
EPAAR

Part Number: 1552

Environmental Protection Agency Acquisition Regulation

§ 1552.239-71 Open Source Software.

As prescribed in § 1539.2071, insert the following clause:

Open Source Software (AUG 2020)

(a) Definitions.

“Custom-Developed Code” means code that is first produced in the performance of a federal contract or is otherwise fully funded by the federal government. It includes code, or segregable portions of code, for which the government could obtain unlimited rights under Federal Acquisition Regulation (FAR) Part 27 and relevant agency FAR Supplements. Custom-developed code also includes code developed by agency employees as part of their official duties. Custom-developed code may include, but is not limited to, code written for software projects, modules, plugins, scripts, middleware and Application Programming Interfaces (API); it does not, however, include code that is truly exploratory or disposable in nature, such as that written by a developer experimenting with a new language or library.

“Open Source Software (OSS)” means software that can be accessed, used, modified and shared by anyone. OSS is often distributed under licenses that comply with the definition of “Open Source” provided by the Open Source Initiative at https://opensource.org/osd or equivalent, and/or that meet the definition of “Free Software” provided by the Free Software Foundation at: https://www.gnu.org/philosophy/free-sw.html or equivalent.

“Software” means: (i) Computer programs that comprise a series of instructions, rules, routines or statements, regardless of the media in which recorded, that allow or cause a computer to perform a specific operation or series of operations; and (ii) recorded information comprising source code listings, design details, algorithms, processes, flow charts, formulas and related material that would enable the computer program to be produced, created or compiled. Software does not include computer databases or computer software documentation.

“Source Code” means computer commands written in a computer programming language that is meant to be read by people. Generally, source code is a higher-level representation of computer commands written by people, but must be assembled, interpreted or compiled before a computer can execute the code as a program.

(b)

(1) Policy. It is the EPA policy that new custom-developed code be made broadly available for reuse across the federal government, subject to the exceptions provided in (b)(3). The policy does not apply retroactively so it does not require existing custom-developed code also be made available for Government-wide reuse or as OSS. However, making such code available for government-wide reuse or as OSS, to the extent practicable, is strongly encouraged. The EPA also supports the Office of Management and Budget's (OMB) Federal Source Code Policy provided in OMB Memorandum M-16-21, Federal Source Code Policy: Achieving Efficiency, Transparency, and Innovation through Reusable and Open Source Software, by:

(i) Providing an enterprise code inventory (e.g., code.json file) that lists new and applicable custom-developed code for, or by, the EPA;

(ii) Indicating whether the code is available for Federal reuse; or

(iii) Indicating if the code is available publicly as OSS.

(2) Exemption: Source code developed for National Security Systems (NSS), as defined in 40 U.S.C. 11103, is exempt from the requirements herein.

(3) Exceptions: Exceptions may be applied in specific instances to exempt EPA from sharing custom-developed code with other government agencies. Any exceptions used must be approved and documented by the Chief Information Officer (CIO) or his or her designee for the purposes of ensuring effective oversight and management of IT resources. For excepted software, EPA must provide OMB a brief narrative justification for each exception, with redactions as appropriate. Applicable exceptions are as follows:

(i) The sharing of the source code is restricted by law or regulation, including - but not limited to - patent or intellectual property law, the Export Asset Regulations, the International Traffic in Arms Regulation and the federal laws and regulations governing classified information.

(ii) The sharing of the source code would create an identifiable risk to the detriment of national security, confidentiality of government information or individual privacy.

(iii) The sharing of the source code would create an identifiable risk to the stability, security or integrity of EPA's systems or personnel.

(iv) The sharing of the source code would create an identifiable risk to EPA mission, programs or operations.

(v) The CIO believes it is in the national interest to exempt sharing the source code.

(c) The Contractor shall deliver to the Contracting Officer (CO) or Contracting Officer's Representative (COR) the underlying source code, license file, related files, build instructions, software user's guides, automated test suites, and other associated documentation as applicable.

(d) In accordance with OMB Memorandum M-16-21 the Government asserts its unlimited rights - including rights to reproduction, reuse, modification and distribution of the custom source code, associated documentation, and related files - for reuse across the federal government and as open source software for the public. These unlimited rights described above attach to all code furnished in the performance of the contract, unless the parties expressly agree otherwise in the contract.

(e) The Contractor is prohibited from reselling code developed under this contract without express written consent of the EPA Contracting Officer. The Contractor must provide at least 30 days advance notice if it intends to resell code developed under this contract.

(f) Technical guidance for EPA's OSS Policy should conform with the “EPA's Open Source Code Guidance” that will be maintained by the Office of Mission Support (OMS) at https://developer.epa.gov/guide/open-source-code/ or equivalent.

(g) The Contractor shall identify all deliverables and asserted restrictions as follows:

(1) The Contractor shall use open source license either:

(i) Identified in the contract, or

(ii) developed using one of the following licenses: (a) Creative Commons Zero (CC0); (b) MIT license; (c) GNU General Public License version 3 (GPL v3); (4) Lesser General Public License 2.1 (LGPL-2.1); (5) Apache 2.0 license; or (6) other open source license subject to Agency approval.

(2) The Contractor shall provide a copy of the proposed commercial license agreement to the Contracting Officer prior to contracting for commercial data/software.

(3) The Contractor shall identify any data that will be delivered with restrictions.

(4) The Contractor shall deliver the data package as specified by the EPA.

(5) The Contractor shall deliver the source code to the EPA-specified version control repository and source code management system.

(h) The Contractor shall comply with software and data rights requirements and provide all licenses for software dependencies as follows:

(1) The Contractor shall ensure all deliverables are appropriately marked with the applicable restrictive legends.

(2) The EPA is deemed to have received unlimited rights when data or software is delivered by the Contractor with restrictive markings omitted.

(3) If the delivery is made with restrictive markings that are not authorized by the contract, then the marking is characterized as “nonconforming.” In accordance with Federal Acquisition Regulation (FAR) 46.407, Nonconforming supplies or services, the Contractor will be given the chance to correct or replace the nonconforming supplies within the required delivery schedule. If the Contractor is unable to deliver conforming supplies, then the EPA is deemed to have received unlimited rights to the nonconforming supplies.

(i) The Contractor shall include this clause in all subcontracts that include custom-developed code requirements.

(End of clause)