Open source is so much more than free code

Shutterstock Image

In 2011, the Department of Veterans Affairs officially moved its most critical software, the VistA electronic health record system, into open source by establishing the Open Source Electronic Health Record Alliance (OSEHRA). Along the way, VA officials solicited and followed advice from numerous open source experts, including Red Hat, Carnegie Mellon University and the Industry Advisory Council.

OSEHRA now has five years of experience dealing with the unique challenges of federal laws and open source approaches, which means it can serve as a powerful resource for other federal agencies looking to establish successful open source policies and implementation. OSEHRA's expertise is especially timely because Executive Memorandum M-16-21 has established a new federal policy to encourage agencies' embrace of open source.

The key lesson from OSEHRA is that open source software is much more complex than "make it free." Successful open source is about the growth and evolution of a software asset, and it requires establishment of a comprehensive and integrated ecosystem around that asset. Successful open source efforts must emphasize software management, community collaboration and transparent governance.

Without a license, software is not open source. This is a source of widespread misunderstanding among those who mistakenly equate a software license with a royalty. Even for free software, the license defines the terms under which the code can be distributed and reused. It protects the rights of the user as much as it does the rights of the provider. Loading software into a repository -- whether that's OSEHRA or GitHub -- without establishing a license does not make it open source.

Licensing is especially critical to federal open source efforts because code developed under contract to the federal government frequently doesn't belong only to the government. Unless code is developed by an employee of the federal government, there is always a copyright. Conveyance (or non-conveyance) of rights to the software is determined by the development contract. Thus, if the code is to be licensed as open source, it is important to determine who would assert copyright in the licensing process and ensure that a clear license is provided.

Over the years, more than 30 types of open source licenses have been developed to support various business models. Those licenses are not universally compatible, and developing code with mixed licenses can unintentionally create license violations. Current federal acquisition rules allow application of open source licenses for contractor-developed software. For those interested in this issue, OSEHRA has drafted a guide for dealing with open source licenses (available by request,

Not all open source code is usable. To help ensure that VistA code is usable, OSEHRA developed an Open Source Software Quality Certification standard in conjunction with VA and members of the community. OSEHRA certification is initially the attestation and ultimately the verification that an executable artifact is safe, compliant and functional.

This certification is based on four major factors: license, documentation, testing and adherence to community standards and conventions.

OSEHRA certification has become very valuable to VA. Non-VA open source products that are available to fill gaps in VistA functionality are put through the OSEHRA certification process, and the OSEHRA-certified products are offered to VA for further consideration and potential adoption.

Most important, successful open source software is dependent on the establishment of a community that provides input and support to the software. Today's OSEHRA community is a robust group of large and small businesses, nonprofit organizations, academic institutions, government representatives, developers and clinicians from around the world.

Because of that community, VA is far from the only contributor of improvements to the codebase. OSEHRA members frequently collaborate on joint projects and respond to challenges faced by VA. When they identified the need for an immunization management information system, VA officials approached OSEHRA's open source community rather than use traditional software acquisition methods. Community leaders organized an OSEHRA workgroup composed of open source product developers, immunization experts and VistA experts.

That collaboration occurred without any money changing hands and resulted in the identification of an open source product that met VA's requirements. The finished code was adopted by VA, and the software developer successfully competed for a support and installation service contract.

The OSEHRA-facilitated collaborative process saved VA at least 18 months and at least $2 million. In the end, VA obtained an open source product that fits its needs, and the developers created a better commercial product for other customers.

These and other lessons learned at OSEHRA in the past five years can help agencies plan a smooth evolution as they comply with the new federal open source policy. OSEHRA can provide guidance to agencies moving toward open source, it can be a model for other agencies to reference for their own open source efforts, and its existing, proven infrastructure can be adopted by federal agencies to establish their own open source software capabilities.

The CSS Cleaner is a brilliant free online tool to take care of your dirty markup.

About the Author

Roger Baker has served as CIO for the departments of Veterans Affairs (2009-13) and Commerce (1998-2001).


  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

  • Cloud
    cloud migration

    DHS cloud push comes with complications

    A pressing data center closure schedule and an ensuing scramble to move applications means that some Homeland Security components might need more than one hop to get to the cloud.

  • Comment
    Blue Signage and logo of the U.S. Department of Veterans Affairs

    Doing digital differently at VA

    The Department of Veterans Affairs CIO explains why digital transformation is not optional.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.