Centers for Medicare & Medicaid Services

How one federal agency worked to release open source software responsibly

Needs

The Centers for Medicare and Medicaid Services (CMS), a federal agency within the U.S. Department of Health and Human Services (HHS) that runs healthcare programs for over 150 million Americans, wanted to help civil servants share internal software tools with the public. This process is called “open-sourcing”: the code for software is made available for anyone to use and modify, and to share their changes and enhancements with others. Executive orders, legislation like the 21st Century IDEA Act, and recent memos from the Office of the National Cyber Director have provided policy backing and urgency around the need for open-source security and software supply chain practices.

However, open-sourcing software is a complex process that requires legal documentation, security reviews, and guidelines for external developers to contribute. Many government agencies lack expertise in this area.

CMS sought to tackle this challenge by establishing an Open Source Program Office (OSPO) to create an intentional open-source strategy, manage inbound and outbound code, and engage with open-source communities around their ecosystem. As the first office of this kind in the federal government, they aimed to pilot approaches that could be replicated more broadly.

Remy Decausemaker, Open Source Lead at CMS, and his team transitioned some internal CMS software assets into publicly shared open-source tools to increase access, enable contributions from external developers, and ultimately improve CMS’s software tools.

The Challenge

CMS sought to make it easier for government agencies to release open-source software projects that follow best practices.

Facing these challenges, Remy connected with U.S. Digital Response (USDR). USDR provided a team of private sector volunteers with diverse and niche skills in open-source, including technical engineers, project leaders, and community builders. 

The team initially worked on helping HHS open-source a specific tool called Simpler Grants. Through this project, they learned that providing detailed instructions wasn't enough, as government agencies often lack the technical infrastructure and community involvement necessary to effectively open-source projects.

Creating a one-off handbook for HHS wouldn't address these underlying challenges. Instead, the team decided to develop generalized best practices, reusable tools, and frameworks that any government agency could use. This approach aimed to make open-sourcing easier, facilitate external contributions, and ultimately improve agency software. By creating scalable solutions, the team's work could have a broader impact beyond a single project.

Specifically, USDR volunteers aimed to address the following issues with open-sourcing:

  • No standardized templates or frameworks for releasing open-source code: Though CMS had an open-source policy, there was no one-stop shop for established procedures, guidelines, or infrastructure to operationalize releasing code projects externally.
  • Difficulty collaborating with external contributors: Without guidelines and documentation for collaboration and contribution, it can be challenging for projects to facilitate external contributions and community involvement.
  • No scalable way to manage many repositories: As agencies create more open-source code communities, managing changes and updates to documentation across many repositories becomes more challenging.

Our approach

The CMS OSPO and USDR created repository templates and automated tools to make open sourcing easier for government programs aspiring to implement industry best practices. The tools include:

  • Open Source Repository Maturity Model: A framework that determines what and how much documentation is needed based on the project’s size, community involvement, and goals. 
  • Repo Templates: Pre-made documentation templates that agencies can customize for their projects (for example, the Tier 4 Templates).
  • CookieCutter command-line tool: An automated tool that guides users through a series of questions and recommends the appropriate templates they should use based on their tier in the Open Source Repo Maturity Model. 
  • Management Scripts: Automated code tools that can quickly update documentation files across multiple projects in bulk. 

Remy shared how critical USDR’s volunteer talent was to this effort: “Having USDR at the table with us while doing this work was extremely helpful to get more perspectives, more skill sets, and more people involved.”

Using this toolkit, other agencies can use these baseline tools and guidance to open-source their internal software much faster and follow open standards. The automated questionnaires and fillable templates prepare public code launches across products and align with industry best practices. Moreover, the templates are modular and customizable, allowing communities to determine their norms at higher maturity tiers based on their goals and where they are in their open source journey. For the code contributors themselves, consistent tooling and documentation across repositories make it easier for them to engage in open-source projects.

The tools are already catching on: at least four CMS open-source repositories have been released using this infrastructure. Other federal agencies, such as the Department of Education and the Department of Labor, have shown interest and aim to model the same approach internally.

The flexible models created also earned credibility in the open-source community with positive feedback from industry experts. Natalia Luzuriaga and Isaac Milarsky, Software Engineering Fellows from the United States Digital Corps on Remy’s team, presented the project at GitHub Universe and will present their work on Repository Cohorts and Repository Baselines at major industry conferences such as OSPOCon at Open Source Summit North America 2024 in Seattle, WA and PyCon 2024 in Pittsburgh, PA.

USDR and the CMS OSPO have dramatically simplified the process for releasing open, secure, high-quality government code repositories. They are saving agencies massive manual effort while opening the door to public contribution. It's a blueprint for responsibly accelerating public collaboration. “The repo-scaffolder project is the foundation for the next phase of development of our open-source program office,” Remy said.


Meet the team

Steve Van Tuyl
Steve is a program manager with a background in research data management, open-source software communities, and digital repositories in academic libraries.
Kristine Nga
Kristine is a product manager with a background in data analytics, business development, and stakeholder management.
April Selby
April is a software engineer with continuous integration and continuous delivery/deployment and Developer Experience expertise.
Rohaina Hassan
Rohaina is a producer with a background in digital communities, partnership management, and emerging creative mediums.