Open Source Introduction, Overview, and Strategy

Introduction

Open Source Software (OSS) is software that is freely licensed to the public to use, copy, study, and change in any way. The source code is openly shared to encourage people to voluntarily improve the design of the software. CMS has been an active supporter of OSS and, from the OSS consumption perspective, has used it on several IT projects. This chapter provides guidelines for CMS project teams that wish to use OSS libraries and packaged OSS for internal consumption or for development of new and custom software.

From the OSS production perspective, several CMS business units and offices have been actively releasing code as part of IT modernization projects. CMS has many active open source communities, such as BlueButton, Healthcare.gov Style Guide, and the MMIS Provider screening module on the Public CMS GitHub account. CMS has embraced OSS for development projects and is looking forward to releasing software to the open source community to promote its reuse.

CMS has launched its Open Source Software Policy that will guide IT Application Development Contractors that produce software for CMS’s mission-critical programs. The new policy is located at https://go.cms.gov/open-source-policy.

The new CMS policy is a living document, and changes to this policy would be handled via issues and pull requests in the CMS GitHub repository, https://github.com/CMSgov/cms-open-source-policy.

Scope

The guidance in this chapter is limited to using OSS within the CMS environment and does not address practices that are generally applicable to software engineering efforts. Moreover, the guidance complements and incorporates CMS’s existing policies, standards, and procedures, including those described in other parts of the CMS TRA, such as Network Services and Security Services. The TRB manages and approves the use of OSS in accordance with TRA guidance and its prescribed function within the CMS TLC.

Additional references used in this chapter:

https://en.wikipedia.org/wiki/Free_and_open-source_software

https://code.gov/#/policy-guide/policy/introduction

https://code.gov/#/policy-guide/docs/compliance/procurement

http://dodcio.defense.gov/Open-Source-Software-FAQ/

https://www.acquisition.gov/far/subpart-27.4

https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools

Open Source Software Overview

Open Source Software is computer software whose source code is developed in an open and collaborative way and made available (in a human-readable format) with a copyright license that complies with the Open Source Initiative's Open Source Definition (OSD). The Open Source Initiative (OSI) established the following criteria for OSS, all of which must be met to comply with OSD:

  • Software is free to be re-distributed
  • Source code is available with software
  • Derived work is allowed
  • Integrity of author’s source code is maintained
  • Contains no discrimination against persons or groups
  • Contains no discrimination against fields of endeavor
  • License must be distributed
  • License must not be specific to a product
  • License must not restrict other software
  • License must be technology neutral

The backbone of OSS is community sharing of ideas and collaborative development of code to serve a common purpose. Some of the key enablers of OSS development are version control systems, mailing lists, wikis, and blogs that help developers collaborate to develop code. Copyright licenses make the resulting software code available to users to use, change, and improve the software, and to redistribute it in modified or unmodified forms.

Types of Open Source Software

CMS is interested in two basic types of OSS: open source frameworks/libraries and open source solutions (CMS Open Source Software (OSS) Thoughts for a Strategy, CMS, March 2010). Open source frameworks/libraries are standalone pieces of code that may have dependencies on other software and are used or embedded as part of a larger software development effort. Examples include the Spring Framework and Apache Struts, both of which are open source application frameworks for Java development, and Hibernate and MyBatis, which are persistence frameworks that provide mappings between Structured Query Language databases and objects in Java.

Open source solutions are open source applications that may be part of a larger software distribution, can operate standalone, and serve a single function or set of functions. Open source solutions may come with vendor support. Examples include Linux, an open source operating system; Apache HTTP Server, an open source Web server; and Oracle GlassFish and Red Hat JBoss, open source application servers.

CMS uses open source frameworks and libraries and a small set of open source solutions. Since 2014, CMS has sought to expand its use of OSS to include additional open source solutions.

Benefits of Open Source Software within the CMS Environment

OSS provides many advantages, as demonstrated in the commercial industry and the government sector. If used thoughtfully, OSS offers the potential for cost reduction, timelier delivery, and improvement of the overall capabilities of a system. Specifically, OSS can:

  • Offer considerable savings in software purchasing cost and greater efficiency in repurposing and enhancing existing software

  • Minimize vendor lock-in through open standards and flexibility in the choice of solutions

  • Enable transparency of software implementation to support extension of software (through supported plug-in mechanisms) while also ensuring robustness of design and implementation

  • Increase the productivity of application development through open standards to help achieve interoperability across systems

  • Support open collaboration and innovation with the open source development community through free exchange of ideas and results with the wider community

  • Help keep the enterprise abreast of technology developments and facilitate the early adoption of emerging technology

CMS is committed to meeting the needs of its IT development community by optimizing best practices and creating innovative approaches for rigorously evaluating and enhancing existing software development processes. CMS incorporates OSS as part of its IT development practices to realize the many benefits and capabilities of OSS.

Considerations for Adoption of Open Source Software

Although there are tangible benefits to OSS, the process of realizing these benefits may significantly change how CMS uses IT. For example, adopting OSS alters the Agency’s development and acquisition of software and how the Agency’s IT departments conduct business.

A common misconception about OSS is that it is cost free. The nature of cost with OSS differs from commercially licensed software. Although licensing costs may be minimal to none, CMS must consider the total cost of ownership. One important contributor to OSS cost is the absence of a “productized” solution. Many OSS products do not offer comprehensive documentation, easy installation and upgrade of utilities, friendly migration tools, and Graphical User Interface (GUI) configuration tools. Therefore, operations and maintenance (O&M) can be complex and expensive for some OSS products. To overcome this gap, the enterprise adopting an OSS solution must possess the necessary skills or have access to third-party vendors who provide IT support services for that specific OSS solution.

Another key OSS consideration is managing the adoption of OSS within the enterprise. Free software and full access to the source code of OSS present unique challenges for the enterprise. Individuals might download and install OSS without sufficient oversight. Therefore, the enterprise must carefully manage open source adoption and assess OSS for use across the enterprise. Criteria for assessing solutions must include the open source software’s maturity, total cost of ownership, and licensing implications. CMS requires that OSS be managed to the same standard as COTS software. The business owner is responsible for performing due diligence.

The CMS Open Source Strategy

OMB Memorandum M-16-21, Federal Source Code Policy: Achieving Efficiency, Transparency, and Innovation through Reusable and Open Source Software, encourages the use and publication of open source in the federal government.

CMS uses open source frameworks and libraries and a small set of open source solutions. CMS has taken an incremental approach toward adopting OSS and plans to allow additional OSS products on a case-by-case basis. The TRB governs CMS’s adoption of OSS.

Using OSS

CMS focuses on OSS solutions that can be used “out of the box,” like a COTS product. This has two implications:

  • That there will be third-party vendor support for the OSS solution (e.g., to install, configure, integrate, operate, and maintain the software)

  • That the OSS solution will require no customization, extension, or modification

Contractors using open source frameworks and libraries are responsible for (a) ensuring that the OSS works properly within the CMS environment, and (b) ensuring that their staff is well versed in configuring and subsequently operating the software. One major consideration is that the OSS license for a package may encumber any modifications to the source code.

The contractor’s responsibility extends to monitoring the community behind the OSS product for new versions and patches, and support for older versions. Furthermore, contractors will monitor the community to ensure it continues to offer substantial support for the OSS product. The contractor should coordinate with the TRB to understand how and where CMS currently uses OSS, and to identify lessons learned from successful implementations and resolution of issues involving OSS. This knowledge will shape the contractor’s use of OSS and may also influence CMS’s policy regarding OSS.

The TRB is responsible for approval of OSS licenses. The TRB will rely on the guidance in this chapter to assess the potential adoption of and approval for specific OSS.

Open Source Software Extension or Correction for CMS Use

As CMS expands the adoption of OSS, it is possible that specific OSS will require extensions or customization for use within CMS’s environment. In some cases, the customization may be specific to CMS’s needs and remain internal to CMS. CMS should identify business rules and other guidance for managing OSS extension and customization for exclusive use within CMS.

Contribution of Open Source Software to the Community

CMS may consider release of internally developed software as open source, including software that is an extension to an existing OSS project or software that CMS may want to use to initiate a new OSS project. Appropriate considerations for developing and contributing OSS to the community include defining policies and processes to release software as open source, guidance for continued development, ground rules for engaging the larger community to contribute to the project, and assessment of alternative copyright licensing strategies.

Open Source Licensing

For CMS projects using OSS, each CMS business owner is responsible for assuring that CMS’s use of the open source software complies with its license. For a CMS-released OSS project, the CMS business owner is responsible for selecting an appropriate license model. In either case, the TRB is responsible for approval of OSS licenses.

Be aware of licensing issues and select a licensing model that takes into account the difference between “permissive” and “non-permissive” licenses, warranty/guarantee limitations, attribution, and trademark/IP protections, and their impact on the choice of license.

There are many open source copyright licenses, described in the Wikipedia Comparison of Free Software Licenses. The Open Source Initiative provides a list of OSI Approved Licenses. Another option is to place the software in the public domain, where there is no copyright of the software. Note that public domain status is not recognized in all countries, including the United States. Products developed by taxpayer funds may have additional copyright restrictions. In addition to obtaining TRB approval, the Office of General Counsel must review any proposed open source modification or creation.

A useful resource is Civic Commons’ Choosing a License.

OSS Consideration and Applicability

Project teams at CMS are requested to conduct market research and analyze commercial and other open source alternatives that may meet their business need before venturing into OSS development. To help make this decision, a project team may use the three-step software solution analysis outlined at Code.gov’s Building and Buying Custom Software, and supplemented by BR-OSS-2, BR-OSS-3, BR-OSS-4, and the CMS OSS Policy.

The CMS OSS Policy will guide project teams that venture into custom code development and intend to release it as OSS. If the project teams seek to release as OSS, they should schedule a consult with the Office of Acquisition & Grants Management (OAGM) to understand the contractual requirements, policies, and legal issues.

CMS contractors who develop software for CMS business use are covered by the procurement clauses that assign the copyright of the CMS-funded custom-designed software to CMS and prohibit the contractors from reselling it to other federal government agencies. Due to the variety of CMS IT and non-IT contracts, it is the project team’s responsibility to perform all due diligence for their specific contract in consultation with the OAGM.