SEC Open Source Policy
Purpose
This document establishes the Securities and Exchange Commission’s (SEC) policy on open source software development and publication, and communicates to the agency its responsibilities for compliance with both Office of Management and Budget (OMB) Memorandum M-16-21 and the Source code Harmonization And Reuse in Information Technology (SHARE IT) Act.
Background
The SEC has taken an open-first approach to data, application programming interfaces, and source code. In 2016, OMB published Memorandum M-16-21, Federal Source Code Policy: Achieving Efficiency, Transparency, and Innovation through Reusable and Open Source Software, directing agencies to share software code developed by and for the government under an open source license.
In addition, on December 23, 2024, the Source code Harmonization And Reuse in Information Technology (SHARE IT) Act was enacted, which mandates agencies to share custom-developed source code across government in a public or private repository and publish lists of custom-developed code publicly.
Applicability
This policy applies to all SEC officers, employees, special Government employees, detailees, interns, scholars, fellows, secondees, volunteers, and contractors.
Policy
This policy requires the SEC to account for and publish its open source code in accordance with OMB Memorandum M-16-21, and:
a. Promotes the SEC’s vision of “being open” through development and acquisition practices.
b. Promotes a posture of being “open by default” by requiring new custom code to be released as a Minimum Viable Product (MVP), engaging the public before releasing, and drawing upon the public’s knowledge to improve the project. Justification will be required for new custom code that does not follow these guidelines.
c. Incorporates the SEC’s Open Source Implementation guidelines and Open Source Checklist to ensure the proper considerations are made before going live with a public software project.
d. Requires that a standard, secure open source code development process be in place at the SEC that all organizations will follow. This process can be accomplished in multiple ways, such as performing automated code scanning or code reviews.
e. Commits to releasing open source code through a public-facing software version control platform, including code developed by SEC staff and contractors.
f. Implements OMB’s three-step software analysis outlined in M-16-21:
- Conduct Strategic Analysis and Analyze Alternatives, prioritizing the use of existing Federal software solutions;
- Consider Existing Commercial Solutions, if Commercial Off-The-Shelf (COTS) software can fulfill the requirements; and
- Consider Custom Development only when the previous two steps cannot fulfill the requirement, while open sourcing custom code and establishing the necessary rights in contract language.
Specific contract requirements will be developed through collaboration between the SEC’s Office of Acquisitions, General Counsel, and Office of Information Technology and will be subsequently communicated to the agency.
g. Requires that a metadata file be included in each project’s source code repository. The metadata file will contain information about the project that can be included in the SEC’s code inventory.
Responsibilities
a. The SEC’s Chief Information Officer (CIO) is responsible for establishing an internal policy that incorporates M-16-21 and SHARE IT Act requirements and publishing it on https://www.sec.gov/digitalstrategy.
b. The CIO is responsible for identifying a standard Version Control System. SEC Divisions and Offices are responsible for moving to the standard Version Control System, with the support of the Office of Information Technology (OIT).
c. The CIO must ensure that custom-developed source code is stored in accessible repositories, both public and private, as required by the SHARE IT Act.
d. SEC Divisions and Offices are responsible for being “open first” by requiring new custom code to be released as an MVP, engaging the public before releasing, and drawing upon the public’s knowledge to improve the project. Project teams will utilize existing processes such as the Authority to Operate process to determine the application’s level of strategic importance in terms of integrity, confidentiality, and availability. Project teams should also consider the business value that open sourcing all or part of the code base provides towards meeting the objectives of the program. Sufficient justification will be required for new custom code that does not follow these guidelines.
e. SEC Divisions and Offices are responsible for inventorying all custom code developed for or by the SEC using a standard JSON file format with metadata criteria established by OMB.
f. SEC Divisions and Offices are responsible for publishing all new open source code and including it in the SEC’s code inventory, barring sufficient justification as outlined in 5.c.
g. OIT and the SEC Office of Public Affairs are jointly responsible for publishing the inventory at www.sec.gov/code.json.
Exemptions
The SHARE IT Act allows for several limited exemptions from sharing source code:
i. Classified source code or source code developed for a national security system, or by an agency or part of an agency that is an element of the intelligence community;
ii. Source code which is exempt from disclosure under the Freedom of Information Act;
iii. If the sharing or discovery of the source code is restricted by Federal law or regulation, including the Export Administration Regulations, the International Traffic in Arms Regulations, regulations of the Transportation Security Administration relating to the protection of Sensitive Security Information, and the Federal laws and regulations governing classified information; or
iv. If the sharing or discovery of the source code would create an identifiable risk to individual privacy.
Any such exemptions must be documented and submitted to the SEC Chief Information Officer for approval. Approved exemptions will be reported to OMB annually in accordance with the law.
Authority
OMB Memorandum M-16-21, Federal Source Code Policy: Achieving Efficiency, Transparency, and Innovation through Reusable and Open Source Software, August 8, 2016
Source code Harmonization And Reuse in Information Technology Act (SHARE IT Act) (PL 118-187), December 23, 2024
Signature
David Bottom
Chief Information Officer
U.S. Securities and Exchange Commission
Last Reviewed or Updated: March 14, 2025