The Defense Department is not abiding by a federal mandate to promote the use of open source software and make common code more readily available to other agencies, according to the Government Accountability Office.
In 2016, the Office of Management and Budget published a memorandum that required every federal agency to make at least 20% of their custom-built software open source within three years, meaning the code would be available for other agencies to use. However, as of July, the Pentagon had released less than 10% of its software as open source, according to GAO.
The department has also failed to fully implement a number of other open source software initiatives required by the OMB memo, such as creating an enterprisewide open source software policy and building inventories of custom code, auditors said. Additionally, officials never created performance metrics to measure the success of their open source software efforts.
In both industry and government, the popularity of open source software has exploded in recent years to keep up with the growing demand for fresh tech. By sharing and reusing code, organizations can reduce the cost of developing software and trust the code they’re using has been thoroughly tested by other users.
However, relying on software that someone else developed requires a certain level of trust. If the developer overlooks a vulnerability in the code—or intentionally inserts one—that bug could end up in countless applications, and users wouldn’t know it’s there.
In conversations with GAO, some Pentagon officials said they were concerned about the security of open source software, citing the potential for malicious insiders to spread vulnerabilities across the department and the lack of internal governance over shared code. However, most said they were confident the department could manage those risks, and every official GAO spoke with agreed that embracing open source software could cut costs and allow for more rapid deployment of new tech, auditors said.
The Pentagon’s chief information officer attributed the failure to meet OMB’s open source standards to the sheer size of the department, which “makes it nearly impossible to inventory all of its source code.” GAO urged the department to ramp up its efforts to hit the 20% mark, but officials did not agree with the recommendation.
Still, the department did commit to updating other policies and practices to increase the availability of its software, auditors said. Officials plan to update a 2009 policy with a blueprint for reusing software, and they also intend to expand efforts to inventory new custom code and obtain data rights for some vendor-provided applications.
They also agreed to grow their open source community, another requirement of the OMB memo. Today, the Defense Information Systems Agency and Defense Digital Service both operate online repositories where developers can work together on open source projects, auditors said, but those efforts could be improved.
“Until [the Defense Department] fully implements its pilot program and establishes milestones for completing the OMB requirements, the department will not be positioned to take advantage of significant cost savings and efficiencies,” GAO said in the report published Tuesday.