[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 3594 Reported in Senate (RS)]
<DOC>
Calendar No. 491
118th CONGRESS
2d Session
S. 3594
[Report No. 118-213]
To require governmentwide source code sharing, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
January 16, 2024
Mr. Cruz (for himself, Mr. Peters, and Mr. Wyden) introduced the
following bill; which was read twice and referred to the Committee on
Homeland Security and Governmental Affairs
September 9, 2024
Reported by Mr. Peters, with an amendment
[Strike out all after the enacting clause and insert the part printed
in italic]
_______________________________________________________________________
A BILL
To require governmentwide source code sharing, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
<DELETED>SECTION 1. SHORT TITLE.</DELETED>
<DELETED> This Act may be cited as the ``Source code Harmonization
And Reuse in Information Technology Act'' or the ``SHARE IT
Act''.</DELETED>
<DELETED>SEC. 2. FINDINGS; PURPOSE.</DELETED>
<DELETED> (a) Findings.--</DELETED>
<DELETED> (1) In general.--Congress finds the
following:</DELETED>
<DELETED> (A) Duplication of efforts.--Federal
agencies often engage in the development or procurement
of similar software solutions for comparable problems,
leading to a duplicative allocation of resources that
could otherwise be avoided.</DELETED>
<DELETED> (B) Cost inefficiency.--The absence of a
mechanism for inter-agency source code sharing results
in the Federal Government incurring unnecessary costs
for software development, licensing, and maintenance,
an inefficiency highlighted by the Government
Accountability Office in numerous reports, including--
</DELETED>
<DELETED> (i) Government Accountability
Office Report ``Federal Software Licenses:
Better Management Needed to Achieve Significant
Savings Government-Wide'' (GAO-14-413),
published on May 22, 2014;</DELETED>
<DELETED> (ii) Government Accountability
Office Report ``2016 Annual Report: Additional
Opportunities to Reduce Fragmentation, Overlap,
and Duplication and Achieve Other Financial
Benefits'' (GAO-16-375SP), published on April
13, 2016;</DELETED>
<DELETED> (iii) Government Accountability
Office Report ``Information Technology: DoD
Needs to Fully Implement Program for Piloting
Open Source Software'' (GAO-19-457), published
on September 10, 2019;</DELETED>
<DELETED> (iv) Government Accountability
Office Report ``Information Technology: Federal
Agencies and OMB Need to Continue to Improve
Management and Cybersecurity'' (GAO-20-691T),
published on August 3, 2020; and</DELETED>
<DELETED> (v) Government Accountability
Office Report ``DoD Software Licenses: Better
Guidance and Plans Needed to Ensure Restrictive
Practices are Mitigated'' (GAO-23-106290),
published on September 12, 2023.</DELETED>
<DELETED> (C) Technological fragmentation.--The
isolated development efforts of each agency contribute
to a landscape of fragmented technologies that impede
interoperability and data exchange between Federal
systems.</DELETED>
<DELETED> (D) Slow adoption of best practices.--The
lack of software sharing hinders the diffusion of
engineering best practices and innovations across
agencies, whereas learning from the successes and
failures of other agencies would accelerate the
modernization of government systems.</DELETED>
<DELETED> (E) Security vulnerabilities.--Redundant
development efforts mean that security weaknesses
inadvertently introduced in the software of an agency
could go unnoticed by other agencies, whereas a shared
codebase would benefit from collective security
auditing and updates.</DELETED>
<DELETED> (F) Public accountability.--Software
funded by taxpayers should be available for scrutiny by
the public to the greatest extent possible, to ensure
transparency and accountability.</DELETED>
<DELETED> (G) Pilot success.--Preliminary
initiatives aimed at making federally funded custom-
developed code freely available to the public have
demonstrated the viability and benefits of such sharing
schemes, including--</DELETED>
<DELETED> (i) Memorandum M-16-21 issued by
the Office of Management and Budget on August
8, 2016, entitled ``Federal Source Code Policy:
Achieving Efficiency, Transparency, and
Innovation through Reusable and Open Source
Software''; and</DELETED>
<DELETED> (ii) ``Code.gov'', which documents
how agencies already extensively use public
repositories, demonstrating the ability of
agencies to share code using existing
infrastructure.</DELETED>
<DELETED> (2) Conclusion.--Based on the findings in
paragraph (1), it is imperative for Congress to enact
legislation that mandates the sharing of custom-developed code
across agencies to promote efficiency, reduce waste, enhance
security, and foster innovation in the Federal information
technology ecosystem.</DELETED>
<DELETED> (b) Purpose.--The overarching aim of this Act is to
maximize efficiency, minimize duplication, and enhance security and
innovation across Federal agencies by requiring the sharing of custom-
developed code between agencies by--</DELETED>
<DELETED> (1) enabling agencies to benefit mutually from the
investments of other agencies in custom-developed
code;</DELETED>
<DELETED> (2) promoting technological consistency and
interoperability among agencies, thereby facilitating seamless
data exchange and system integration;</DELETED>
<DELETED> (3) fostering a culture of sharing engineering
best practices and successful technological innovations among
agencies;</DELETED>
<DELETED> (4) enhancing transparency by making federally
funded custom-developed code available for public scrutiny,
subject to necessary security considerations; and</DELETED>
<DELETED> (5) leveraging inter-agency collaboration for
better security auditing of the shared codebase, aiming for a
more unified and secure technological infrastructure across
agencies.</DELETED>
<DELETED>SEC. 3. DEFINITIONS.</DELETED>
<DELETED> In this Act:</DELETED>
<DELETED> (1) Agency.--The term ``agency'' has the meaning
given that term in section 3502 of title 44, United States
Code.</DELETED>
<DELETED> (2) Custom-developed code.--The term ``custom-
developed code''--</DELETED>
<DELETED> (A) means source code that is--</DELETED>
<DELETED> (i) produced in the performance of
a Federal contract or is otherwise fully funded
by the Federal Government; or</DELETED>
<DELETED> (ii) developed by a Federal
employee as part of the official duties of the
employee;</DELETED>
<DELETED> (B) includes--</DELETED>
<DELETED> (i) source code, or segregable
portions of source code, for which the Federal
Government could obtain unlimited rights under
part 27 of the Federal Acquisition Regulation
or any relevant supplemental acquisition
regulations of an agency; and</DELETED>
<DELETED> (ii) source code written for a
software project, module, plugin, script,
middleware, or application programming
interface; and</DELETED>
<DELETED> (C) does not include--</DELETED>
<DELETED> (i) source code that is solely
exploratory or disposable in nature, including
source code written by a developer
experimenting with a new language or library;
or</DELETED>
<DELETED> (ii) commercial off-the-shelf
software or configuration scripts for such
software.</DELETED>
<DELETED> (3) Federal chief information officer.--The term
``Federal Chief Information Officer'' means the Administrator
of the Office of Electronic Government.</DELETED>
<DELETED> (4) Federal employee.--The term ``Federal
employee'' has the meaning given the term ``employee'' in
section 2105(a) of title 5, United States Code.</DELETED>
<DELETED> (5) Metadata.--The term ``metadata'', with respect
to custom-developed code--</DELETED>
<DELETED> (A) has the meaning given that term in
section 3502 of title 44, United States Code;
and</DELETED>
<DELETED> (B) includes information on whether the
custom-developed code--</DELETED>
<DELETED> (i) was produced pursuant to a
contract, and the contract number, if any;
and</DELETED>
<DELETED> (ii) is shared in a public or
private repository, and includes a hyperlink to
the repository, as applicable.</DELETED>
<DELETED> (6) Private repository.--The term ``private
repository'' means a software storage location--</DELETED>
<DELETED> (A) that contains source code,
documentation, and other files; and</DELETED>
<DELETED> (B) access to which is restricted to
authorized users.</DELETED>
<DELETED> (7) Public repository.--The term ``public
repository'' means a software storage location--</DELETED>
<DELETED> (A) that contains source code,
documentation, and other files; and</DELETED>
<DELETED> (B) access to which is open to the
public.</DELETED>
<DELETED> (8) Software.--The term ``software'' has the
meaning given the term ``computer software'' in section 2.101
of title 48, Code of Federal Regulations, or any successor
regulation.</DELETED>
<DELETED> (9) Source code.--The term ``source code'' means a
collection of computer commands written in a computer
programming language that a computer can execute as a piece of
software.</DELETED>
<DELETED>SEC. 4. SOFTWARE REUSE.</DELETED>
<DELETED> (a) Sharing.--Not later than 210 days after the date of
enactment of this Act, the head of each agency shall ensure that--
</DELETED>
<DELETED> (1) the custom-developed code of the agency is
contained at not less than 1 public or private repository and
is accessible to Federal employees via procedures developed
under subsection (d)(1)(A)(ii)(III); and</DELETED>
<DELETED> (2) all software and other key technical
components, including documentation, data models, schemas,
metadata, and architecture designs, are owned by the
agency.</DELETED>
<DELETED> (b) Software Reuse Rights in Procurement Contracts.--
</DELETED>
<DELETED> (1) In general.--The head of an agency that enters
into a contract for the custom development of software shall
acquire and enforce rights sufficient to enable the
governmentwide access, execution, and modification of the
custom-developed code relating to the software.</DELETED>
<DELETED> (2) Best practices.--</DELETED>
<DELETED> (A) Contract administration.--With respect
to a contract described in paragraph (1), the head of
an agency shall ensure appropriate contract
administration and use of best practices to secure the
full scope of licenses and rights for the Federal
Government of the custom-developed code developed under
the contract, to allow for access, execution, and
modification by other agencies.</DELETED>
<DELETED> (B) Development process.--With respect to
a contract described in paragraph (1), the head of an
agency shall ensure the use of best practices to
require and obtain the delivery of the custom-developed
code, documentation of the custom-developed code,
configuration and artifacts required to develop, build,
test, and deploy the custom-developed code, and other
associated materials from the developer throughout the
development process.</DELETED>
<DELETED> (c) Discovery.--Not later than 210 days after the date of
enactment of this Act, the head of each agency shall make metadata for
the custom-developed code of the agency publicly accessible.</DELETED>
<DELETED> (d) Accountability Mechanisms.--</DELETED>
<DELETED> (1) Agency cios.--Not later than 180 days after
the date of enactment of this Act, the Chief Information
Officer of each agency, in consultation with the Chief
Acquisition Officer, or similar official, of the agency and the
Federal Chief Information Officer, shall develop an agency-wide
policy that--</DELETED>
<DELETED> (A) addresses the requirements of this
Act, including--</DELETED>
<DELETED> (i) ensuring that agency custom-
developed code follows best practices for
operating repositories and version control
systems to keep track of changes and to
facilitate collaboration among multiple
developers;</DELETED>
<DELETED> (ii) managing the sharing and
discovery of source code, including
developing--</DELETED>
<DELETED> (I) procedures to
determine whether any custom-developed
code meets the conditions for an
exemption under this Act;</DELETED>
<DELETED> (II) procedures for making
metadata for custom-developed code
discoverable, pursuant to section
4(c);</DELETED>
<DELETED> (III) procedures for
Federal employees to discover and gain
access to private
repositories;</DELETED>
<DELETED> (IV) standardized
reporting practices across the agency
to capture key information relating to
a contract for reporting statistics
about the contract; and</DELETED>
<DELETED> (V) procedures for
updating metadata, private
repositories, and public repositories
on a quarterly basis;</DELETED>
<DELETED> (iii) identifying points of
contact for roles and responsibilities relating
to the implementation of this Act;
and</DELETED>
<DELETED> (iv) if practicable, using
existing procedures and systems; and</DELETED>
<DELETED> (B) corrects or amends any policies of the
agency that are inconsistent with the requirements of
this Act.</DELETED>
<DELETED> (2) Federal cio.--</DELETED>
<DELETED> (A) Framework for review.--Not later than
1 year after the date of enactment of this Act, the
Federal Chief Information Officer shall establish a
framework for reviewing the software being developed
across the Federal Government to surface and support
the goals of existing digital priorities.</DELETED>
<DELETED> (B) Minimum standard reporting
requirements.--Not later than 120 days after the date
of enactment of this Act, the Federal CIO shall, in
coordination with the Director of the National
Institute of Standards and Technology, establish
minimum standard reporting requirements for the Chief
Information Officers of agencies, which shall include
information relating to--</DELETED>
<DELETED> (i) measuring the frequency of
reuse of code, including access and
modification;</DELETED>
<DELETED> (ii) whether the shared code is
maintained;</DELETED>
<DELETED> (iii) whether there is a feedback
mechanism for improvements to or community
development of the shared code; and</DELETED>
<DELETED> (iv) the number and circumstances
of all exemptions granted under section
5(b)(2).</DELETED>
<DELETED> (C) Annual report.--Not later than 1 year
after the date of enactment of this Act, and annually
thereafter, the Federal Chief Information Officer shall
submit to Congress a report on the status of the
implementation of this Act by each agency, including--
</DELETED>
<DELETED> (i) a complete list of all
exemptions granted under section
5(b)(2);</DELETED>
<DELETED> (ii) a table showing whether each
agency has updated the acquisition and other
policies of the agency to be compliant with
this Act; and</DELETED>
<DELETED> (iii) an evaluation of the
compliance of the agency with the framework
described in subparagraph (A).</DELETED>
<DELETED>SEC. 5. SCOPE AND APPLICABILITY.</DELETED>
<DELETED> (a) New Custom-Developed Code Only.--This Act shall apply
to custom-developed code that is developed or revised--</DELETED>
<DELETED> (1) by a Federal employee not less than 180 days
after the date of enactment of this Act; or</DELETED>
<DELETED> (2) under a contract awarded pursuant to a
solicitation issued not less than 180 days after the date of
enactment of this Act.</DELETED>
<DELETED> (b) Exemptions.--</DELETED>
<DELETED> (1) Automatic.--This Act shall not apply to
classified source code or source code developed primarily for
use in a national security system, as defined in section 11103
of title 40, United States Code.</DELETED>
<DELETED> (2) Explanation required.--</DELETED>
<DELETED> (A) In general.--The Chief Information
Officer of an agency may exempt from the requirements
of this Act any source code for which a limited
exemption described in subparagraph (B) applies, after
documenting the limited exemption and providing to the
Federal Chief Information Officer a brief narrative
justification, with redactions as
appropriate.</DELETED>
<DELETED> (B) Limited exemptions.--The limited
exemptions described in this subparagraph are the
following:</DELETED>
<DELETED> (i) The sharing or discovery of
the source code is restricted by Federal law or
regulation, including the Export Administration
Regulations, the International Traffic in Arms
Regulations, regulations of the Transportation
Security Administration relating to the
protection of Sensitive Security Information,
and the Federal laws and regulations governing
classified information.</DELETED>
<DELETED> (ii) The sharing or discovery of
the source code would create an identifiable
risk to individual privacy.</DELETED>
<DELETED>SEC. 6. GUIDANCE.</DELETED>
<DELETED> The Director of the Office of Management and Budget shall
issue guidance, consistent with the purpose of this Act, that
establishes best practices and uniform procedures across agencies under
section 4(d).</DELETED>
<DELETED>SEC. 7. GAO REPORT ON INFORMATION TECHNOLOGY
PRACTICES.</DELETED>
<DELETED> (a) Initial Report.--Not later than 1 year after the date
of enactment of this Act, the Comptroller General of the United States
shall submit to Congress a report that includes an assessment of--
</DELETED>
<DELETED> (1) duplicative software procurement across and
within agencies, including estimates of the frequency,
severity, and dollar value of the duplicative software
procurement;</DELETED>
<DELETED> (2) barriers to agency use of cloud-based
platforms for software development and version control and how
to address those barriers;</DELETED>
<DELETED> (3) how source code sharing and open-source
software collaboration can improve cybersecurity at agencies;
and</DELETED>
<DELETED> (4) other relevant matters, as determined by the
Comptroller General of the United States.</DELETED>
<DELETED> (b) Supplemental Report.--Not later than 2 years after the
date of enactment of this Act, the Comptroller General of the United
States shall submit to Congress a report that includes an assessment
of--</DELETED>
<DELETED> (1) the implementation of this Act; and</DELETED>
<DELETED> (2) other relevant matters, as determined by the
Comptroller General of the United States.</DELETED>
<DELETED>SEC. 8. RULE OF CONSTRUCTION.</DELETED>
<DELETED> Nothing in this Act shall be construed to require the
disclosure of information or records that are exempt from public
disclosure under section 552 of title 5, United States Code (commonly
known as the ``Freedom of Information Act'').</DELETED>
<DELETED>SEC. 9. NO ADDITIONAL FUNDING.</DELETED>
<DELETED> No additional funds are authorized to be appropriated to
carry out this Act.</DELETED>
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Source code Harmonization And Reuse
in Information Technology Act'' or the ``SHARE IT Act''.
SEC. 2. FINDINGS; PURPOSE.
(a) Findings.--
(1) In general.--Congress finds the following:
(A) Duplication of efforts.--Federal agencies often
engage in the development or procurement of similar
software solutions for comparable problems, leading to
a duplicative allocation of resources that could
otherwise be avoided.
(B) Cost inefficiency.--The absence of a mechanism
for inter-agency source code sharing results in the
Federal Government incurring unnecessary costs for
software development, licensing, and maintenance, an
inefficiency highlighted by the Government
Accountability Office in numerous reports, including--
(i) Government Accountability Office Report
``Federal Software Licenses: Better Management
Needed to Achieve Significant Savings
Government-Wide'' (GAO-14-413), published on
May 22, 2014;
(ii) Government Accountability Office
Report ``2016 Annual Report: Additional
Opportunities to Reduce Fragmentation, Overlap,
and Duplication and Achieve Other Financial
Benefits'' (GAO-16-375SP), published on April
13, 2016;
(iii) Government Accountability Office
Report ``Information Technology: DoD Needs to
Fully Implement Program for Piloting Open
Source Software'' (GAO-19-457), published on
September 10, 2019;
(iv) Government Accountability Office
Report ``Information Technology: Federal
Agencies and OMB Need to Continue to Improve
Management and Cybersecurity'' (GAO-20-691T),
published on August 3, 2020; and
(v) Government Accountability Office Report
``DoD Software Licenses: Better Guidance and
Plans Needed to Ensure Restrictive Practices
are Mitigated'' (GAO-23-106290), published on
September 12, 2023.
(C) Technological fragmentation.--The isolated
development efforts of each agency contribute to a
landscape of fragmented technologies that impede
interoperability and data exchange between Federal
systems.
(D) Slow adoption of best practices.--The lack of
software sharing hinders the diffusion of engineering
best practices and innovations across agencies, whereas
learning from the successes and failures of other
agencies would accelerate the modernization of
government systems.
(E) Security vulnerabilities.--Redundant
development efforts mean that security weaknesses
inadvertently introduced in the software of an agency
could go unnoticed by other agencies, whereas a shared
codebase would benefit from collective security
auditing and updates.
(F) Public accountability.--Software funded by
taxpayers should be available for scrutiny by the
public to the greatest extent possible, to ensure
transparency and accountability.
(G) Pilot success.--Preliminary initiatives aimed
at making federally funded custom-developed code freely
available to the public have demonstrated the viability
and benefits of such sharing schemes, including--
(i) Memorandum M-16-21 issued by the Office
of Management and Budget on August 8, 2016,
entitled ``Federal Source Code Policy:
Achieving Efficiency, Transparency, and
Innovation through Reusable and Open Source
Software''; and
(ii) ``Code.gov'', which documents how
agencies already extensively use public
repositories, demonstrating the ability of
agencies to share code using existing
infrastructure.
(2) Conclusion.--Based on the findings in paragraph (1), it
is imperative for Congress to enact legislation that mandates
the sharing of custom-developed code across agencies to promote
efficiency, reduce waste, enhance security, and foster
innovation in the Federal information technology ecosystem.
(b) Purpose.--The overarching aim of this Act is to maximize
efficiency, minimize duplication, and enhance security and innovation
across Federal agencies by requiring the sharing of custom-developed
code between agencies by--
(1) enabling agencies to benefit mutually from the
investments of other agencies in custom-developed code;
(2) promoting technological consistency and
interoperability among agencies, thereby facilitating seamless
data exchange and system integration;
(3) fostering a culture of sharing engineering best
practices and successful technological innovations among
agencies;
(4) enhancing transparency by making federally funded
custom-developed code available for public scrutiny, subject to
necessary security considerations; and
(5) leveraging inter-agency collaboration for better
security auditing of the shared codebase, aiming for a more
unified and secure technological infrastructure across
agencies.
SEC. 3. DEFINITIONS.
In this Act:
(1) Agency.--The term ``agency'' has the meaning given that
term in section 3502 of title 44, United States Code.
(2) Appropriate congressional committees.--The term
``appropriate congressional committees'' means the Committee on
Homeland Security and Governmental Affairs of the Senate and
the Committee on Oversight and Accountability of the House of
Representatives.
(3) Custom-developed code.--The term ``custom-developed
code''--
(A) means source code that is--
(i) produced in the performance of a
Federal contract or is otherwise exclusively
funded by the Federal Government; or
(ii) developed by a Federal employee as
part of the official duties of the employee;
(B) includes--
(i) source code, or segregable portions of
source code, for which the Federal Government
could obtain unlimited rights under part 27 of
the Federal Acquisition Regulation or any
relevant supplemental acquisition regulations
of an agency; and
(ii) source code written for a software
project, module, plugin, script, middleware, or
application programming interface; and
(C) does not include--
(i) source code that is solely exploratory
or disposable in nature, including source code
written by a developer experimenting with a new
language or library;
(ii) commercial computer software,
commercial off-the-shelf software, or
configuration scripts for such software; or
(iii) source code that is used in the
performance of, but not produced in fulfillment
of, a Federal contract.
(4) Federal employee.--The term ``Federal employee'' has
the meaning given the term ``employee'' in section 2105(a) of
title 5, United States Code.
(5) Metadata.--The term ``metadata'', with respect to
custom-developed code--
(A) has the meaning given that term in section 3502
of title 44, United States Code; and
(B) includes information on whether the custom-
developed code--
(i) was produced pursuant to a contract,
and the contract number, if any; and
(ii) is shared in a public or private
repository, and includes a hyperlink to the
repository, as applicable.
(6) Private repository.--The term ``private repository''
means a software storage location--
(A) that contains source code, documentation, and
other files; and
(B) access to which is restricted to authorized
users.
(7) Public repository.--The term ``public repository''
means a software storage location--
(A) that contains source code, documentation, and
other files; and
(B) access to which is open to the public.
(8) Software.--The term ``software'' has the meaning given
the term ``computer software'' in section 2.101 of title 48,
Code of Federal Regulations, or any successor regulation.
(9) Source code.--The term ``source code'' means a
collection of computer commands written in a computer
programming language that a computer can execute as a piece of
software.
SEC. 4. SOFTWARE REUSE.
(a) Sharing.--Not later than 210 days after the date of enactment
of this Act, the head of each agency shall ensure that--
(1) the custom-developed code of the agency is contained at
not less than 1 public or private repository and is accessible
to Federal employees via procedures developed under subsection
(d)(1)(A)(ii)(III); and
(2) all software and other key technical components,
including documentation, data models, schemas, metadata, and
architecture designs, are owned by the agency.
(b) Software Reuse Rights in Procurement Contracts.--
(1) In general.--The head of an agency that enters into a
contract for the custom development of software shall acquire
and enforce rights sufficient to enable the governmentwide
access, execution, and modification of the custom-developed
code relating to the software.
(2) Best practices.--
(A) Contract administration.--With respect to a
contract described in paragraph (1), the head of an
agency shall ensure appropriate contract administration
and use of best practices to secure the full scope of
licenses and rights for the Federal Government of the
custom-developed code developed under the contract, to
allow for access, execution, and modification by other
agencies.
(B) Development process.--With respect to a
contract described in paragraph (1), the head of an
agency shall ensure the use of best practices to
require and obtain the delivery of the custom-developed
code, documentation of the custom-developed code,
configuration and artifacts required to develop, build,
test, and deploy the custom-developed code, and other
associated materials from the developer throughout the
development process.
(c) Discovery.--Not later than 210 days after the date of enactment
of this Act, the head of each agency shall make metadata for the
custom-developed code of the agency publicly accessible.
(d) Accountability Mechanisms.--
(1) Agency cios.--Not later than 180 days after the date of
enactment of this Act, the Chief Information Officer of each
agency, in consultation with the Chief Acquisition Officer, or
similar official, of the agency and the Administrator of the
Office of Electronic Government, shall develop an agency-wide
policy that--
(A) addresses the requirements of this Act,
including--
(i) ensuring that agency custom-developed
code follows best practices for operating
repositories and version control systems to
keep track of changes and to facilitate
collaboration among multiple developers;
(ii) managing the sharing and discovery of
source code, including developing--
(I) procedures to determine whether
any custom-developed code meets the
conditions for an exemption under this
Act;
(II) procedures for making metadata
for custom-developed code discoverable,
pursuant to subsection (c);
(III) procedures for Federal
employees to discover and gain access
to private repositories;
(IV) procedures for checking the
use of existing shared code as an
alternative to initiating a new project
or procurement;
(V) standardized reporting
practices across the agency to capture
key information relating to a contract
for reporting statistics about the
contract; and
(VI) procedures for updating
metadata, private repositories, and
public repositories on a quarterly
basis;
(iii) identifying points of contact for
roles and responsibilities relating to the
implementation of this Act; and
(iv) if practicable, using existing
procedures and systems; and
(B) corrects or amends any policies of the agency
that are inconsistent with the requirements of this
Act.
(2) Administrator of the office of electronic government.--
(A) Framework for review.--Not later than 1 year
after the date of enactment of this Act, the
Administrator of the Office of Electronic Government
shall establish a framework for reviewing the software
being developed across the Federal Government to
surface and support the goals of existing digital
priorities, including issuing guidance on--
(i) the implementation of subsection (c);
(ii) websites for agencies to use with
respect to code discovery under subsection (c);
(iii) other procedures for agencies to use
to ensure that existing shared code has been
considered as an alternative to initiating a
new project or procurement;
(iv) identifying exemptions to this Act;
and
(v) the frequency of and official
responsible for security auditing of
repositories.
(B) Minimum standard reporting requirements.--Not
later than 120 days after the date of enactment of this
Act, the Administrator of the Office of Electronic
Government, in coordination with the Director of the
National Institute of Standards and Technology, shall
establish minimum standard reporting requirements for
the Chief Information Officers of agencies, which shall
include information relating to--
(i) measuring the frequency of reuse of
code, including access and modification;
(ii) whether the shared code is maintained;
(iii) whether there is a feedback mechanism
for improvements to or community development of
the shared code; and
(iv) the number and circumstances of all
exemptions granted under section 5(b)(2).
SEC. 5. SCOPE AND APPLICABILITY.
(a) New Custom-Developed Code Only.--The requirements under section
4 shall apply to custom-developed code that is developed or revised--
(1) by a Federal employee not less than 180 days after the
date of enactment of this Act; or
(2) under a contract awarded pursuant to a solicitation
issued not less than 180 days after the date of enactment of
this Act.
(b) Exemptions.--
(1) Automatic.--
(A) National security.--An exemption from the
requirements under section 4 shall apply to classified
source code or source code developed--
(i) primarily for use in a national
security system, as defined in section 11103 of
title 40, United States Code; or
(ii) by an agency, or part of an agency,
that is an element of the intelligence
community, as defined in section 3(4) of the
National Security Act of 1947 (50 U.S.C.
3003(4)).
(B) Freedom of information act.--An exemption from
the requirements under section 4 shall apply to source
code the disclosure of which is exempt under section
552(b) of title 5, United States Code (commonly known
as the ``Freedom of Information Act'').
(2) Discretionary.--
(A) Exemptions and guidance.--
(i) In general.--The Chief Information
Officer of an agency, in consultation with the
Federal Privacy Council, or any successor
thereto, may exempt from the requirements of
section 4 any source code for which a limited
exemption described in subparagraph (B)
applies.
(ii) Guidance required.--The Federal
Privacy Council shall provide guidance to the
Chief Information Officer of each agency
relating to the limited exemption described in
subparagraph (B)(ii) to ensure consistent
application of this paragraph across agencies.
(B) Limited exemptions.--The limited exemptions
described in this subparagraph are the following:
(i) The sharing or discovery of the source
code is restricted by Federal law or
regulation, including the Export Administration
Regulations, the International Traffic in Arms
Regulations, regulations of the Transportation
Security Administration relating to the
protection of Sensitive Security Information,
and the Federal laws and regulations governing
classified information.
(ii) The sharing or discovery of the source
code would create an identifiable risk to
individual privacy.
(3) Reports required.--
(A) In general.--Not later than December 31 of each
year, the Chief Information Officer of an agency shall
submit to the Administrator of the Office of Electronic
Government a report of the source code of the agency to
which an exemption under paragraph (1) or (2) applied
during the fiscal year ending on September 30 of that
year with a brief narrative justification of each
exemption.
(B) Form.--The report under subparagraph (A) shall
be submitted in unclassified form, with a classified
annex as appropriate.
(C) Annual report.--Not later than 1 year after the
date of enactment of this Act, and annually thereafter,
the Administrator of the Office of Electronic
Government shall submit to the appropriate
congressional committees a report on the status of the
implementation of this Act by each agency, including--
(i) a compilation of all information,
including a narrative justification, relating
to each exemption granted under paragraph (1)
or (2);
(ii) a table showing whether each agency
has updated the acquisition and other policies
of the agency to be compliant with this Act;
(iii) an evaluation of the compliance of
the agency with the framework described in
section 4(d)(2)(A); and
(iv) a classified annex as appropriate.
SEC. 6. GUIDANCE.
The Director of the Office of Management and Budget shall issue
guidance, consistent with the purpose of this Act, that establishes
best practices and uniform procedures across agencies under section
4(d).
SEC. 7. GAO REPORT ON INFORMATION TECHNOLOGY PRACTICES.
(a) Initial Report.--Not later than 1 year after the date of
enactment of this Act, the Comptroller General of the United States
shall submit to the appropriate congressional committees a report that
includes an assessment of--
(1) duplicative software procurement across and within
agencies, including estimates of the frequency, severity, and
dollar value of the duplicative software procurement;
(2) barriers to agency use of cloud-based platforms for
software development and version control and how to address
those barriers;
(3) how source code sharing and open-source software
collaboration can improve cybersecurity at agencies; and
(4) other relevant matters, as determined by the
Comptroller General of the United States.
(b) Supplemental Report.--Not later than 2 years after the date of
enactment of this Act, the Comptroller General of the United States
shall submit to the appropriate congressional committees a report that
includes an assessment of--
(1) the implementation of this Act; and
(2) other relevant matters, as determined by the
Comptroller General of the United States.
SEC. 8. RULE OF CONSTRUCTION.
Nothing in this Act shall be construed to require the disclosure of
information or records that are exempt from public disclosure under
section 552 of title 5, United States Code (commonly known as the
``Freedom of Information Act'').
SEC. 9. NO ADDITIONAL FUNDING.
No additional funds are authorized to be appropriated to carry out
this Act.
SEC. 10. GAO REPORT ON EFFECTIVENESS.
Not later than 540 days after the date of enactment of this Act,
the Comptroller General of the United States shall submit to Congress a
report on the effectiveness of this Act.