Environmental Protection Agency (EPA).
The Environmental Protection Agency (EPA) is adding a new clause to the EPAAR addressing open source software requirements, including EPA's ability to share open source software developed under its procurements.
This final rule is effective on August 3, 2020.
The EPA has established a docket for this action under Docket ID No. EPA-HQ-OARM-2018-0743. All documents in the docket are listed on the https://www.regulations.gov website. Although listed in the index, some information is not publicly available, e.g., CBI or other information whose disclosure is restricted by statute. Certain other material, such as copyrighted material, is not placed on the internet and will be publicly available only in hard copy form. Publicly available docket materials are available electronically through http://www.regulations.gov.
Start Further Info
FOR FURTHER INFORMATION CONTACT:
Thomas Valentino, Policy, Training, and Oversight Division, Office of Acquisition Solutions (3802R), Environmental Protection Agency, 1200 Pennsylvania Ave. NW, Washington, DC 20460; telephone number: 202-564-4522; email address: firstname.lastname@example.org.
End Further Info
Start Supplemental Information
The EPA is writing a new EPAAR clause to address open source software requirements at EPA, so that the EPA can share custom-developed code as open source code developed under its procurements, in accordance with Office of Management and Budget's (OMB) Memorandum M-16-21, Federal Source Code Policy: Achieving Efficiency, Transparency, and Innovation through Reusable and Open Source Software. In meeting the requirements of Memorandum M-16-21 the EPA will be providing an enterprise code inventory indicating if the new code (source code or code) was custom-developed for, or by, the agency; or if the code is available for Federal reuse; or if the code is available publicly as open source code; or if the code cannot be made available due to specific exceptions. On October 18, 2019 (84 FR 55894) EPA sought comments on the proposed rule and received four comments. One commenter stated that a single location to access open-source code would be easier to access and manage. The EPA agrees, and participates in the https://code.gov/ platform provided by the General Services Administration (GSA) to host open-source code. Another commenter stated that protecting our nation's computer systems should be a high Start Printed Page 46557priority, and the EPA agrees. The EPA also agrees with the commenter who stated that this rule strikes a balance between government benefit and risk. The EPA addressed the broad final comment by providing procedures at https://www.usa.gov/complaint-against-government that outlines how to file complaints.
II. Final Rule
The final rule creates EPA Acquisition Regulation (EPAAR) Part 1539, Acquisition of Information Technology, and adds Subpart 1539.2, Open Source Software; and § 1539.2071, Contract clause. EPAAR Subpart 1552.2, Texts of Provisions and Clauses, is amended by adding EPAAR § 1552.239-71, Open Source Software.
1. EPAAR Subpart 1539.2 adds the new subpart.
2. EPAAR § 1539.2071 adds the prescription for use of § 1552.239-71 in all procurements where open-source software development/custom development of software will be required.
3. EPAAR § 1552.239-71, Open Source Software, provides the terms and conditions for open source software code development and use.
III. Statutory and Executive Order Reviews
A. Executive Order 12866: Regulatory Planning and Review
This action is not a “significant regulatory action” under the terms of Executive Order (E.O.) 12866 (58 FR 51735, October 4, 1993) and therefore, not subject to review under the E.O.
B. Paperwork Reduction Act
This action does not impose an information collection burden under the provisions of the Paperwork Reduction Act, 44 U.S.C. 3501 et seq. No information is collected under this action.
C. Regulatory Flexibility Act (RFA), as Amended by the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), 5 U.S.C. 601 et seq.
The Regulatory Flexibility Act generally requires an agency to prepare a regulatory flexibility analysis of any rule subject to notice and comment rulemaking requirements under the Administrative Procedure Act or any other statute; unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities. Small entities include small businesses, small organizations, and small governmental jurisdictions.
For purposes of assessing the impact of today's final rule on small entities, “small entity” is defined as: (1) A small business that meets the definition of a small business found in the Small Business Act and codified at 13 CFR 121.201; (2) a small governmental jurisdiction that is a government of a city, county, town, school district or special district with a population of less than 50,000; and (3) a small organization that is any not-for-profit enterprise which is independently owned and operated and is not dominant in its field.
After considering the economic impacts of this rule on small entities, I certify that this action will not have a significant economic impact on a substantial number of small entities. This action creates a new EPAAR clause and does not impose requirements involving capital investment, implementing procedures, or record keeping. This rule will not have a significant economic impact on small entities.
D. Unfunded Mandates Reform Act
Title II of the Unfunded Mandates Reform Act of 1995 (UMRA), Public Law 104-4, establishes requirements for Federal agencies to assess the effects of their regulatory actions on State, Local, and Tribal governments and the private sector.
This rule contains no Federal mandates (under the regulatory provisions of the Title II of the UMRA) for State, Local, and Tribal governments or the private sector. The rule imposes no enforceable duty on any State, Local or Tribal governments or the private sector. Thus, the rule is not subject to the requirements of Sections 202 and 205 of the UMRA.
Executive Order 13132, entitled “Federalism” (64 FR 43255, August 10, 1999), requires EPA to develop an accountable process to ensure “meaningful and timely input by State and Local officials in the development of regulatory policies that have federalism implications.” “Policies that have federalism implications” is defined in the Executive Order to include regulations that have “substantial direct effects on the States, on the relationship between the national government and the States, or on the distribution of power and responsibilities among the various levels of government.”
This rule does not have federalism implications. It will not have substantial direct effects on the States, on the relationship between the national government and the States, or on the distribution of power and responsibilities among the various levels of government as specified in Executive Order 13132.
F. Executive Order 13175: Consultation and Coordination With Indian Tribal Governments
Executive Order 13175, entitled “Consultation and Coordination with Indian Tribal Governments” (65 FR 67249, November 9, 2000), requires EPA to develop an accountable process to ensure “meaningful and timely input by tribal officials in the development of regulatory policies that have tribal implications.” This rule does not have tribal implications as specified in Executive Order 13175.
G. Executive Order 13045: Protection of Children From Environmental Health and Safety Risks
Executive Order 13045, entitled “Protection of Children from Environmental Health and Safety Risks” (62 FR 19885, April 23, 1997), applies to any rule that: (1) Is determined to be economically significant as defined under Executive Order 12886, and (2) concerns an environmental health or safety risk that may have a proportionate effect on children. This rule is not subject to Executive Order 13045 because it is not an economically significant rule as defined by Executive Order 12866, and because it does not involve decisions on environmental health or safety risks.
H. Executive Order 13211: Actions That Significantly Affect Energy Supply, Distribution, or Use
This final rule is not subject to Executive Order 13211, “Actions Concerning Regulations That Significantly Affect Energy Supply, Distribution of Use” (66 FR 28335 (May 22, 2001), because it is not a significant regulatory action under Executive Order 12866.
I. National Technology Transfer and Advancement Act of 1995 (NTTAA)
Section 12(d) (15 U.S.C 272 note) of NTTA, Public Law 104-113, directs EPA to use voluntary consensus standards in its regulatory activities unless to do so would be inconsistent with applicable law or otherwise impractical. Voluntary consensus standards are technical standards (e.g., materials specifications, test methods, sampling procedures and business practices) that are developed or adopted by voluntary consensus standards bodies. The NTTA directs EPA to provide Congress, through OMB, Start Printed Page 46558explanations when the Agency decides not to use available and applicable voluntary consensus standards.
This rulemaking does not involve technical standards. Therefore, EPA is not considering the use of any voluntary consensus standards.
J. Executive Order 12898: Federal Actions To Address Environmental Justice in Minority Populations and Low-Income Populations
Executive Order (E.O.) 12898 (59 FR 7629 (February 16, 1994) establishes federal executive policy on environmental justice. Its main provision directs federal agencies, to the greatest extent practicable and permitted by law, to make environmental justice part of their mission by identifying and addressing, as appropriate, disproportionately high and adverse human health or environmental effects of their programs, policies, and activities on minority populations and low-income populations in the United States.
EPA has determined that this final rule will not have disproportionately high and adverse human health or environmental effects on minority or low-income populations because it does not affect the level of protection provided to human health or the environment. This rulemaking does not involve human health or environmental effects.
Start List of Subjects
End List of Subjects
- Environmental protection
- Government procurement
- Reporting and recordkeeping requirements
Director, Office of Acquisition Solutions.
For the reasons set forth in the preamble, EPA adds 48 CFR part 1539 and amends 48 CFR part 1552 as follows:
Start Amendment Part
1. Add part 1539 to read as follows: End Amendment Part
PART 1539—ACQUISITION OF INFORMATION TECHNOLOGY
Subpart 1539.2—Open Source Software
- Contract clause
Subpart 1539.2—Open Source Software
(a) Contracting Officers shall use clause 1552.239-71, Open Source Software, for all procurements where open-source software development/custom development of software will be required; including, but not limited to, multi-agency contracts, Federal Supply Schedule orders, Governmentwide Acquisition Contracts, interagency agreements, cooperative agreements and student services contracts.
(b) In addition to clause 1552.239-71, Contracting Officers must also select the appropriate version * of Federal Acquisition Regulation (FAR) clause 52.227-14, Rights in Data—General, to include in the subject procurement in accordance with FAR 27.409. (* Important note: Alternate IV of clause 52.227-14 is NOT suitable for open-source software procurement use because it gives the contractor blanket permission to assert copyright.)
PART 1552—SOLICITATION PROVISIONS AND CONTRACT CLAUSES
Start Amendment Part
4. Authority: The authority citations for part 1552 continue to read as follows: End Amendment Part
Start Amendment Part
5. Amend Subpart 1552.2, Texts of Provisions and Clauses, by adding § 1552.239-71 to read as follows:End Amendment Part
End Supplemental Information
Open Source Software.
As prescribed in § 1539.2071, insert the following clause:
Open Source Software (AUG 2020)
“Custom-Developed Code” means code that is first produced in the performance of a federal contract or is otherwise fully funded by the federal government. It includes code, or segregable portions of code, for which the government could obtain unlimited rights under Federal Acquisition Regulation (FAR) Part 27 and relevant agency FAR Supplements. Custom-developed code also includes code developed by agency employees as part of their official duties. Custom-developed code may include, but is not limited to, code written for software projects, modules, plugins, scripts, middleware and Application Programming Interfaces (API); it does not, however, include code that is truly exploratory or disposable in nature, such as that written by a developer experimenting with a new language or library.
“Open Source Software (OSS)” means software that can be accessed, used, modified and shared by anyone. OSS is often distributed under licenses that comply with the definition of “Open Source” provided by the Open Source Initiative at https://opensource.org/osd or equivalent, and/or that meet the definition of “Free Software” provided by the Free Software Foundation at: https://www.gnu.org/philosophy/free-sw.html or equivalent.
“Software” means: (i) Computer programs that comprise a series of instructions, rules, routines or statements, regardless of the media in which recorded, that allow or cause a computer to perform a specific operation or series of operations; and (ii) recorded information comprising source code listings, design details, algorithms, processes, flow charts, formulas and related material that would enable the computer program to be produced, created or compiled. Software does not include computer databases or computer software documentation.
“Source Code” means computer commands written in a computer programming language that is meant to be read by people. Generally, source code is a higher-level representation of computer commands written by people, but must be assembled, interpreted or compiled before a computer can execute the code as a program.
(b)(1) Policy. It is the EPA policy that new custom-developed code be made broadly available for reuse across the federal government, subject to the exceptions provided in (b)(3). The policy does not apply retroactively so it does not require existing custom-developed code also be made available for Government-wide reuse or as OSS. However, making such code available for government-wide reuse or as OSS, to the extent practicable, is strongly encouraged. The EPA also supports the Office of Management and Budget's (OMB) Federal Source Code Policy provided in OMB Memorandum M-16-21, Federal Source Code Policy: Achieving Efficiency, Transparency, and Innovation through Reusable and Open Source Software, by:
(i) Providing an enterprise code inventory (e.g., code.json file) that lists new and applicable custom-developed code for, or by, the EPA;
(ii) Indicating whether the code is available for Federal reuse; or
(iii) Indicating if the code is available publicly as OSS.
(2) Exemption: Source code developed for National Security Systems (NSS), as defined in 40 U.S.C. 11103, is exempt from the requirements herein.
(3) Exceptions: Exceptions may be applied in specific instances to exempt EPA from sharing custom-developed code with other government agencies. Any exceptions used must be approved and documented by the Chief Information Officer (CIO) or his or her designee for the purposes of ensuring effective oversight and management of IT resources. For excepted software, EPA must provide OMB a brief narrative justification for each exception, with redactions as appropriate. Applicable exceptions are as follows:
(i) The sharing of the source code is restricted by law or regulation, including—but not limited to—patent or intellectual property law, the Export Asset Regulations, the International Traffic in Arms Regulation and the federal laws and regulations governing classified information.
(ii) The sharing of the source code would create an identifiable risk to the detriment of national security, confidentiality of government information or individual privacy.Start Printed Page 46559
(iii) The sharing of the source code would create an identifiable risk to the stability, security or integrity of EPA's systems or personnel.
(iv) The sharing of the source code would create an identifiable risk to EPA mission, programs or operations.
(v) The CIO believes it is in the national interest to exempt sharing the source code.
(c) The Contractor shall deliver to the Contracting Officer (CO) or Contracting Officer's Representative (COR) the underlying source code, license file, related files, build instructions, software user's guides, automated test suites, and other associated documentation as applicable.
(d) In accordance with OMB Memorandum M-16-21 the Government asserts its unlimited rights—including rights to reproduction, reuse, modification and distribution of the custom source code, associated documentation, and related files—for reuse across the federal government and as open source software for the public. These unlimited rights described above attach to all code furnished in the performance of the contract, unless the parties expressly agree otherwise in the contract.
(e) The Contractor is prohibited from reselling code developed under this contract without express written consent of the EPA Contracting Officer. The Contractor must provide at least 30 days advance notice if it intends to resell code developed under this contract.
(f) Technical guidance for EPA's OSS Policy should conform with the “EPA's Open Source Code Guidance” that will be maintained by the Office of Mission Support (OMS) at https://developer.epa.gov/guide/open-source-code/ or equivalent.
(g) The Contractor shall identify all deliverables and asserted restrictions as follows:
(1) The Contractor shall use open source license either:
(i) Identified in the contract, or
(ii) developed using one of the following licenses: (a) Creative Commons Zero (CC0); (b) MIT license; (c) GNU General Public License version 3 (GPL v3); (4) Lesser General Public License 2.1 (LGPL-2.1); (5) Apache 2.0 license; or (6) other open source license subject to Agency approval.
(2) The Contractor shall provide a copy of the proposed commercial license agreement to the Contracting Officer prior to contracting for commercial data/software.
(3) The Contractor shall identify any data that will be delivered with restrictions.
(4) The Contractor shall deliver the data package as specified by the EPA.
(5) The Contractor shall deliver the source code to the EPA-specified version control repository and source code management system.
(h) The Contractor shall comply with software and data rights requirements and provide all licenses for software dependencies as follows:
(1) The Contractor shall ensure all deliverables are appropriately marked with the applicable restrictive legends.
(2) The EPA is deemed to have received unlimited rights when data or software is delivered by the Contractor with restrictive markings omitted.
(3) If the delivery is made with restrictive markings that are not authorized by the contract, then the marking is characterized as “nonconforming.” In accordance with Federal Acquisition Regulation (FAR) 46.407, Nonconforming supplies or services, the Contractor will be given the chance to correct or replace the nonconforming supplies within the required delivery schedule. If the Contractor is unable to deliver conforming supplies, then the EPA is deemed to have received unlimited rights to the nonconforming supplies.
(i) The Contractor shall include this clause in all subcontracts that include custom-developed code requirements.
(End of clause)
[FR Doc. 2020-15772 Filed 7-31-20; 8:45 am]
BILLING CODE 6560-50-P