IN PROGRESS: This section is in the early planning stages and is subject to change. Stay tuned for details.


The SAM 'Open Source and Code Policy exceptions 4984.2' identifies certain security exemptions to the state open source policy:

Nothing in SAM Section 4984 shall be construed to require Agencies/state entities to make custom developed-code available as Open Source, if, on the facts of the particular case, disclosure of that code would reveal vulnerabilities to, or otherwise increase the potential for an attack on, an information technology system of an Agency/state entity. The exceptions provided below may be applied, in specific instances, to exempt an Agency/state entity from sharing custom-developed code with other Agencies/state entities. Any exceptions used must be approved and documented in the enterprise code inventory by the Agency/state entity’s Chief Information Officer (CIO) for the purposes of ensuring effective oversight and management of information technology resources.

Applicable exceptions are as follows:

  1. The sharing of the source code is restricted by law or regulation, including—but not limited to—patent or intellectual property law, the Export Asset Regulations, the International Traffic in Arms Regulation, and the Federal laws and regulations governing classified information;

  2. The sharing of the source code would create an identifiable risk to the detriment of national security, confidentiality of Government information, or individual privacy;

  3. The sharing of the source code would create an identifiable risk to the stability, security, or integrity of the Agency/state entity’s systems or personnel;

  4. The sharing of the source code would create an identifiable risk to the Agency/state entity’s mission, programs, or operations.

Security risk review

As indicated in the 'Licensing' section of the playbook:

Consult with the Agency CIO and Information Security Officer to determine if there are any identifiable security risks according to SAM 4984.2. If the Agency determines that the code will not be publicly released as open source, the particular risks identified must be logged in the code inventory.

Two-factor authentication

Two-factor authentication is recommended for all members of official California state government GitHub organizations and repositories.