Government Open Source FAQ

The federal government is beginning to demonstrate a greater awareness of and interest in open source software, but confusion about acquisition and licensing still persists. This page provides links to federal content that answers some of the most common questions about using open source software in the federal enterprise.

Is Open Source Software (OSS) considered to be "Commercial Software"?

For the purposes of government procurement, OSS is considered to be commercial software in most cases.

Are government agencies using OSS?

An emphatic yes. Whitehouse.gov is built around Drupal, an open source Content Management System (CMS). The State Department maintains online content for numerous diplomatic missions around the world using Drupal, Wordpress, and other open source applications. And the Department of Defense is using open source to develop its own applications on Forge.mil (login required).

Does OSS meet federal security mandates and guidelines?

Generally speaking, OSS is not guaranteed to be any more secure or compliant to federal standards than any commercial off-the-shelf software (COTS). However, the scrutiny associated with published source code and peer review encourages a healthy environment for high security assurance standards. (For example, OpenFISMA's security philosophy and defense designs are publicly documented.)

Publication of source code also allows for white box penetration testing -- security evaluations in which the evaluator understands the design and implementation of the system under test. Closed source programs, on the other hand, are more difficult to test because their design is closed and their implementation is hidden; such programs must be treated as a black box.

OpenFISMA includes native implementations of most of the common application-level security controls described in the NIST 800-53 Security Control Catalog, which reduces the burden on federal agencies to Certify and Accredit the OpenFISMA application within their own agencies.

Is OSS free?

Not necessarily. OSS is considered "free" in the sense of "free speech", not "zero cost". In other words, as a user you are allowed to read and modify the source code to the application which you are using, but vendors will in some cases still charge licensing fees. There are many examples of for-profit business models which are based on open source software, such as RedHat, MySQL AB (acquired by Oracle), etc.

In addition to licensing fees, all software (and indeed, all goods) has a cost of ownership. The total cost of ownership (TCO) is based on many factors, but is predominantly determined by the cost and complexity of deploying, operating, and maintaining the software. OSS tends to drive down TCO because of the community of expertise that grows up around good products and the adoption of open standards that facilitate interoperability and portability. These effects result in reduced vendor lock-in and greater competition for systems integration projects.

Does OSS conflict with the need for confidentiality?

Yes and no. Some licenses require end users to distribute their own changes to the source code, which may create conflicts of interest for organizations deploying sensitive or confidential information systems. There are licenses in common use, however, that allow organizations to modify software for internal use without any requirement to distribute their modified source code. Therefore, open source software can be used in confidential information systems under the right circumstances.

References:

The Defense Information Systems Agency (DISA) has put together one of the best go-to references for open source software in government. "Frequently Asked Questions About Copyright And Computer Software: Issues Affecting The U.S. Government With Special Emphasis On Open Source Software".

The CIO of the Department of Defense also released a memorandum clarifying the federal and DOD policies applicable to federal acquisition and usage of open source software.