DHS U-turns on feds’ open source policy

The Department of Homeland Security has walked back comments on the White House’s Open Source Code Policy, agreeing with the majority of the administration’s stipulations while offering a few tweaks.

Last week, an extensive comment attributed to DHS was posted on the open source policy’s GitHub page. The comments claimed the project’s goal of releasing at least 20 percent of the agency’s software code would be akin to the FBI handing over their source code to the Mafia, leaving agencies open to highly targeted attacks.

The comments further asked for the 20 percent rule to be modified, adding a stipulation in which contractors were only allowed to “modify or derive alternative applications from the source code for the sole and exclusive use of the U.S. Government.”

A new comment from DHS CIO Luke McCormack was posted Monday, reversing much of what the initial DHS comment said. The new posting explicitly states that last week’s comments “do not represent DHS policy or views.”



“The Department of Homeland Security strongly supports the proposed Federal Source Code Policy,” McCormack writes. “We believe moving towards government-wide reuse of custom-developed code and releasing federally-funded custom code as open source software has significant financial, technical, and cybersecurity benefits and will better enable DHS to meet our mission of securing the nation from the many threats we face.”

The only suggestion McCormack makes is to tweak the 20 percent rule so agencies can smartly decide on what parts of their code would be reused by the public once it’s released.

“We worry that the requirement of releasing 20 percent of custom code will encourage releasing code without thinking thoughtfully about how the government and community can get the most value from it,” he writes. “The private sector has rejected looking at lines of code as a metric for engineering productivity, and we do not believe it is the most appropriate metric here either.”

McCormack also refutes the notion advanced in the first set of comments that releasing code to the public would be like opening the government’s systems to attackers.


“Security through obscurity is not true security: we cannot depend on vulnerabilities not being exploited just because they have not been discovered yet,” he said. “There are many examples of widely-used pieces of software that benefit greatly from constant and vigorous community reviews and contributions to find bugs, and thus making them more secure. We look forward to government systems joining them.”

A host of government agencies, open source advocates and private companies have weighed in on the policy, with over 230 comments now posted to the project’s GitHub page.

The project’s public comment period will close Tuesday at midnight.



Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.
