Open source is so much more than free code

Shutterstock Image

In 2011, the Department of Veterans Affairs officially moved its most critical software, the VistA electronic health record system, into open source by establishing the Open Source Electronic Health Record Alliance (OSEHRA). Along the way, VA officials solicited and followed advice from numerous open source experts, including Red Hat, Carnegie Mellon University and the Industry Advisory Council.

OSEHRA now has five years of experience dealing with the unique challenges of federal laws and open source approaches, which means it can serve as a powerful resource for other federal agencies looking to establish successful open source policies and implementation. OSEHRA's expertise is especially timely because Executive Memorandum M-16-21 has established a new federal policy to encourage agencies' embrace of open source.

The key lesson from OSEHRA is that open source software is much more complex than "make it free." Successful open source is about the growth and evolution of a software asset, and it requires establishment of a comprehensive and integrated ecosystem around that asset. Successful open source efforts must emphasize software management, community collaboration and transparent governance.

Without a license, software is not open source. This is a source of widespread misunderstanding among those who mistakenly equate a software license with a royalty. Even for free software, the license defines the terms under which the code can be distributed and reused. It protects the rights of the user as much as it does the rights of the provider. Loading software into a repository -- whether that's OSEHRA or GitHub -- without establishing a license does not make it open source.

Licensing is especially critical to federal open source efforts because code developed under contract to the federal government frequently doesn't belong only to the government. Unless code is developed by an employee of the federal government, there is always a copyright. Conveyance (or non-conveyance) of rights to the software is determined by the development contract. Thus, if the code is to be licensed as open source, it is important to determine who would assert copyright in the licensing process and ensure that a clear license is provided.

Over the years, more than 30 types of open source licenses have been developed to support various business models. Those licenses are not universally compatible, and developing code with mixed licenses can unintentionally create license violations. Current federal acquisition rules allow application of open source licenses for contractor-developed software. For those interested in this issue, OSEHRA has drafted a guide for dealing with open source licenses (available by request,

Not all open source code is usable. To help ensure that VistA code is usable, OSEHRA developed an Open Source Software Quality Certification standard in conjunction with VA and members of the community. OSEHRA certification is initially the attestation and ultimately the verification that an executable artifact is safe, compliant and functional.

This certification is based on four major factors: license, documentation, testing and adherence to community standards and conventions.

OSEHRA certification has become very valuable to VA. Non-VA open source products that are available to fill gaps in VistA functionality are put through the OSEHRA certification process, and the OSEHRA-certified products are offered to VA for further consideration and potential adoption.

Most important, successful open source software is dependent on the establishment of a community that provides input and support to the software. Today's OSEHRA community is a robust group of large and small businesses, nonprofit organizations, academic institutions, government representatives, developers and clinicians from around the world.

Because of that community, VA is far from the only contributor of improvements to the codebase. OSEHRA members frequently collaborate on joint projects and respond to challenges faced by VA. When they identified the need for an immunization management information system, VA officials approached OSEHRA's open source community rather than use traditional software acquisition methods. Community leaders organized an OSEHRA workgroup composed of open source product developers, immunization experts and VistA experts.

That collaboration occurred without any money changing hands and resulted in the identification of an open source product that met VA's requirements. The finished code was adopted by VA, and the software developer successfully competed for a support and installation service contract.

The OSEHRA-facilitated collaborative process saved VA at least 18 months and at least $2 million. In the end, VA obtained an open source product that fits its needs, and the developers created a better commercial product for other customers.

These and other lessons learned at OSEHRA in the past five years can help agencies plan a smooth evolution as they comply with the new federal open source policy. OSEHRA can provide guidance to agencies moving toward open source, it can be a model for other agencies to reference for their own open source efforts, and its existing, proven infrastructure can be adopted by federal agencies to establish their own open source software capabilities.

The CSS Cleaner is a brilliant free online tool to take care of your dirty markup.

About the Author

Roger Baker has served as CIO for the departments of Veterans Affairs (2009-13) and Commerce (1998-2001).


  • FCW Perspectives
    human machine interface

    Your agency isn’t ready for AI

    To truly take advantage, government must retool both its data and its infrastructure.

  • Cybersecurity
    secure network (bluebay/

    Federal CISO floats potential for new supply chain regs

    The federal government's top IT security chief and canvassed industry for feedback on how to shape new rules of the road for federal acquisition and procurement.

  • People
    DHS Secretary Kirstjen Nielsen, shown here at her Nov. 8, 2017, confirmation hearing. DHS Photo by Jetta Disco

    DHS chief Nielsen resigns

    Kirstjen Nielsen, the first Homeland Security secretary with a background in cybersecurity, is being replaced on an acting basis by the Customs and Border Protection chief. Her last day is April 10.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.