Policy

California Open Source Policy documents are outlined below.

California Department of Technology Letters

TL 18-02

DATE ISSUED: MAY 2018

SUBJECT: OPEN SOURCE AND CODE REUSE

REFERENCES: Government Code § 11545 and § 11546; State Administrative Manual (SAM) Sections 4819.2, 4984, 4984.1 and 4984.2; Technology Letter 10-01

BACKGROUND

The California Department of Technology (CDT) is committed to improving the way Agencies/state entities acquire, build, and deliver information technology (IT) solutions, to better support cost efficiency, effectiveness, and the public’s experience with government programs. Currently, when Agencies/state entities produce custom-developed source code, they do not make their new code broadly available for state government-wide reuse. These challenges have resulted in duplicative acquisitions for substantially similar code and the inefficient use of taxpayer dollars. Enhanced reuse of custom-developed code across state government can have significant benefits for taxpayers, including decreasing duplicative costs for the same code and reducing vendor lock-in. This policy seeks to address these challenges by ensuring new source code, which has been custom-developed by the State of California, be broadly available for reuse across state government in a consistent manner.

In January 2010, CDT’s predecessor organization, the Office of the Chief Information Officer (OCIO), permitted the use of Open Source Software (OSS) in state government. While the benefits of custom-developed code reuse are significant, additional benefits can accrue when custom-developed code is also made available to the public for inspection, improvement, and reuse as OSS. When possible, making source code available as OSS can enable continual improvement of state software development efforts as a result of a broader user community implementing the code for its own purposes and publishing improvements. This collaborative atmosphere can make it easier to conduct software peer review and security testing, to reuse existing solutions, and to share technical knowledge.

PURPOSE

The purpose of this Technology Letter (TL) is to announce:

  • New SAM Section 4984, which provides an overview of the Open Source and Code Reuse Policy.

  • New SAM Section 4984.1, which outlines Agency/state entity requirements for the Open Source and Code Reuse Policy.

  • New SAM Section 4984.2, which includes exceptions to the Open Source and Code Reuse Policy.

  • Updated SAM Section 4819.2, to include new definitions of “Code Repository”, “Custom Developed Code” and “Source Code” and a modified definition of “Open Source Software”.

  • Establishment of CDT’s public code repository, code.ca.gov, to host all new custom-developed open source code and related information and make this information available to all other Agencies/state entities.

  • Agencies/state entities shall use best practices to ensure custom-developed code, documentation, and other associated materials are delivered from developers throughout the software development lifecycle and made available for reuse across state government through code.ca.gov.

  • Agencies/state entities shall, whenever possible, make code custom-developed by the State of California available to the public as OSS, pursuant to the limited exceptions outlined in SAM Section 4984.2.

Source: 18-02 https://cdt.ca.gov/technology-letters/

California State Administrative Manual (SAM)

Open Source and Code Reuse Policy Introduction 4984

(New 05/2018)

The California Department of Technology (CDT) is committed to improving the way Agencies/state entities buy, build and deliver information technology (IT) and software solutions to better support cost efficiency, effectiveness, and public experience with government programs. Enhanced reuse of custom-developed code across state government can have significant benefits for taxpayers, including decreasing duplicative costs for the same code. To maintain previous investment(s) in IT software, Agencies/state entities shall make code custom-developed by the State of California broadly available for reuse across state government in a consistent manner. This policy is intended to avoid duplicative custom software investments and promote innovation and collaboration across state government while adequately addressing relevant statutory and policy requirements associated with State IT systems, including information security and risk management, privacy, legal issues, and other applicable requirements. The requirements outlined in this section apply to source code that is custom-developed by the State of California, subject to the limited exceptions outlined in SAM Section 4819.2.

Source: https://www.documents.dgs.ca.gov/sam/SamPrint/new/sam_master/sam_master_File/chap4900/4984.pdf

Open Source and Code Policy Requirements 4984.1

(New 05/2018)

As part of the Open Source and Code Reuse policy, each Agency/state entity shall:

  1. Evaluate, as part of the Project Approval Lifecycle alternatives analysis, existing state software solutions for all reportable and non-reportable IT projects. Alternatives analysis shall give preference to the use of existing state software solutions.

  2. If alternatives analysis concludes that existing state software solutions cannot efficiently and effectively meet the needs of the Agency/state entity, the Agency/state entity must explore whether its requirements can be satisfied with an appropriate commercially-available solution or open source solution.

  3. Use best practices to ensure custom-developed code, documentation, and other associated materials are delivered from developers throughout the software development lifecycle.

  4. Create and maintain an enterprise code inventory that includes all new State of California custom-developed code and related information and make this information available to all other Agencies/state entities on an ongoing basis. See code.ca.gov for additional information.

  5. Make custom-developed code broadly available for reuse across state government and make their code inventories discoverable through code.ca.gov, the California Department of Technology’s code repository, pursuant to the limited exceptions outlined in SAM Section 4984.2.

  6. Maintain and frequently update all custom-developed code available in the code repository to ensure code integrity.

  7. Whenever possible, secure the rights necessary to make code custom-developed by the State of California available to the public as OSS, pursuant to the limited exceptions outlined in SAM Section 4984.2. Each Agency/state entity’s Chief Information Officer (CIO), with consultation from the Agency/state entity’s Information Security Officer (ISO), is responsible for determining if the Agency/state entity’s custom-developed code will be shared with the public as Open Source Software (OSS) and controlling public access through the Department of Technology’s code repository. Agency/state entities must attribute Copyleft licenses (e.g. GPL v.3) to all custom-developed code made OSS to prohibit the creation of proprietary derivative software.

Source: https://www.documents.dgs.ca.gov/sam/SamPrint/new/sam_master/sam_master_File/chap4900/4984.1.pdf

Open Source and Code Policy exceptions 4984.2

(New 05/2018)

Nothing in SAM Section 4984 shall be construed to require Agencies/state entities to make custom-developed code available as Open Source, if, on the facts of the particular case, disclosure of that code would reveal vulnerabilities to, or otherwise increase the potential for an attack on, an information technology system of an Agency/state entity. The exceptions provided below may be applied, in specific instances, to exempt an Agency/state entity from sharing custom-developed code with other Agencies/state entities. Any exceptions used must be approved and documented in the enterprise code inventory by the Agency/state entity’s Chief Information Officer (CIO) for the purposes of ensuring effective oversight and management of information technology resources.

Applicable exceptions are as follows:

  1. The sharing of the source code is restricted by law or regulation, including—but not limited to—patent or intellectual property law, the Export Asset Regulations, the International Traffic in Arms Regulation, and the Federal laws and regulations governing classified information;

  2. The sharing of the source code would create an identifiable risk to the detriment of national security, confidentiality of Government information, or individual privacy;

  3. The sharing of the source code would create an identifiable risk to the stability, security, or integrity of the Agency/state entity’s systems or personnel;

  4. The sharing of the source code would create an identifiable risk to the Agency/state entity’s mission, programs, or operations.

Source: https://www.documents.dgs.ca.gov/sam/SamPrint/new/sam_master/sam_master_File/chap4900/4984.2.pdf

Resources