Introduction

Open Source Software (OSS) is software that is freely licensed to the public to use, copy, study, and change in any way. The source code is openly shared to encourage people to voluntarily improve the design of the software. From the OSS consumption perspective, CMS has been an active supporter of OSS and has used it on several IT projects. This chapter provides guidelines for CMS project teams that wish to use OSS libraries and packaged OSS for internal consumption or for development of new and custom software.

From the OSS production perspective, several CMS business units and offices have been actively releasing code as part of IT modernization projects. CMS has many active open source communities, such as BlueButton, Healthcare.gov Style Guide, and the MMIS Provider screening module on the Public CMS GitHub account. CMS has embraced OSS for development projects and is looking forward to releasing software to the open source community to promote its reuse.

CMS has launched its Open Source Software Policy that will guide IT Application Development Contractors that produce software for CMS’s mission-critical programs. The new policy is located at https://go.cms.gov/open-source-policy.

The new CMS policy is a living document, and changes to it are handled via issues and pull requests in the CMS GitHub repository, https://github.com/CMSgov/cms-open-source-policy.

Scope

The guidance in this chapter is limited to using OSS within the CMS environment and does not address practices that are generally applicable to software engineering efforts. Moreover, the guidance complements and incorporates CMS’s existing policies, standards, and procedures, including those described in other parts of the CMS TRA, such as Network Services and Security Services. The TRB manages and approves the use of OSS in accordance with TRA guidance and its prescribed function within the CMS TLC.

Additional references used in this chapter:

https://en.wikipedia.org/wiki/Free_and_open-source_software

https://code.gov/#/policy-guide/policy/introduction

https://code.gov/#/policy-guide/docs/compliance/procurement

http://dodcio.defense.gov/Open-Source-Software-FAQ/

https://www.acquisition.gov/far/subpart-27.4

https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools