The Department of Defense’s congressionally mandated efforts to create an open source software program aren’t going so well.
DOD must release at least 20 percent of its custom software as open source through a pilot required by a 2016 Office of Management and Budget directive and the 2018 National Defense Authorization Act. Open source software, OMB says, can encourage collaboration, “reduce costs, streamline development, apply uniform standards, and ensure consistency in creating and delivering information.”
DOD was required to fully launch its pilot by mid-2018. But, according to a new Government Accountability Office audit, the DOD is only partially there more than a year later, and it has yet to even release 10 percent of its custom software as open source, as of July.
While the department has not yet determined when the pilot will be fully implemented, CIO Dana Deasy “reported that the size of the department makes it nearly impossible to inventory all of its source code custom developed since August 2016,” according to the audit. “As such, the CIO stated that it would be difficult to meet the OMB memorandum’s goal of releasing at least 20 percent of its new custom code as OSS.”
Deasy further expands in his response to GAO‘s recommendations saying that the department doesn’t believe the pilot is implementable as proposed, citing national security concerns of open-sourcing its custom-made software, most of which is created for things like weapons systems.
That said, some within the DOD have been promoting the use of open source software in recent years. The Defense Digital Service team launched Code.mil in 2017 to boost the department’s open source efforts. Then in 2018, the team revamped the program to make guidance for open source usage to be more clear and accessible.
GAO also found in its report that DOD hasn’t developed a consistent way to measure the performance of its pilot or issued its own policy for open source, as required in OMB’s 2016 policy.
“According to the CIO, the department had been slow to develop a policy because these types of changes require significant resources, coordination, and buy-in across the department that will take additional time to address,” the report says. However, DOD plans to issue a policy by the end of calendar 2019.
The GAO report ends by highlighting the views of top officials at DOD components and the benefits and risks of open source software. While they mostly believe it creates financial benefits and increases efficiency, opinions were mixed on the inherent cyber risks of such a program. A few officials “expressed their views that security concerns and the lack of a cybersecurity governance process could result in the sporadic use of OSS.” But most believe the risks could be managed and are outweighed by the benefits of open source software.