?
The Challenges
The Policy
The Reality
The Possibilities
This is our agenda -- MENTION which areas may be shorter (OSS is good?)
Open Source is good. [citation needed]
Reusability
build once, use anywhere... but also requires a lot of the other aspects of OSS
Collaboration and Contribution
"group mindset" to catch issues a solo dev might not
Security
OSS is secure, and often more secure than closed source projects
Transparency
without this, we don't get collaboration and we don't get security
Cost *
Asterisk here because while TCO may be lower, it is not zero-cost
For the people...
the people's taxes pay for all gov systems, so that code is for you
https://www.flickr.com/photos/thepreiserproject/
most common argument against OSS from gov, but mostly because we don't consume it well
"It's illegal"
https://undraw.co
Not a joke, some people in gov think both using AND publishing is illegal
http://disney.wikia.com/wiki/Seagulls_(Finding_Nemo)
inane argument... the people paid for it, code belongs to them
Lack of Techincal Knowledge
http://www.doncio.navy.mil/CHIPS/ArticleDetails.aspx?ID=7076
Grace Hopper was an exceptional computer scientist, but we've lost that tech knowledge
Stagnation
https://commons.wikimedia.org/wiki/File:III-A-12.jpg
both in the code and the people
"M" for memo (from OMB), "16" for 2016, "21" sequential identifier
Section 5: Open Source Software
Pilot program to release 20% of gov code as OSS
Participation in the community
Open development practices
Community engagement
Accepting code contributions
Focus on documentation
What does 20% mean here? LoC? Projects? Files?
Section 4: Goverment-Wide Code Reuse
Data rights to share code
Code inventory
Data rights were critical for gov to open source its code
Code.gov
Liaison for OSS in fed gov, tracked progress of all agencies
Code.gov
Digital.gov
Most guidance still exists on digital.gov, but no more agency tracking or liaising
SHARE IT Act
congress.gov/bill/118th-congress/house-bill/9566
Data rights to share code
Goverment-wide code access and reuse
Code inventory
There's executive policy, but then there's law; passed in 2024
{
"agency" "DHS" "releases" "name" "trustymail" "contact" "description" "Scan domains and return data based on trustworthy email best practices" "homepageURL" "https://github.com/cisagov/trustymail" "repositoryURL" "https://github.com/cisagov/trustymail.git" "languages" "Python" "Shell" "Dockerfile" "organization" "Cybersecurity and Infrastructure Security Agency" "permissions" "licenses" "name" "CC0-1.0" "status" "Development" "tags"
One example of a project, note that this one is OSS which you can see from license
EO 14144 (January 2025)
Section 2(c) (was 2(e)):best practices for contributing to open source software projects ."
"EO" is executive order, this one was revised recently, but still in effect
Agency Open Source Policies & Guidance
Unfortunately, most of these are focused only on publication and not consumption
Not a complete list, but many agency policies and guidance are only internally published
Is anyone actually sharing code?
This site (government.github.com) has a ton of world-wide public sector entities publishing OSS now
Is anyone actually sharing code?
"US Federal" is just one section, but with 164 orgs!
Some Examples
SE Linux: developed by NSA, open sourced in 2000
What about upstream OSS?
Government is (arguably) the largest consumer of OSS ...
... and might be the worst consumer of open source.
Fed Gov spends over $100 billion on IT & cyber systems
What's the process for using OSS in gov?
1. Selection
How we decide to use a piece of OSS, what are the criteria?
1. Selection
No standardized process, frequently ignore warning signs (stale repos, no velocity, single contributor, etc)
2. Consumption
How do we pull dependencies into our build process? How do we ensure we do so safely?
2. Consumption
No standardized process, limited use of mirrors, often a "one and done" situation
3. Contribution
When we find bugs or vulns in OSS, what do we do? What about when we need new features?
3. Contribution
No standardized process, blockers from legal, security, privacy (remember "Challenges")
The Possibilities
Reminder: these views are my own!
Goal: Increase Open Source Publication
Clear guidance on the process
Build modular, reusable components
Make it a contract requirement
Enforce secure coding practices
Contracts: forcing a company to START from an open source approach will force them to think twice about their bad practices
Goal: Secure Government Systems
Baseline OSS selection process
Automate OSS scanning & approval
Use mirrors
Guidance on OSS updating
guidance needs to be cross-agency! CISA will be doing some of this based on EO 14144
Goal: Support a Secure Ecosystem
Contribute all security fixes upstream
Cotnributions to OSS we rely on
Grants for critical OSS infrastructure
Be an active participant in the community
Upstream security fixes need to be required in gov contracts
What can you do?
As a contractor...
Do better. Do this on your own. You don't need specific contract terms to do it!
As a federal employee...
push for open-by-default practices and better IT contracts!
As a private indivudal...
contribute to gov OSS!
State of Open Sourcein the Federal Government
Jordan Kasper
@jakerella.bsky.social
https://undraw.co
http://www.doncio.navy.mil/CHIPS/ArticleDetails.aspx?ID=7076
https://commons.wikimedia.org/wiki/File:III-A-12.jpg
