As “avoid vendor lock-in” eclipses “do more with less,” open source offers freedom to tailor mission-specific solutions and cherry-pick right-sized applications.
It’s mid-2021, and in federal IT, open-source technology remains contentious—even as it’s widely implemented, sometimes unknowingly. After all, one study found that 92% of applications contain open-source components. So why the consternation?
Like many federal quandaries, it’s complicated—interlaced with decades of proprietary technology deals, server-hugging culture and legitimate concerns about security. In reality, open source has come a long way since emerging as a dark horse in federal IT modernization. Now, it might be the best contender.
“Open-source technologies have helped organizations move forward faster. And they can be transformative in how an entity can better deliver services,” Suzette Kent, former federal CIO, said at the Postgres Vision conference June 22. “Just keeping up with the evolving technology landscape is not only a huge effort, but a significant financial investment. Open-source tools and cloud-based services have opened alternative pathways for many entities to unburden themselves from those antiquated environments with heavy hardware and proprietary software.”
As “avoid vendor lock-in” eclipses “do more with less,” open source offers freedom to tailor mission-specific solutions and cherry-pick right-sized applications, delivering efficiency and savings. And with open source, there’s improved plug-and-play integration with other IT capabilities—regardless of origin.
As promising as these advantages may be, none can be realized at the expense of security or user support. How software defects are addressed, who resolves issues and in what timeframe, and how trustworthy and secure the product is are all valid and crucial questions—for both proprietary and open-source solutions.
Luckily, these areas have been central to open source’s deliberate evolution. Today agencies can access open-source applications that meet high federal standards, including Security Technical Implementation Guides approved by the Defense Information Systems Agency and FIPS 140-2 compliance.
And while open-source applications are developed by a global community, that doesn’t mean agencies can’t access the support to which they’re accustomed in “traditional” vendors. Today, many open-source distributors and third-party companies offer support for open-source software—and help integrate with those traditional proprietary systems.
The Path Ahead in Open Source
Open source, in many instances, can be one answer for the public sector’s digital transformation goals and modernization requirements. But many still question open-source security, and there’s growing pressure on—and protective measures around—safeguarding the supply chain.
Most specifically, President Joe Biden’s recent cybersecurity executive order spotlighted open source in supply chain security. The order directs the National Institute of Standards and Technology to develop guidance “ensuring and attesting, to the extent practicable, to the integrity and provenance of open-source software used within any portion of a product” used by federal agencies. The measure also aims to codify requirements around use of a software bill of materials, or SBOM, for federal purchasers.
These guidelines are an opportunity to augment and strengthen measures within the open source and broader IT communities. Providers are already bolstering defenses and offering service-level solutions, such as protective modules that fend off malicious code-borne attacks on databases; customizable, granular access controls and anomaly detection; or subscription services that scrub, improve and secure code—and offer the U.S. a competitive advantage.
There are also growing collaborative efforts fostered by tech leaders (Google) and pro-open source consortiums (Open Source Security Foundation) that further underscore that securing open source will be a cross-industry undertaking.
Of course, challenges remain. SBOMs and other key measures in the order still need to be defined. Relevant communities still need to come together. Uniform standards, comprehensive best practices, and baseline goals, tactics and targeted security postures all need to be identified along with incremental steps for reaching them. But forward momentum is clear.
If there were ever any doubt, this year’s billion-dollar infusion into the federal Technology Modernization Fund should assuage concerns. The funding will only accelerate progress made so far, including under Kent’s tenure.
“One of the [early] projects funded under this act was a database transformation for GSA to move to open source for a specific legacy database,” Kent said. “The value of the initiative was not just the upgraded legacy systems for a single agency; it was that the agency produced a playbook so that others could use that as they went along the same journey, and we could accelerate that journey at other agencies. … There’s incredible potential for improved outcomes when you partner data and advanced technologies.”
Rick Hill is a solutions engineer at EDB. He’s spent more than 20 years engineering software and databases; he also served nearly nine years in the Army National Guard.