
Trusted Code Initiative (update 2017)

Trusted Code Initiative

A Strategic Plan to Increase

Operational Efficiency and Aggregate Value

of Government Open Source Software Resources

A concept paper prepared by the Open Technology Center

April 2017


Abstract

The Trusted Code Initiative: A Strategic Plan to Increase Operational Efficiency and Aggregate Value of Government Open Source Software Resources

Open source software is a disruptive technology that offers technical, administrative and economic benefits to public and private sector IT environments. These include: cost effectiveness; unrestricted access to source code; flexibility to manage and modify the code base without penalty or fee; and the right to unlimited distribution. While these benefits are realized in both IT environments, the intrinsic value, operational priority, and significance of results are markedly different in each sector.

The Trusted Code Initiative seeks to enable Federal Government stakeholders to clearly define, administer and measure actual technical, administrative and economic benefits through the use of open source software technologies. To achieve this goal, the Trusted Code Initiative presents a vision and detailed plan to establish an independent, self-sustaining, nonprofit foundation to administer program operations and serve as facilitator and liaison between participating program stakeholders and the vast network of public and private sector communities of interest and subject matter experts whose participation and mutual benefit is critical to the collective success.

The Trusted Code Initiative is a strategy derived from nearly 20 years' experience as a leader in efforts to facilitate the adoption of open source software within Federal IT systems. The strength of this approach does not rest on expectations of dramatic change in government policy or processes, nor on the development of a breakout technology, even though the process creates a fertile environment for both to take place. The success of this plan rests on the ability of key government stakeholders and program staff to collaboratively identify, support and efficiently execute the recurring process of securing government compliance requirements for a targeted set of open source software resources that provide acceptable, mutual benefit to the sponsors as well as to those who use and support the Federal Government Enterprise.

Copyright 2013, Updated 2017 Open Technology Center


Executive Summary

Vision

Increase Value, Efficiency and Accessibility of Government OSS 

The vision of the Trusted Code Initiative is to increase the collective quality, security, access and subsequent value of open source software resources used within US government and public-sector systems.

Objective

Define an Acceptable Balance of Agility and Assurance

The objective is to define an acceptable, measurable balance between the agility and flexibility made available through the open source approach and the acquisition, certification and validation, and operational regulations and policies that govern the use of software technologies within Federal Enterprise Systems.


Approach

Collaboration, Compliance, Continuity

The approach is to organize and facilitate administrative processes that enable open source software resources to more efficiently address and comply with Federal acquisition, information assurance and distribution requirements, policies and practices.

The Initiative defines “Trusted” as any software component, development method or practice that is accredited by a government-sanctioned validation process; deployed and affirmed within a government technology system; or designated as “Trusted” by a Government-sanctioned entity.

Results

Trusted Code, Trusted Support, Trusted Community

The goal of the Trusted Code Initiative is to increase the collective quality, security, access and subsequent value of software resources and practices used within US Government and public-sector systems.


Success

The ultimate goal is for the concept of Trusted Code to become a productive, contributing factor in the collective effort to raise the quality of software used within Federal Government systems.

Metrics for success include:

(a) Establish an independent, vendor and agency-agnostic non-profit 501 (c) (3) Trusted Code Foundation to oversee governance and management of the Trusted Code Initiative program;

(b) Establish Trusted standards for software development, analysis and maintenance practices;

(c) Create a Trusted Code Analysis and Scoring process to accurately measure the administrative, vulnerability and policy compliance status of Trusted Code assets;

(d) Coordinate the selection, management and joint funding of government-sanctioned information and software assurance accreditation programs for commodity Trusted software applications;

(e) Develop and distribute technical, training and support documentation materials for Trusted Code assets to enhance workforce quality; and

(f) Establish a “secured” hosting and distribution network to ensure the integrity of Trusted Code resources.


Challenge

Reliance on Technology

Information technology (IT) has contributed to our society's high standard of living. However, our reliance on these systems has come with a substantial price tag.

The United States Federal Government is the single largest consumer of information technology in the world. In 2013, the Federal IT budget was approximately $80 billion. Government projections estimate that spending will increase to $100 billion within a few years.

These figures do not include the additional billions of dollars that state and local governments spend annually on computer hardware, software, services, license fees and the manpower to keep it all going.

In 2010, the White House and Office of Management and Budget (OMB) issued its 25 Point Implementation Plan to Reform Federal Information Technology Management, which stated: “Information technology should enable government to better serve the American people. But despite spending more than $600 billion on information technology over the past decade, the Federal Government has achieved little of the productivity improvements that private industry has realized from IT.”

In short: how can government technology systems achieve the technical and economic efficiencies that are being realized in comparable commercial technology systems?

To address this challenge, it is critical to clearly identify the similarities and differences in public and private-sector technology system requirements, functionalities, expectations and cultural practices. Government and commercial systems may use similar technologies, but their expectations and cultural practices are vastly different.


Perspective

Commercial Perspective

Commercial investment in technology is tied to a company's ability to realize profit from providing products and/or services. This correlation between investment and benefit provides companies with an economic metric to more directly measure a financial return on investment (ROI) for technology systems. 


In addition, commercial adopters traditionally do not have the level of internal regulation including procurement, security and other policy compliance requirements that are common within public sector technology systems. As independent entities, commercial users are free to quickly adopt or terminate technologies that positively or negatively impact their bottom line. This independent accountability grants commercial interests the option to seek any level of technological innovation that may, or may not, improve performance.

While the results impact the company's ability to deliver its product or service, the ultimate accountability is to the entity's financial bottom line.

Government Perspective

The expectations for public-sector investments in technologies are measured in a different context.

Federal, state and local government agencies are all funded with public dollars and their primary function generally involves the collection, processing and disseminating of sensitive (personal, government or classified) information which must be handled as consistently and securely as possible. 


In addition, Government systems manage large amounts of information over long periods of time. This traditionally leads to reliance on legacy systems, resulting in long-term commitments to specific architectures, protocols and practices, and dependence on a limited number of vendor-specific communities as suppliers and support providers. To structure the consistent evaluation, procurement and management of these systems, the Government maintains stringent acquisition, management and security policies and regulations.

While this approach has evolved to favor continuity and protection of the system from disruption, in many instances it results in inefficiencies from dated design and practices as well as inflated costs from lack of competition among vendors and technology solutions. 

In short, Government technology systems are measured more on maintaining stability in relation to the larger enterprise than on achieving technical efficiencies and economic cost savings for the agencies they serve.

To achieve technical efficiency and cost savings without sacrificing that stability, government systems need to streamline procurement and accreditation practices; reduce system duplication and encourage reuse and sharing of resources; temper reliance on proprietary, vendor-specific solutions; and encourage competition among suppliers by providing fair access to commodity resources.

Lost Opportunity

Many of the current technical and economic efficiencies realized by commercial entities come from the use of open source software technologies and practices.

While open source software is widely used within Federal Government systems, there are still many barriers that prevent or deter larger-scale adoption. Barriers that discourage the consideration or use of viable open source solutions represent lost opportunities that cost the government considerable, yet unquantified, amounts of money, time and efficiency.

It is very difficult to quantify the technical and economic value of these “lost opportunities.” However, it is a primary objective of the Trusted Code Initiative to identify these gaps; define metrics to measure the benefits and return on investment for open source solutions used within government systems; and institute methods and practices that help recoup these losses by facilitating the use of open source software by government adopters and commercial suppliers.


Solution

The Trusted Code Initiative is a collaborative vision shared by public and private-sector stakeholders that seeks to leverage the technical, administrative and economic benefits and best practices of open source software technologies to enhance the aggregate quality, security and access of all software resources available for use within Government enterprise systems.


The Trusted Code Initiative defines “Trusted Code” as open source software components, applications, development methods and practices that address the unique procurement, administrative and security requirements associated with Federal Government enterprise systems.

To qualify, a Trusted Code resource must meet at least one of the following criteria:

  1. appropriately validated or affirmed by a government-sanctioned accreditation process;
  2. deployed, or available for deployment, within a government technology system and affirmed by a government user or their designated representative; or,
  3. designated as “Trusted” by a government-sanctioned entity.

To accomplish this goal, the Trusted Code Initiative will define the standard for “Trusted Code” software components and practices based on existing government policy requirements; create a process for designating Trusted resources and practices; and facilitate the creation of a sustainable market environment that promotes adoption of the Trusted standard by government technology consumers and commercial vendors and service providers.


Benefits of Trusted Code

Benefits from the Trusted Code Initiative will accrue directly to all stakeholders involved in the Government's technology marketplace. The Initiative seeks to identify and replicate the value proposition of open source software components and methodologies that has been widely demonstrated in the commercial sector, but barely realized within Federal, state and local government enterprise systems.

Benefits of the Trusted Code Initiative include:

Public Sector / Government

◦ Increased efficiency through access to mature, tested, validated and less expensive technology resources;

◦ Decreased cost through the lower lifecycle management expense associated with open source software;

◦ Enhanced quality of technology products and services through increased competition among vendors and suppliers.

Private Sector / Industry

◦ Increased access to business opportunities in government technology marketplace;

◦ Increased competitive offerings by utilizing inexpensive technology resources identified and tested within government-sanctioned environments;

◦ Insight into product and implementation strategies through access to collaborative public/private-sector development networks.

Researchers

◦ Access to quality IT resources;

◦ Unique research opportunities.

Community

◦ Maturing of code bases, adoption and business models for open source software resources;

◦ Opportunity to increase level of adoption of open source software within public-sector environments.


Open Source in Government

Defining Trusted Code

Software and hardware together make up technology systems. Software code is a set of digital instructions that pass along information to other parts of the system. It tells a computer what to do. As an individual component, software can be visualized as a gear or widget. These components, like digital gears, are impartial to the organizational structure of their user. Software doesn't know whether it is licensed as proprietary or open source.

On a base level, code is simply code.

Open source software is software whose license agreement grants the user certain rights and privileges as defined by the Open Source Initiative (OSI), an independent, non-profit standards organization. Traditionally an OSI-approved open source license grants the user permission to obtain and study the human-readable source code; to make changes to the code as the user deems necessary; to distribute the code and any modifications without seeking permission of the copyright holder; and to do this without having to pay initial or recurring license fees.

It is important to note that open source software is not “freeware,” “shareware,” or software within the “public domain.”

Open source software is widely used in commercial and government environments, and its licenses have withstood challenges in court. In addition, the use of open source software has been recognized and approved for use in civilian government and Defense systems through the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS).

Open Source vs Proprietary

Not a Zero-Sum Game

The Trusted Code Initiative takes the position that there is value in all software licensing models, development techniques and business strategies, including proprietary and open source. In addition, the Initiative does not view the choice between open source and proprietary solutions as a zero-sum game, but seeks to apply the most effective, efficient technology solution to the challenge at hand. Adoption trends have demonstrated that most dynamic technology solutions are mixed-source, combining the benefits of both development models to provide the strongest, most viable and resilient solution possible.

Roadblocks and Opportunities

In 2011, the U.S. Department of Homeland Security, Science and Technology Directorate commissioned a research paper to identify the existing challenges and opportunities for Federal Government adoption of open source software.

The report, titled Lessons Learned: Roadblocks and Opportunities for Open Source Software (OSS) in the U.S. Government, by Dr. David A. Wheeler of the Institute for Defense Analyses (IDA) and Tom Dunn of the Georgia Tech Research Institute (GTRI), was prepared as part of the DHS Homeland Open Security Technology (HOST) program.

Information for the report was collected through one-on-one interviews with stakeholders representing government employees, contractors and commercial suppliers who were engaged in various levels of the Federal Government technology process.

Roadblocks in Government Adoption

The report acknowledged the current and increasing use of open source software throughout government systems. However, it revealed that many sources of hesitation concern procedural and policy compliance issues, including procurement, security accreditation and Section 508 accessibility compliance, as well as reliable access to and availability of trusted technical resources and supplier support.

In addition to the issues identified in the DHS study, limited resources and resistance to change are often factors that contribute to resistance to the adoption of any new technology or system change.

Benefits of Open Source Software

There are many measurable, as well as anecdotal, benefits that can be derived from the use of open source software.

Common examples of benefits noted in public and private-sector adoption efforts include:

  • Cost - lower initial and lifecycle management cost, provided through the absence of license fees and broad access to commodity-based technical and human resources;
  • Security - increased security through the transparency of the development and maintenance process: the software license grants each user the right to access, review, modify and redistribute the program and its source code;
  • Stability - increased reliability, stability and flexibility from the granted access and the ability to modify the code to fix flaws and to customize it for specific user needs;
  • Freedom - broader access to a development, service and supplier base.

Benefits to Military Systems

As defined by the U.S. Department of Defense

In 2009, the U.S. Department of Defense Office of the Chief Information Officer issued a guidance memo entitled Clarifying Guidance Regarding Open Source Software (OSS), which clearly identified many of the benefits made available through the use of open source software.

The DoD memo defined open source software as: software for which the human-readable source code is available for use, study, reuse, modification, enhancement, and redistribution by the users of that software.

The DoD memo also described positive aspects of OSS “that should be considered when conducting market research on software for DoD use,” such as:

  • The continuous and broad peer-review enabled by publicly available source code supports software reliability and security efforts through the identification and elimination of defects that might otherwise go unrecognized by a more limited core development team.
  • The unrestricted ability to modify software source code enables the Department to respond more rapidly to changing situations, missions, and future threats.
  • Reliance on a particular software developer or vendor due to proprietary restrictions may be reduced by the use of OSS, which can be operated and maintained by multiple vendors, thus reducing barriers to entry and exit.
  • Open source licenses do not restrict who can use the software or the fields of endeavor in which the software can be used. Therefore, OSS provides a net-centric licensing model that enables rapid provisioning of both known and unanticipated users.
  • Since OSS typically does not have a per-seat licensing cost, it can provide a cost advantage in situations where many copies of the software may be required, and can mitigate risk of cost growth due to licensing in situations where the total number of users may not be known in advance.
  • By sharing the responsibility for maintenance of OSS with other users, the Department can benefit by reducing the total cost of ownership for software, particularly compared with software for which the Department has sole responsibility for maintenance (e.g., Government Off-the-Shelf (GOTS)).
  • OSS is particularly suitable for rapid prototyping and experimentation, where the ability to “test drive” the software with minimal costs and administrative delays can be important.

Trusted Code Approach

How can government technology systems achieve the technical and economic efficiencies realized by comparable commercial technology systems?

Information technology (IT) is essential to the continued operation of our government, economy and private-sector society. Financial markets, health care, education, energy, communication, transportation, national defense and security networks are all reliant on digital technology systems.

However, the cost of sustaining these systems is daunting. As the Federal Government adjusts to mandatory budget cuts, agencies must find ways to substantially reduce costs and increase efficiencies without compromising the security of information or the operational objectives of the agencies themselves.

This challenge and objective is not new.  In 2010, the White House and Office of Management and Budget (OMB) issued its 25 Point Implementation Plan to Reform Federal Information Technology Management, which stated:

“Information technology should enable government to better serve the American people.  But despite spending more than $600 billion on information technology over the past decade, the Federal Government has achieved little of the productivity improvements that private industry has realized from IT.”

Many of the current technical and economic efficiencies realized by commercial entities come from the use of open source software technologies and practices. While open source software is widely used within Federal Government systems, there are still many barriers that prevent or deter larger-scale adoption.

Trusted Code Initiative

The Trusted Code Initiative addresses these barriers from the perspective of both government adopters and the commercial suppliers who serve the Federal Government marketplace. The objective of the Trusted Code Initiative is to create a collaborative, self-sustaining marketplace for “Trusted” open source software technologies and practices used within government technology environments.

Vision: Leverage the technical, administrative and economic benefits of open source software for government enterprise systems

The Trusted Code Initiative is a collaborative vision shared by public and private-sector stakeholders that seeks to leverage the technical, administrative and economic benefits and best practices of open source software technologies to enhance the aggregate quality, security and access of all software resources available for use within Government enterprise systems.

Objective: Define market value and provide secure access to “Trusted Code” resources

The objective of the Trusted Code Initiative is to define a voluntary standard for “Trusted” software components and practices based on existing government policy requirements; create a process for designating Trusted resources and practices; and facilitate the creation of a sustainable market environment that promotes adoption of the Trusted standard by government technology consumers and commercial vendors and service providers.

The Initiative defines “Trusted” as any software component, development method or practice that is accredited by a government-sanctioned validation process; deployed and affirmed within a government technology system; or designated as “Trusted” by a Government-sanctioned entity.

Approach: Establish an independent, self-sustaining “Trusted Code” marketplace

The Trusted Code Foundation (TrustedCodeFoundation.org) will serve as an independent, collaborative venue for public and private-sector stakeholders who share common technical, administrative and economic interests in advancing the quality, security and access of Trusted resources used within government and public-sector systems.

The Foundation will identify common challenges and opportunities where Trusted resources will provide value to Federal, state and local government systems, as well as to the vendor and support communities that service the public-sector technology marketplace.

The intent of the Trusted Code Foundation is to become a self-sustaining entity by deriving operational revenue from services associated with Trusted Code programs, from developing unique product and service offerings, and from participating member fees and contributions from non-member public and private-sector entities.

Program Activities

The goal of the Trusted Code Initiative is to increase the collective quality, security, access and subsequent value of software resources and practices used within US Government and public-sector systems. To accomplish this goal, the Trusted Code Initiative will establish a series of complementary activities that establish a “fair market” for Trusted Code resources, code development and analysis processes, products and services.

These activities (tasks) include:

1. Trusted Code Foundation

Establish an independent, vendor and agency-agnostic non-profit 501 (c) (3) Trusted Code Foundation to oversee governance and management of the Trusted Code Initiative program;

2. Resource & Standards Council

Establish Trusted standards and practices that define and provide guidance for development, analysis and maintenance of Trusted Code resources;

3. Documentation, Training and Education

Administer the development and distribution of technical, administrative, support and training documentation materials for Trusted Code assets to encourage adoption and enhance workforce quality;

4. Support Services & Program Management

Provide access to technical and administrative support services for Trusted Code resources, provided directly to government agencies in coordination with commercial suppliers and open source community subject matter experts;

5. Collaborative Development Laboratory

Serve as a platform-agnostic collaboration laboratory in which government and commercial vendors develop or combine Trusted Code resources within a secured environment, so that the resulting product or “Trusted Stack” retains the integrity of its individual components and the Trusted Code designation.

6. Analysis & Vulnerability Monitoring

Create a Trusted Code Analysis and Scoring process to accurately measure the administrative, vulnerability and policy compliance status of Trusted Code assets;

7. Information & Software Assurance Management

Coordinate the selection, management and joint funding of government-sanctioned information and software assurance accreditation programs for commodity Trusted software applications; and

8. Secure Hosting and Distribution Network

Establish a “secured” hosting and distribution network to ensure the integrity of Trusted Code resources.


Program Activity Details

1. Trusted Code Foundation

Independent, Public/Private Consortium

Purpose: To serve as an independent, vendor-agnostic consortium of public and private-sector entities to advance quality, assurance and access to Trusted software within government and commercial technology systems.

Objectives: Provide a means for communication, interaction, strategic planning and community outreach for the Trusted Code Initiative. Transparency in communication between Initiative members and other members of the public, government, industry and development communities of interest promotes trust in the program and its objectives.

Participants: The consortium is primarily a venue for participating members of the Initiative to interact and communicate, but it also provides a single point of contact (a “belly button”) for interested parties to engage with the effort. The consortium also serves as the venue for meetings, conferences, events and forums at which organizational business is conducted.

Managed by:  Consortium activities will be operated/administered by Trusted Code Foundation staff and managed by Foundation Board and committee members selected by Foundation governance rules from participating Initiative members.

Outcome/Deliverables: Establishment of a formal, independent, non-profit 501(c)(3) corporation to serve as the administrative body for the Initiative; an administrative structure and forum from which the organization can conduct business and interact with members and non-member entities; and regular business meetings and other activities as required to conduct the business of the organization.

Funding: Primary funding of the administrative body will be derived from membership fees required for formal participation in the effort. The fee structure is to be set by the Foundation's Board of Directors and managed within budget and in accordance with 501(c) regulations. Secondary funding will come from fees garnered from Foundation services and activities and will be administered by the Board.

Time Line: Activity 1 - Trusted Code Foundation (TCF): formalize corporate structure, submit IRS 501(c)(3) documentation; confirm participating partners, determine initial funding requirements; elect Board of Directors (BOD) and other administrative boards; BOD to govern administrative aspects of TCF.  BOD to refine 1 – 3 – 5 yrs strategic plan and deliverable objectives.


2. Resource and Standards Council

Governance & Oversight

Objectives: Establish a network of actively engaged stakeholder representatives from government, industry, research and open source software communities who lead the efforts of the Trusted Code Foundation.

Participants: Council members must represent each sector of the government technology marketplace, with the primary leadership role held by representatives of the government.

Government is the ultimate consumer of Trusted Code deliverables and must assume the leadership role to identify short- and long-term strategic goals and objectives, manage issues of policy and regulation, and ensure that the Foundation's activities and agenda remain vendor and technology agnostic.

Managed by: Council activities will be self-administered, with support from Foundation staff as required.

Outcomes/Deliverables: The primary responsibility of the Council is to serve as the administrator and maintainer of the “Trusted Code” standard. The value of the Trusted Code definition will be determined by the entities who choose to participate and by their actions. This body will determine the success or failure of the Trusted Code Initiative.

Funding: Council members will serve on a volunteer basis. Administrative support from staff shall be provided through the Foundation's general fund. The Foundation's Board of Directors shall establish the structure and obligations of the Council as required for it to successfully conduct its activities.

Time Line: Activity 2 - Trusted Standards Council (TSC): establish Trusted Code Standards Council from active participating TCF members.  TSC to set definition of “Trusted Code” and identify initial target program activities. Manages task-specific committee activities.


3. Documentation, Training and Education

Consistent Support Materials

Objectives:

  • To continually research and explore technologies, techniques and practices that support the development and adoption of Trusted Code technologies within the public and private-sector marketplace.
  • To seek best practices, lessons learned, communities of interest as well as needs, challenges and obstacles that face the development, adoption and successful management of Trusted Code within public sector systems.
  • To establish a baseline of documentation requirements for Trusted Code resources, methods and practices that supports the adoption and support of Trusted Code and the training of implementers, students and members of the technology workforce.
  • To educate government, industry and open source software communities on the goals, objectives, opportunities and benefits of Trusted open source software and other Trusted Code Initiative activities.

Participants: The Foundation will manage the collection and dissemination of information through the organization's network of members, program participants, as well as through publicly-accessible resource outlets and media.  Reports, documentation, pilot programs, lessons learned and other demonstration activities will be coordinated by the Foundation but will utilize all possible resources and engage all interested parties.

Information will be made freely available through the Foundation's publicly accessible web site (TrustedCodeFoundation.org or other URL as directed by the Foundation Board).

Managed by:  Administrative and editorial control will be managed by the Trusted Code Foundation to ensure consistency and quality of materials.  Editorial content, training programs, etc. will be sublet as necessary to achieve the most efficient process.

Outcome/Deliverables: A consistent series of best practice reports, lessons learned, and testimonials from Government users and commercial implementers as well as from academic and professional R&D entities.

Consistent documentation collected from each step of the Trusted Code development, assurance, code scanning and report process.  All (publicly-available) documentation will be maintained and made available as support materials through the Trusted Code repository.

Funding: Funding for R&D research will be provided through the Foundation's general operating fund collected from membership dues, special membership activities and from fees collected as part of value-added services provided by the Foundation.

Time Line: Activity 3 - Trusted Documentation & Training committee to establish a baseline of documentation requirements for Trusted Code resources.  Training efforts rely on the documentation of specific programs and follow it in development and delivery.


4. Support Services and Program Management

Access to Support and Implementation Resources

Purpose: Provide technical and administrative support services for Trusted Code resources to government agencies in coordination with commercial suppliers and open source community subject matter experts.

Objectives: Provide access to technical support to government agencies for Trusted Code software resources to adhere to existing procurement regulations.

Participants: Technical and administrative support to be provided through the Trusted Code Foundation in coordination with commercial vendors and open source development community subject matter experts.  Support services are NOT to represent exclusive access, but to encourage participation by vendors and suppliers and encourage competition within the government vendor marketplace.

Managed by: Various levels of technical and administrative support to be provided directly through Trusted Code Foundation. Additional support to be provided through independent commercial entities.

Outcome/Deliverables: To ensure that technical support services are available for every Trusted Code software resource.

Funding: Funding for support activities will be generated through fees charged for activities conducted.

Time Line: Activity 4 - Direct or indirect support services for all Trusted Code resources will be a requirement for any software resource to be designated as “Trusted Code.”


5. Collaborative Development Laboratory

Secure, Platform-neutral Development Environment

Purpose: To serve as a platform-agnostic collaboration laboratory for government and commercial vendors to develop or combine Trusted Code resources within a secured environment so the resulting product or “Trusted Stack” retains the integrity of the individual components.

Participants: Enterprise-grade commercial providers have expressed interest in fielding this element of the Trusted Code environment.  Appropriate Government partners would be invited to participate in the development of this element of the Initiative.

Managed by:  Administrative oversight of the Laboratory would be managed by the Trusted Code Foundation Board of Directors.

Outcome/Deliverables:  A virtual vendor, technology and platform-agnostic laboratory to host development and collaborative projects utilizing the tools and resources available through the Trusted Code Initiative.

Time Line: Activity 5 - Trusted Code Collaborative Development Laboratory to serve as an interactive platform-agnostic collaboration laboratory for government and commercial vendors to develop or combine Trusted Code resources within a secured environment so the resulting product or “Trusted Stack” retains the integrity of the individual components.

Development of this task will begin upon securing adequate funding and support of the concept.

The estimated time to a project beta working environment is approximately 36 months.


6. Code Analysis and Vulnerability Monitoring

Regular Code Review, Scoring and Update

Purpose: Develop and administer methodologies and practices that scan, analyze and measure the security, vulnerability, administrative/license compliance and status of Trusted Code assets and resources, and provide customized/unique reports, updates and vulnerability scoring on the status of each element as defined within each deployed environment.

Objectives: To leverage existing scanning, analysis and vulnerability processes and products in order to provide customized results for subscribing clients and general information for public access consumption.

Participants: The primary objective of the Trusted Code Initiative is to serve the broadest needs of the Government's enterprise technology network.  This will require close participation by Government representatives to identify the specific problem sets, challenges and solution models that will address their needs.  Likewise, commercial stakeholders will serve to help formulate solutions to address these needs.  The Trusted Code Foundation will serve as the “common table” from which discussion and collaboration will occur.

Managed by:  Administration of activities will be managed by Trusted Code staff in conjunction with public and private-sector stakeholders.

Outcome/Deliverables:  Key to the Trusted Code Analysis and Monitoring solution is to clearly identify the needs of targeted Government and industry consumers.  This focus will initiate from a needs analysis and solution set with Trusted Code Foundation's Government and Commercial participating members.  As the Trusted Code solutions grow, solutions as a service will be offered to non-member entities.

The intention is to identify categories of common needs within Federal, state and local government entities and provide the updates to this primary audience through a Blanket Purchase Agreement (BPA) or similar mechanism.

Funding: Initial funding will be provided by Government and commercial stakeholders. The model must clearly identify a value and viable business model so the activities can become self-sustainable.

Time Line: TBD

Analysis & Vulnerability Scanning Model Example 1: FAIL

Software component is submitted to Trusted Code Foundation for analysis.

There is a nominal fee to off-set expense of scanning code against variety of commercial (and government) scanning engines.

Upon completion of scan, a report is generated and provided only to the Submitter.  The report identifies all vulnerabilities and provides a cumulative score for the code package.

The Submitter is encouraged to correct the flaws and resubmit the code for (one) additional scan at no charge. 

The objective is to identify vulnerabilities and provide an incentive for the Submitter to correct flaws and resubmit the code for review.  By providing the report only to the Submitter, corrections can be made to enhance the quality of the code without initial stigma. However, if the code fails to qualify after the additional scan, a report will be posted to the Trusted Code Repository so the presence of vulnerabilities will be visible to anyone using the Trusted Code system.

Analysis & Vulnerability Scanning Example 2: PASS

Software component is submitted to Trusted Code Foundation for analysis.

There is a nominal fee to off-set expense of scanning code against variety of commercial (and government) scanning engines.


Upon completion of scan, a report is generated and provided only to the Submitter.  The report identifies all vulnerabilities and provides a cumulative score for the code package.

If the code package is scored above a pre-determined level, and additional documentation and support requirements are met, then code is included in Trusted Code Repository and available for download by public and private sector adopters.

Additional requirements for code to receive the Trusted Code designation are listed in the graphic.
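The FAIL and PASS models above describe one review workflow: scan against several engines, roll the findings into a cumulative score, report privately first, allow one free rescan, then either admit the package to the repository or publish the failing report. The following Python model is an added illustration and is not code from the Trusted Code Initiative; the engine names, finding format, severity weights, the passing threshold of 80, and the rule that the same flaw reported by two engines counts once are all assumptions, since the paper leaves scoring details to the Standards Council.

```python
"""Model of the Trusted Code analysis, scoring and resubmission workflow.

Added illustration (not code from the Trusted Code Initiative). Engine names,
severity weights, PASS_THRESHOLD and the de-duplication rule are assumptions;
the text only says a cumulative score is produced and one free rescan is allowed.
"""
from dataclasses import dataclass
from enum import Enum

PASS_THRESHOLD = 80   # assumed cut-off; the paper says "a pre-determined level"
FREE_RESCANS = 1      # the text allows one additional scan at no charge

# Assumed severity weights used to turn findings into a cumulative score.
SEVERITY_WEIGHT = {"critical": 40, "high": 20, "medium": 8, "low": 2}


@dataclass(frozen=True)
class Finding:
    engine: str     # which scanning engine reported it
    cwe: str        # weakness category, e.g. "CWE-89"
    location: str   # file:line inside the submitted package
    severity: str


def score_package(findings):
    """Collapse findings from all engines into one score from 0 to 100.

    The same flaw reported by several engines is counted once, keyed on
    (cwe, location); the highest severity any engine assigned to it is used.
    Returns (score, de-duplicated findings sorted by location).
    """
    worst = {}
    for f in findings:
        key = (f.cwe, f.location)
        if key not in worst or SEVERITY_WEIGHT[f.severity] > SEVERITY_WEIGHT[worst[key].severity]:
            worst[key] = f
    penalty = sum(SEVERITY_WEIGHT[f.severity] for f in worst.values())
    return max(0, 100 - penalty), sorted(worst.values(), key=lambda f: f.location)


class Decision(Enum):
    ACCEPTED = "included in Trusted Code Repository"
    PENDING_DOCS = "score passes; documentation/support requirements still open"
    PRIVATE_REPORT = "report to Submitter only; free resubmission available"
    PUBLISHED_FAIL = "failing report posted to Trusted Code Repository"


@dataclass
class Submission:
    name: str
    docs_and_support_met: bool = False
    scans_run: int = 0


def review(submission, findings):
    """Run one scan cycle; return (score, decision, who receives the report)."""
    submission.scans_run += 1
    score, _unique = score_package(findings)
    if score >= PASS_THRESHOLD:
        if submission.docs_and_support_met:
            return score, Decision.ACCEPTED, ["submitter", "repository"]
        return score, Decision.PENDING_DOCS, ["submitter"]
    # First paid scan plus the free rescan(s) stay private; after that the
    # failing report becomes public so adopters can see the vulnerabilities.
    if submission.scans_run < 1 + FREE_RESCANS:
        return score, Decision.PRIVATE_REPORT, ["submitter"]
    return score, Decision.PUBLISHED_FAIL, ["submitter", "repository"]


def run_example():
    """Constructed walk-through of the FAIL and PASS models from the text."""
    first_scan = [
        Finding("engine-A", "CWE-89", "db/query.py:42", "critical"),
        Finding("engine-B", "CWE-89", "db/query.py:42", "high"),    # same flaw, second engine
        Finding("engine-B", "CWE-79", "web/render.py:17", "medium"),
    ]
    sub = Submission("pkg-example", docs_and_support_met=True)
    r1 = review(sub, first_scan)   # score 52: private report, free rescan offered
    r2 = review(sub, first_scan)   # resubmitted unchanged: still 52, failure published
    fixed_scan = [Finding("engine-A", "CWE-79", "web/render.py:17", "low")]
    sub2 = Submission("pkg-example-fixed", docs_and_support_met=True)
    r3 = review(sub2, fixed_scan)  # score 98: accepted into the repository
    return r1, r2, r3


if __name__ == "__main__":
    for score, decision, recipients in run_example():
        print(score, decision.name, recipients)
```

The de-duplication step matters in practice: without it, a package scanned by five engines that all flag the same injection point would be penalised five times, and the score would measure engine overlap rather than code quality.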


Access to Trusted Code

In order to make Trusted Code resources as broadly available as possible to public and private sector adopters, the Trusted Code Initiative will offer two options for adoption.  One option consists of a free/no cost analysis report which provides a cumulative score from all scanning engines utilized by the Trusted Code process.  The second option is a fee-based, value-added report that provides the adopter in-depth analysis and detail from each of the scanning engines and provides a series of customizable reports to be configured by the adopter.


Both options include free (no cost) access to the code, subject to the existing software licenses attached to the code before it enters the Trusted Code process.

The Trusted Code Initiative has no preference for the software license that is attached to the code and will respect open source, proprietary and dual license configurations.  It is not the responsibility or objective of the Trusted Code Initiative to dictate how the copyright holder licenses their code.

The fee-based report option allows the Trusted Code Initiative to fairly compensate those commercial entities whose business model is based on the scanning, analysis and reporting on software.  The Trusted Code Initiative does not intend to compete with any commercial entity, but to provide additional opportunities for them to provide their unique services to interested potential government and commercial customers.

This method is also essential in enabling the Trusted Code Initiative to become a functional, self-sustaining entity and not depend on government funding for operation.


7. Information and Software Assurance Management

Purpose: To serve as an independent coordination body to help manage the Information Assurance and Software Assurance (IA/SwA) validation process for commodity software resources.  Various Government policies dictate the acquisition, security and maintenance of most software resources.  The Trusted Code Foundation recognizes any software that has obtained government-sanctioned accreditation as “Trusted.”  However, there are many commodity software assets that are currently in use, or that would serve as a technically and economically efficient alternative solution for government users, if the software were to achieve appropriate government-sanctioned accreditation.

Objectives: To coordinate and manage the IA/SwA validation process for designated software resources.

Participants: Foundation member representatives will be responsible for identifying which commodity software assets will be candidates for appropriate validation.  While Foundation members will be responsible for asset selection, funding support for the validation efforts will be open to participation from non-Foundation members. 

Managed by:  Administration of activities will be managed by Trusted Code staff in conjunction with public and private-sector stakeholders.

Outcome/Deliverables:  Increase the number of commodity alternative software solutions that have successfully achieved appropriate government-sanctioned IA/SwA validation.

A defined roadmap for each Trusted Code asset that provides short- and long-term objectives and time lines for update, modification, evaluation and revalidation schedules, and that defines the technical goals and strategic objectives of both the public and private-sector technology consumers and the product and development community representatives, so that both sides can best plan and apply resources to meet common long-term objectives.

Funding: Funding to support the management of IA/SwA processes will be distributed by those Foundation and non-Foundation members who have a vested interest in the successful development and validation of each Trusted Code asset.

Time Line: Activity 7 - Trusted Standards Council (TSC): establish Trusted Code Standards Council from active participating TCF members.  TSC to set definition of “Trusted Code” and identify initial target program activities. Manages task-specific committee activities.

Completion of this task is expected within twelve to eighteen months of operation.


8. Trusted Code Hosting and Distribution Network

Purpose: Establish and maintain a “secured” hosting and cloud-based distribution network to ensure the quality and integrity of all Trusted Code assets.

Objectives: Create a secured repository that hosts all assets designated as Trusted Code and provide a cloud-based distribution network that ensures that all assets are delivered from the repository to the user securely.

Participants: An initial FedRAMP-certified Trusted Code Foundation commercial entity will serve as the core to the hosting and distribution network.  Additional commercial vendors are currently collaborating to ensure the solution will be both secured and scalable to meet Government security requirements and enterprise-level distribution bandwidth.

Managed by:  Coordination of the activities will be managed by Trusted Code staff.  Implementation for each element of the solution will be deployed by commercial Foundation members.  Government security, distribution and related requirements will be coordinated with appropriate Government agency representatives.

Outcome/Deliverables:  An independent, enterprise-level hosting and distribution network to ensure quality, security and access to Trusted Code resources.

Confidence in the Trusted Code brand for government and commercial adopters.

Readily available Trusted Code resources for Federal, state and local government agencies.

Funding: Funding support for the infrastructure will be provided in part by the membership dues from each Trusted Code Foundation member entity.  Additional funding for support will be collected as fees for service from non-Foundation members.

Time Line: Activity 8 - Trusted (secured) Hosting and Distribution Network (sHDN): all Trusted Code resources to be hosted (or mirrored from provider's secured repository) and access provided through TCF-maintained “secured” repository and distribution network.  Hosted Trusted Code resources to be “hashed” internally to maintain integrity of code and product update release.

Estimated completion and launch of the publicly accessible network is approximately eighteen months.  The rapid deployment schedule is due to the fact that all of the infrastructure is currently in place and actively serving government and commercial clients.  The cloud-based infrastructure network is FedRAMP certified.
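Activity 8 says hosted resources will be “hashed” internally so that code and update releases keep their integrity when served through the secured repository or mirrored from a provider. The following Python block is an added illustration of that mechanism and is not code from the Trusted Code Initiative or its hosting partners; the manifest layout, the choice of SHA-256, and the package names and contents are constructed here. It builds a per-release digest manifest when an artifact enters the repository, pins the manifest itself, and verifies what a mirror actually serves against it.

```python
"""Integrity manifest for hosted Trusted Code resources.

Added illustration, not code from the Trusted Code Initiative. SHA-256, the
manifest layout and the sample release contents are assumptions; the paper
only states that hosted resources are hashed to maintain integrity.
"""
import hashlib
import hmac
import json

HASH_ALGO = "sha256"   # assumed; the paper does not name an algorithm


def digest(data: bytes) -> str:
    return hashlib.new(HASH_ALGO, data).hexdigest()


def build_manifest(package: str, version: str, files: dict) -> dict:
    """Record one digest per artifact at the moment it enters the repository."""
    return {
        "package": package,
        "version": version,
        "algorithm": HASH_ALGO,
        "files": {name: digest(content) for name, content in sorted(files.items())},
    }


def manifest_digest(manifest: dict) -> str:
    """Digest of the canonical JSON form, so the manifest itself can be pinned
    (for example published out-of-band by the Foundation)."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return digest(canonical)


def verify_artifact(manifest: dict, name: str, data: bytes) -> bool:
    """Check one downloaded artifact (e.g. served by a mirror) against the manifest.

    Unknown file names fail closed; the hex digests are compared in constant time.
    """
    expected = manifest["files"].get(name)
    if expected is None:
        return False
    return hmac.compare_digest(expected, digest(data))


def verify_release(manifest: dict, downloaded: dict) -> list:
    """Return the sorted names of artifacts that are missing, altered, or not in
    the manifest at all (an extra file on a mirror is also a finding)."""
    bad = [
        name for name in manifest["files"]
        if name not in downloaded or not verify_artifact(manifest, name, downloaded[name])
    ]
    extras = [name for name in downloaded if name not in manifest["files"]]
    return sorted(bad + extras)


def run_example():
    """Constructed release standing in for a hosted Trusted Code package."""
    release = {
        "tool-1.2.tar.gz": b"constructed archive bytes for tool 1.2",
        "tool-1.2.tar.gz.sig": b"constructed detached signature",
        "README": b"constructed readme",
    }
    manifest = build_manifest("tool", "1.2", release)
    pinned = manifest_digest(manifest)

    # A mirror serves the same files, except one byte of the archive changed
    # and an unexpected extra file appeared.
    mirrored = dict(release)
    mirrored["tool-1.2.tar.gz"] = release["tool-1.2.tar.gz"][:-1] + b"X"
    mirrored["install.sh"] = b"constructed unexpected file"

    return {
        "clean": verify_release(manifest, release),
        "tampered": verify_release(manifest, mirrored),
        "manifest_unchanged": manifest_digest(manifest) == pinned,
    }


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

Hashing alone only proves that what the mirror served matches what the repository recorded; the value of the scheme depends on the manifest (or its pinned digest) reaching the adopter over a channel the mirror cannot alter, which is why the block separates pinning the manifest from checking the files.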


Frequently Asked Questions

1. What is "Trusted Code"?

The Trusted Code Initiative defines “Trusted Code” as open source software components, applications, development methods and practices that address the unique procurement, administrative and security requirements associated with Federal Government enterprise systems.

Trusted Code resources must meet one of the following criteria: 1) appropriately validated or affirmed by a government-sanctioned accreditation process; 2) deployed, or available for deployment, within a government technology system and affirmed by a government user or their designated representative; or 3) designated as “Trusted” by a government-sanctioned entity.

1.1) is appropriately validated or affirmed by a government-sanctioned accreditation process;

This includes all commercial and/or community-supported open source solutions that have achieved validation in accordance with policies such as National Security Telecommunications and Information Systems Security Policy (NSTISSP) No. 11, National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products, which is issued by the National Security Telecommunications and Information Systems Security Committee (NSTISSC).[1]

Commercially or community-supported open source software products that have obtained these validations will automatically be considered as “Trusted Code” and are not required to pass any additional requirements under the Trusted Code Initiative.

These software products or components are not required to be included in the Trusted Code repository, but can be linked to their existing hosting facility as long as the code is verified and its validation is current.

Examples of this would be Red Hat Enterprise Linux by Red Hat, SUSE Linux Enterprise Desktop by SUSE, or the FIPS 140-2 Validated OpenSSL Cryptographic Modules.

1.2) is deployed within a government technology system and affirmed by a government user or their designated representative;

This includes any open source software component, application or application suite that is currently deployed within a government technology system, with the caveat that at least one government agency or their designated representative must confirm and affirm the deployed solution.

This criterion is intended to demonstrate a viable solution and provide a reference point for other government agencies who might consider the solution as part of their system.

The affirming government entity is not required to host or maintain the Trusted Code, but must “vouch” for its usefulness and functionality.  There is no liability or expectation assumed on the part of the “vouching” government entity or their representative.

An example of this is the Defense Information Systems Agency's (DISA) Open Source Corporate Management Information System (OSCMIS)(media article description).  OSCMIS, an open source Federal workflow management application suite, was developed and is currently deployed within DISA and manages the agency's 16,000 combat support personnel worldwide.  DISA makes a version of the OSCMIS suite available under an open source license, but does not provide support for instances outside of the agency's critical mission path.

1.3) is designated as “Trusted” by a government-sanctioned entity.

There are many open source software components that are available as viable alternative solutions to government agencies, but are not directly subject to existing accreditation policy regulations.

To consider these open source components, or applications, as “Trusted Code,” the Trusted Code Initiative will establish criteria to define and designate such software assets as “Trusted.”

This process will be determined and governed by government, commercial and community representatives of the Trusted Code Foundation, as designated by the (to be established) Board of Directors of the appropriate organization.

Additional questions to be addressed as the Trusted Code Initiative evolves:

2. What is the difference between Trusted Code and other open source software that is used within government systems?

3. How does a software component become "Trusted"?

4. Who regulates the definition and standard for "Trusted Code"?

5. Who can submit a component to become Trusted?

6. Who pays for Trusted Code?

7. Who can access Trusted Code?

8. Is Trusted Code secure? 

9. What are the export (ITAR) issues regarding Trusted Code?

10. Who can service and support Trusted Code resources?

11. How and where are Trusted Code resources hosted and distributed?  Who has access?

12. Which code scanning engines are used as part of the Trusted Code Analysis and Vulnerability Monitoring?

13. How often are Trusted Code assets scanned?

14. What is included in the Free and "for Fee" Vulnerability Report?

15. Who determines which Trusted Code resources are included in Information Assurance validation efforts? 

16. Who can participate in the IA validation process?  What does it cost?  Who has access after the code is validated?

17. Which IA and SwA validations are included or considered?

18. Which Government Agencies are participating in the Trusted Code Initiative?

19. Who serves on the Trusted Code Foundation Board and other committees?

20. What are the qualifications or criteria required to participate in the Trusted Code Foundation?

21. Are Trusted Code resources 508 compliant?

22. What is the long-term strategy for the Trusted Code Initiative?

23. What are the reporting processes and policies for the Trusted Code Foundation?

24. What open source licenses are recognized or recommended by the Trusted Code Initiative?

25. Are non-open source software resources considered for Trusted Code designation?

26. Which open source development communities are participating in the Trusted Code Initiative?

27. How long is the Trusted Code designation valid for a component?

28. What other efforts are similar to the Trusted Code Initiative?  What are the differences?

29. When are the Trusted Code Foundation Board of Directors and other activities scheduled?  Are they open to the public?

30. Who owns the Trusted Code Foundation?

31. Who sponsors the Trusted Code Initiative?

32. Who pays for the Information Assurance validation processes for Trusted Code components?

33. Is there a fee to belong to the Trusted Code Foundation?

34. What is the governance structure of the Trusted Code Foundation?