Gathering Input About Government Procurement of Open Source Software

February 03, 2009

I attended an excellent talk last night about GCPedia that was presented by Jeff Braybrook, Deputy Chief Technology Officer for Canada, at a Third Tuesday Ottawa Gathering. It was excellent to hear more about the history of the adoption of the open source tool MediaWiki within the Government of Canada. Jeff described Canada's CTO office as being "Hawkish about open source", and wanting to use it as much as possible. At a time when procurement officers and IT departments are still questioning whether or not open source can be used within government, this was great news.

His view that wikis would become as integrated in the government workplace as the phone and email was very refreshing too. Grabbing notes off of Joseph Thornley's Tweet, "Jeff Braybrook wants to open source not just because it is cheap - but also for its mentality: participation; cooperation; standards." Doug wrote up a detailed post about the event here in his blog.

After writing this post I've been sent a number of interesting links that I thought were very important to point out. The US Department of Defense has set up a Forge.mil project to promote open source development within the US military. When looking at procurement of open source within the government, we really have to look at Europe. Three really solid sites that the Canadian government should be looking towards are previously OSOR.eu - supporting and encouraging the re-use of publicly-financed Open Source Software developments, FLOSSPOLS - Free/Libre/Open Source Software: Policy Support, and Public Sector OSS - the European Commission's DG Information Society and Media.

On a related note, a client of ours pointed us to the MERX listing that PWGSC added to gather information on how to obtain open source in Government. I'm not sure how many people will see it, as lots of open source folks don't use MERX, but do have an interest in seeing the government apply this well (even just as taxpayers). I pulled the relevant questions out of the 7-page PDF and created a simpler questionnaire about government adoption of no charge licensed software. There is also a wiki response that folks can contribute to.

There's an Appendix to this document that I'd also like to see feedback on. Please address comments on this Appendix directly to this post.

Appendix B – DRAFT Guidelines - Decision Process for acquiring
No Charge Licensed Software

Draft proposed Process description

The process begins with a request from an application delivery
group or end user to use a particular piece of software.
Depending on the nature of the acquisition (specifically,
whether or not the acquisition involves a cost greater than $0),
the process proceeds either through a conventional procurement
workflow (not detailed here) or through the "No Charge"
acquisition process.

The No Charge process consists of five concurrent streams of
activity, each of which is critical to the successful
acquisition, management and integration of the software within
the GC or departmental environment.
These five streams consist of the following:

1. Architectural Review and Approval – This involves the
applicable Enterprise Architecture group reviewing the product
to ensure that it:
- Is appropriate for the use specified in the request
- Works well within the technical environment
- Does not violate or overlap with any existing standards.

2. Financial Risk Assessment – Per Treasury Board Secretariat
direction, the use of No Charge Software (particularly Free and
OPEN SOURCE Software) requires the completion of a financial
risk assessment. The financial risk assessment must consider the
risk exposure per year against the financial benefit. Depending
on the level of risk involved, approval of the risk assessment
will be required by:
- The applicable Senior Financial Officer or delegate – for
substantive risk
- The business owner of the impacted or system – where risk is
non-substantive

3. Justification of No Charge Acquisition - A Procurement
Officer must review the justification for acquisition of No
Charge Software, for clarification and as due diligence for the
validity of reasons and that they will stand possible future
scrutiny.

4. Investigation of Security Risks – Given the potentially
heightened security risk of downloadable No Charge Software, the
appropriate IT Security Officer must investigate and approve No
Charge Software before it is approved for use. In particular,
the security assessment will assure that the product does not
contain viruses, malware or other means for an attacker to
compromise the GC or departmental environment.

5. Software License Review – Due to the diverse nature of license
models associated with No Charge Software, a review must be
conducted to identify potential legal/policy impediments for the
GC in agreeing to a particular license agreement. The intent is
to accumulate a list of acceptable licenses (including popular
ones such as GPL, LGPL, Apache etc.) so that a particular
license model would only have to be examined once across the
entire GC.

Some of the most significant legal/policy concerns would
include:
- No warranty or limitation of liability, the imposition of
flow-through obligations to 3rd parties, and obligations that the
Crown indemnify licensors or 3rd parties.
- Ownership of data manipulated/stored with the product
- Limitations on the use of the product conflicting with GC or
departmental intent
- Instances where the Government of Canada could be obliged to
pay the creator.

If all five approvals are received, then the software can be
installed on the appropriate environment(s), be they servers or
desktops. The same change management and deployment processes
apply as to software that has been acquired through conventional
procurement.

About The Author

Mike Gifford is the founder of OpenConcept Consulting Inc, which he started in 1999. Since then, he has been particularly active in developing and extending open source content management systems to allow people to get closer to their content. Before starting OpenConcept, Mike had worked for a number of national NGOs including Oxfam Canada and Friends of the Earth.