DOD pushes back on open source

The Government Accountability Office wants the Department of Defense to implement governmentwide open source software requirements, but the Pentagon's top tech official has other plans.

The Department of Defense pushed back on an oversight report urging the launch of an open source pilot program in keeping with Office of Management and Budget requirements and mandated in the 2018 National Defense Authorization Act.

A Sept. 10 report from the Government Accountability Office found that DOD had not issued an open source policy and had only partially implemented other requirements, including analyzing its use of open source and securing data rights. OMB released its open source policy in 2016 with the goal of giving the government more sharable, reusable code and curtailing the practice of licensing the same proprietary code over and over again.

DOD said it plans to release a policy, conduct an analysis, and update the existing open source software memo by the end of 2019, but it has no plans to release 20% of its custom code as open source software, as urged by GAO.

DOD CIO Dana Deasy said in reply comments that he does not believe the open source pilot program "is implementable…as proposed" and noted that most of DOD's custom software "is created for weapons systems like the F-35 and the F-22, and as such, release of such source code is sensitive for national security reasons." Deasy said that because of these limitations, "it's unclear that 20% of the Department's custom code is releasable at all."

Deasy was more open to other recommendations from GAO, including a plan to develop metrics to measure the percentage of source code that is released by DOD, setting milestones for meeting certain OMB open source requirements, and facilitating an open source software community.

DOD has existing policies for open source code, including a 2009 memo defining open source and provisions in the 5000 series that manages the Defense Acquisition System, but GAO said in its report that those guidelines are outdated and don’t comply with OMB’s requirements.

DOD hasn’t enforced requirements for components to secure data rights and completely document source code. Deasy said that DOD is in the process of developing a custom code policy that includes plans for a custom software inventory "and additional guidance" on open source software. That guidance is expected to be issued by the end of the year.

This article first appeared on FCW, a partner site to Defense Systems.