The Department of Defense has not fully implemented mandates from the Office of Management and Budget (OMB) and the 2018 National Defense Authorization Act (NDAA) to increase its use of open-source software and release code, according to a September 10 Government Accountability Office (GAO) report.
The report notes that the 2018 NDAA mandated that DoD establish a pilot program on open source and report on the program’s implementation. It also says that OMB’s M-16-21 memorandum requires all agencies to release at least 20 percent of custom-developed code as open-source, with a metric for calculating program performance.
However, DoD has released less than 10 percent of its custom code and had not developed a measure to calculate the performance of the pilot program. In comments to GAO, the DoD CIO’s office said there has been difficulty inventorying all of the custom source code across the department, and disagreement on how to assess success for a performance measure. While the department worked to partially implement OMB’s policy, it had not yet issued a policy.
“Until DoD fully implements the [open-source software] pilot program … the department will likely miss opportunities to achieve related cost savings and efficiencies,” the report states.
GAO also interviewed DoD officials to understand their approach to open-source, and found a range of views. While most DoD units agreed that open-source can bring cost savings and efficiency in development, there were mixed views on related cybersecurity risk. Officials from the Navy, Marine Corps, and Army’s Communications-Electronics Command said their components were hesitant to adopt more open-source software, while officials from Acquisition and Sustainment noted that the risk is manageable and not a major barrier.
While GAO recommended that DoD release at least 20 percent of its code, the DoD CIO’s office disagreed, citing national security concerns about releasing code and DoD’s complexity. The department did agree to identify a measure to calculate the percentage of code being released.