GSA Instructional Letter

01/14/2019


1. Purpose

The purpose of this Order is to review GSA’s policy on open source software development and publication, and to communicate responsibilities to the agency for compliance with OMB’s open source policy. Specifically, the Order outlines requirements for implementing open source code produced by and/or for the agency in accordance with OMB Memorandum M-16-21, Federal Source Code Policy: Achieving Efficiency, Transparency, and Innovation through Reusable and Open Source Software, dated August 8, 2016.


2. Background

The Office of GSA IT has taken an open-first approach to data, application programming interface, and source code. Specifically, GSA IT developed an Open Source Working Group, with representation from multiple technology program offices, tasked with identifying processes for publishing open source code. At approximately the same time, OMB published OMB Memorandum M-16-21. The release of this memorandum prioritized the creation of an agency-wide process of releasing open source code.


3. Cancellation

This Order supersedes and cancels CIO IL-16-03, GSA Open Source Software (OSS) Policy, dated November 3, 2016.


4. Explanation of Changes

a. Requires organizations to account for and publish their open source code in accordance with M-16-21.

b. New code developed after August 8, 2016 must use JavaScript Object Notation (JSON) format with metadata, and be published on gsa.gov/code.json.

c. Contract requirements must follow OMB’s software analysis outlined in M-16-21.

d. Incorporates discussion of GSA’s Open Source Working Group, which was created to identify a process for publishing open source code. This process and all guidance pertaining to GSA open source code can be found at https://open.gsa.gov. The Open Source Working Group will update and maintain all guidance and implementation instructions pertaining to this Order on this site.

e. Ensures a standard, secure open source code development pipeline is in place.


5. Applicability

a. This Order applies to all GSA Services, Staff Offices, and Regional components.

b. This Order applies to the Office of Inspector General (OIG) only to the extent that the OIG determines it is consistent with the OIG’s independent authority under the IG Act and it does not conflict with other OIG policies or the OIG mission.

c. This Order applies to the Civilian Board of Contract Appeals (CBCA) only to the extent that the CBCA determines it is consistent with the CBCA’s independent authority under the Contract Disputes Act and other authorities and it does not conflict with the CBCA’s policies or the CBCA mission.


6. Policy

This Order requires GSA organizations to account for and publish their open source code in accordance with OMB Memorandum M-16-21 and:

a. Promotes GSA’s vision of “being open” through development and acquisition practices;

b. Promotes a posture of being “open first” by requiring new custom code to be released as a Minimum Viable Product (MVP), engaging the public before releasing, and drawing upon the public’s knowledge to improve the project. Justification will be required for new custom code that does not follow these guidelines;

c. Incorporates GSA’s Open Source Implementation guidelines and Open Source Checklist to ensure the proper considerations are made before going live with a public software project;

d. Requires that a standard, secure open source code development pipeline process be in place at GSA that all organizations will follow. This process can be accomplished multiple ways, such as performing automated code scanning or code reviews. The Open Source Working Group will establish the pipeline process and publish it at https://open.gsa.gov;

e. Adheres to releasing open source code through a public-facing software version control platform, including code developed by GSA personnel and contractors. Guidance on releasing open source code can be found at https://open.gsa.gov;

f. Implements OMB’s three-step software analysis outlined in M-16-21. Specific contract requirements will be developed through collaboration between GSA’s Chief Procurement Officer and the Open Source Working Group and will be subsequently communicated to the agency; and

g. Requires that a metadata file be included in each project’s source code repository. The metadata file will contain information about the project that can be included in GSA’s code inventory. See https://open.gsa.gov for details.


7. Responsibilities

a. GSA’s Chief Technology Officer (CTO) is responsible for establishing an internal policy that incorporates M-16-21 requirements and publishing it on www.gsa.gov/digitalstrategy. Additionally, the CTO is responsible for running the Open Source Working Group that creates the guidance and implementation instructions as needed to implement this policy. All guidance and other instructions for this initiative is available on https://open.gsa.gov.

b. The CTO is responsible for identifying a standard Version Control System. GSA Service and Staff Offices (Project teams) are responsible for moving to the standard Version Control System. The standard Version Control System and guidance related to it is found on https://open.gsa.gov.

c. GSA Service and Staff Offices (Project teams) are responsible for being “open first” by requiring new custom code to be released as a MVP, engaging the public before releasing, and drawing upon the public’s knowledge to improve the project. Project teams will utilize existing processes such as the Authority to Operate Impact Analysis to determine the application’s level of strategic importance in terms of Integrity, confidentiality and availability. Project teams should also consider the business value that open sourcing all or part of the code base provides towards meeting the objectives of the program. Sufficient justification will be required for new custom code that does not follow these guidelines. For guidance, see https://open.gsa.gov.

d. GSA Service and Staff Offices (Project teams) are responsible for inventorying all new code developed after August 8, 2016 using a standard JSON file format with metadata criteria established by OMB. Guidance on how to meet this requirement is available on https://open.gsa.gov under “Inventory Inclusion”.

e. GSA Service and Staff Offices (Project teams) are responsible for publishing all new open source code, barring sufficient justification as outlined in 7.c.. Publishing all new code as open source allows GSA to exceed OMB’s goal that 20% of code be published as open source.

f. GSA Service and Staff Offices (Project teams) are responsible for publishing the inventory JSON on www.gsa.gov/code.json. Guidance on how to meet this requirement is provided on https://open.gsa.gov.


8. Signature

DAVID SHIVE
Chief Information Officer
Office of GSA IT