Environmental Protection Agency Acquisition Regulation (EPAAR); Open Source Software, 46556-46559 [2020-15772]

Agencies

• ENVIRONMENTAL PROTECTION AGENCY

[Federal Register Volume 85, Number 149 (Monday, August 3, 2020)]
[Rules and Regulations]
[Pages 46556-46559]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-15772]


-----------------------------------------------------------------------

ENVIRONMENTAL PROTECTION AGENCY

48 CFR Parts 1539 and 1552

[EPA-HQ-OARM-2018-0743; FRL-10011-94-OMS]


Environmental Protection Agency Acquisition Regulation (EPAAR); 
Open Source Software

AGENCY: Environmental Protection Agency (EPA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Environmental Protection Agency (EPA) is adding a new 
clause to the EPAAR addressing open source software requirements, 
including EPA's ability to share open source software developed under 
its procurements.

DATES: This final rule is effective on August 3, 2020.

ADDRESSES: The EPA has established a docket for this action under 
Docket ID No. EPA-HQ-OARM-2018-0743. All documents in the docket are 
listed on the https://www.regulations.gov website. Although listed in 
the index, some information is not publicly available, e.g., CBI or 
other information whose disclosure is restricted by statute. Certain 
other material, such as copyrighted material, is not placed on the 
internet and will be publicly available only in hard copy form. 
Publicly available docket materials are available electronically 
through https://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: Thomas Valentino, Policy, Training, 
and Oversight Division, Office of Acquisition Solutions (3802R), 
Environmental Protection Agency, 1200 Pennsylvania Ave. NW, Washington, 
DC 20460; telephone number: 202-564-4522; email address: 
[email protected].

SUPPLEMENTARY INFORMATION:

I. Background

    The EPA is writing a new EPAAR clause to address open source 
software requirements at EPA, so that the EPA can share custom-
developed code as open source code developed under its procurements, in 
accordance with Office of Management and Budget's (OMB) Memorandum M-
16-21, Federal Source Code Policy: Achieving Efficiency, Transparency, 
and Innovation through Reusable and Open Source Software. In meeting 
the requirements of Memorandum M-16-21 the EPA will be providing an 
enterprise code inventory indicating if the new code (source code or 
code) was custom-developed for, or by, the agency; or if the code is 
available for Federal reuse; or if the code is available publicly as 
open source code; or if the code cannot be made available due to 
specific exceptions. On October 18, 2019 (84 FR 55894) EPA sought 
comments on the proposed rule and received four comments. One commenter 
stated that a single location to access open-source code would be 
easier to access and manage. The EPA agrees, and participates in the 
https://code.gov/ platform provided by the General Services 
Administration (GSA) to host open-source code. Another commenter stated 
that protecting our nation's computer systems should be a high

[[Page 46557]]

priority, and the EPA agrees. The EPA also agrees with the commenter 
who stated that this rule strikes a balance between government benefit 
and risk. The EPA addressed the broad final comment by providing 
procedures at https://www.usa.gov/complaint-against-government that 
outlines how to file complaints.

II. Final Rule

    The final rule creates EPA Acquisition Regulation (EPAAR) Part 
1539, Acquisition of Information Technology, and adds Subpart 1539.2, 
Open Source Software; and Sec.  1539.2071, Contract clause. EPAAR 
Subpart 1552.2, Texts of Provisions and Clauses, is amended by adding 
EPAAR Sec.  1552.239-71, Open Source Software.
    1. EPAAR Subpart 1539.2 adds the new subpart.
    2. EPAAR Sec.  1539.2071 adds the prescription for use of Sec.  
1552.239-71 in all procurements where open-source software development/
custom development of software will be required.
    3. EPAAR Sec.  1552.239-71, Open Source Software, provides the 
terms and conditions for open source software code development and use.

III. Statutory and Executive Order Reviews

A. Executive Order 12866: Regulatory Planning and Review

    This action is not a ``significant regulatory action'' under the 
terms of Executive Order (E.O.) 12866 (58 FR 51735, October 4, 1993) 
and therefore, not subject to review under the E.O.

B. Paperwork Reduction Act

    This action does not impose an information collection burden under 
the provisions of the Paperwork Reduction Act, 44 U.S.C. 3501 et seq. 
No information is collected under this action.

C. Regulatory Flexibility Act (RFA), as Amended by the Small Business 
Regulatory Enforcement Fairness Act of 1996 (SBREFA), 5 U.S.C. 601 et 
seq.

    The Regulatory Flexibility Act generally requires an agency to 
prepare a regulatory flexibility analysis of any rule subject to notice 
and comment rulemaking requirements under the Administrative Procedure 
Act or any other statute; unless the agency certifies that the rule 
will not have a significant economic impact on a substantial number of 
small entities. Small entities include small businesses, small 
organizations, and small governmental jurisdictions.
    For purposes of assessing the impact of today's final rule on small 
entities, ``small entity'' is defined as: (1) A small business that 
meets the definition of a small business found in the Small Business 
Act and codified at 13 CFR 121.201; (2) a small governmental 
jurisdiction that is a government of a city, county, town, school 
district or special district with a population of less than 50,000; and 
(3) a small organization that is any not-for-profit enterprise which is 
independently owned and operated and is not dominant in its field.
    After considering the economic impacts of this rule on small 
entities, I certify that this action will not have a significant 
economic impact on a substantial number of small entities. This action 
creates a new EPAAR clause and does not impose requirements involving 
capital investment, implementing procedures, or record keeping. This 
rule will not have a significant economic impact on small entities.

D. Unfunded Mandates Reform Act

    Title II of the Unfunded Mandates Reform Act of 1995 (UMRA), Public 
Law 104-4, establishes requirements for Federal agencies to assess the 
effects of their regulatory actions on State, Local, and Tribal 
governments and the private sector.
    This rule contains no Federal mandates (under the regulatory 
provisions of the Title II of the UMRA) for State, Local, and Tribal 
governments or the private sector. The rule imposes no enforceable duty 
on any State, Local or Tribal governments or the private sector. Thus, 
the rule is not subject to the requirements of Sections 202 and 205 of 
the UMRA.

E. Executive Order 13132: Federalism

    Executive Order 13132, entitled ``Federalism'' (64 FR 43255, August 
10, 1999), requires EPA to develop an accountable process to ensure 
``meaningful and timely input by State and Local officials in the 
development of regulatory policies that have federalism implications.'' 
``Policies that have federalism implications'' is defined in the 
Executive Order to include regulations that have ``substantial direct 
effects on the States, on the relationship between the national 
government and the States, or on the distribution of power and 
responsibilities among the various levels of government.''
    This rule does not have federalism implications. It will not have 
substantial direct effects on the States, on the relationship between 
the national government and the States, or on the distribution of power 
and responsibilities among the various levels of government as 
specified in Executive Order 13132.

F. Executive Order 13175: Consultation and Coordination With Indian 
Tribal Governments

    Executive Order 13175, entitled ``Consultation and Coordination 
with Indian Tribal Governments'' (65 FR 67249, November 9, 2000), 
requires EPA to develop an accountable process to ensure ``meaningful 
and timely input by tribal officials in the development of regulatory 
policies that have tribal implications.'' This rule does not have 
tribal implications as specified in Executive Order 13175.

G. Executive Order 13045: Protection of Children From Environmental 
Health and Safety Risks

    Executive Order 13045, entitled ``Protection of Children from 
Environmental Health and Safety Risks'' (62 FR 19885, April 23, 1997), 
applies to any rule that: (1) Is determined to be economically 
significant as defined under Executive Order 12886, and (2) concerns an 
environmental health or safety risk that may have a proportionate 
effect on children. This rule is not subject to Executive Order 13045 
because it is not an economically significant rule as defined by 
Executive Order 12866, and because it does not involve decisions on 
environmental health or safety risks.

H. Executive Order 13211: Actions That Significantly Affect Energy 
Supply, Distribution, or Use

    This final rule is not subject to Executive Order 13211, ``Actions 
Concerning Regulations That Significantly Affect Energy Supply, 
Distribution of Use'' (66 FR 28335 (May 22, 2001), because it is not a 
significant regulatory action under Executive Order 12866.

I. National Technology Transfer and Advancement Act of 1995 (NTTAA)

    Section 12(d) (15 U.S.C 272 note) of NTTA, Public Law 104-113, 
directs EPA to use voluntary consensus standards in its regulatory 
activities unless to do so would be inconsistent with applicable law or 
otherwise impractical. Voluntary consensus standards are technical 
standards (e.g., materials specifications, test methods, sampling 
procedures and business practices) that are developed or adopted by 
voluntary consensus standards bodies. The NTTA directs EPA to provide 
Congress, through OMB,

[[Page 46558]]

explanations when the Agency decides not to use available and 
applicable voluntary consensus standards.
    This rulemaking does not involve technical standards. Therefore, 
EPA is not considering the use of any voluntary consensus standards.

J. Executive Order 12898: Federal Actions To Address Environmental 
Justice in Minority Populations and Low-Income Populations

    Executive Order (E.O.) 12898 (59 FR 7629 (February 16, 1994) 
establishes federal executive policy on environmental justice. Its main 
provision directs federal agencies, to the greatest extent practicable 
and permitted by law, to make environmental justice part of their 
mission by identifying and addressing, as appropriate, 
disproportionately high and adverse human health or environmental 
effects of their programs, policies, and activities on minority 
populations and low-income populations in the United States.
    EPA has determined that this final rule will not have 
disproportionately high and adverse human health or environmental 
effects on minority or low-income populations because it does not 
affect the level of protection provided to human health or the 
environment. This rulemaking does not involve human health or 
environmental effects.

List of Subjects in 48 CFR Parts 1539 and 1552

    Environmental protection, Government procurement, Reporting and 
recordkeeping requirements.

Kimberly Patrick,
Director, Office of Acquisition Solutions.

    For the reasons set forth in the preamble, EPA adds 48 CFR part 
1539 and amends 48 CFR part 1552 as follows:

0
1. Add part 1539 to read as follows:

PART 1539--ACQUISITION OF INFORMATION TECHNOLOGY

Subpart 1539.2--Open Source Software

Sec.
1539.2071 Contract clause

    Authority:  5 U.S.C. 301 and 41 U.S.C. 418b.

Subpart 1539.2--Open Source Software


Sec.  1539.2071   Contract clause.

    (a) Contracting Officers shall use clause 1552.239-71, Open Source 
Software, for all procurements where open-source software development/
custom development of software will be required; including, but not 
limited to, multi-agency contracts, Federal Supply Schedule orders, 
Governmentwide Acquisition Contracts, interagency agreements, 
cooperative agreements and student services contracts.
    (b) In addition to clause 1552.239-71, Contracting Officers must 
also select the appropriate version * of Federal Acquisition Regulation 
(FAR) clause 52.227-14, Rights in Data--General, to include in the 
subject procurement in accordance with FAR 27.409. (* Important note: 
Alternate IV of clause 52.227-14 is NOT suitable for open-source 
software procurement use because it gives the contractor blanket 
permission to assert copyright.)

PART 1552--SOLICITATION PROVISIONS AND CONTRACT CLAUSES

0
4. Authority: The authority citations for part 1552 continue to read as 
follows:

    Authority:  5 U.S.C. 301 and 41 U.S.C. 418b.


0
5. Amend Subpart 1552.2, Texts of Provisions and Clauses, by adding 
Sec.  1552.239-71 to read as follows:


Sec.  1552.239-71   Open Source Software.

    As prescribed in Sec.  1539.2071, insert the following clause:

Open Source Software (AUG 2020)

    (a) Definitions.
    ``Custom-Developed Code'' means code that is first produced in 
the performance of a federal contract or is otherwise fully funded 
by the federal government. It includes code, or segregable portions 
of code, for which the government could obtain unlimited rights 
under Federal Acquisition Regulation (FAR) Part 27 and relevant 
agency FAR Supplements. Custom-developed code also includes code 
developed by agency employees as part of their official duties. 
Custom-developed code may include, but is not limited to, code 
written for software projects, modules, plugins, scripts, middleware 
and Application Programming Interfaces (API); it does not, however, 
include code that is truly exploratory or disposable in nature, such 
as that written by a developer experimenting with a new language or 
library.
    ``Open Source Software (OSS)'' means software that can be 
accessed, used, modified and shared by anyone. OSS is often 
distributed under licenses that comply with the definition of ``Open 
Source'' provided by the Open Source Initiative at https://opensource.org/osd or equivalent, and/or that meet the definition of 
``Free Software'' provided by the Free Software Foundation at: 
https://www.gnu.org/philosophy/free-sw.html or equivalent.
    ``Software'' means: (i) Computer programs that comprise a series 
of instructions, rules, routines or statements, regardless of the 
media in which recorded, that allow or cause a computer to perform a 
specific operation or series of operations; and (ii) recorded 
information comprising source code listings, design details, 
algorithms, processes, flow charts, formulas and related material 
that would enable the computer program to be produced, created or 
compiled. Software does not include computer databases or computer 
software documentation.
    ``Source Code'' means computer commands written in a computer 
programming language that is meant to be read by people. Generally, 
source code is a higher-level representation of computer commands 
written by people, but must be assembled, interpreted or compiled 
before a computer can execute the code as a program.
    (b)(1) Policy. It is the EPA policy that new custom-developed 
code be made broadly available for reuse across the federal 
government, subject to the exceptions provided in (b)(3). The policy 
does not apply retroactively so it does not require existing custom-
developed code also be made available for Government-wide reuse or 
as OSS. However, making such code available for government-wide 
reuse or as OSS, to the extent practicable, is strongly encouraged. 
The EPA also supports the Office of Management and Budget's (OMB) 
Federal Source Code Policy provided in OMB Memorandum M-16-21, 
Federal Source Code Policy: Achieving Efficiency, Transparency, and 
Innovation through Reusable and Open Source Software, by:
    (i) Providing an enterprise code inventory (e.g., code.json 
file) that lists new and applicable custom-developed code for, or 
by, the EPA;
    (ii) Indicating whether the code is available for Federal reuse; 
or
    (iii) Indicating if the code is available publicly as OSS.
    (2) Exemption: Source code developed for National Security 
Systems (NSS), as defined in 40 U.S.C. 11103, is exempt from the 
requirements herein.
    (3) Exceptions: Exceptions may be applied in specific instances 
to exempt EPA from sharing custom-developed code with other 
government agencies. Any exceptions used must be approved and 
documented by the Chief Information Officer (CIO) or his or her 
designee for the purposes of ensuring effective oversight and 
management of IT resources. For excepted software, EPA must provide 
OMB a brief narrative justification for each exception, with 
redactions as appropriate. Applicable exceptions are as follows:
    (i) The sharing of the source code is restricted by law or 
regulation, including--but not limited to--patent or intellectual 
property law, the Export Asset Regulations, the International 
Traffic in Arms Regulation and the federal laws and regulations 
governing classified information.
    (ii) The sharing of the source code would create an identifiable 
risk to the detriment of national security, confidentiality of 
government information or individual privacy.

[[Page 46559]]

    (iii) The sharing of the source code would create an 
identifiable risk to the stability, security or integrity of EPA's 
systems or personnel.
    (iv) The sharing of the source code would create an identifiable 
risk to EPA mission, programs or operations.
    (v) The CIO believes it is in the national interest to exempt 
sharing the source code.
    (c) The Contractor shall deliver to the Contracting Officer (CO) 
or Contracting Officer's Representative (COR) the underlying source 
code, license file, related files, build instructions, software 
user's guides, automated test suites, and other associated 
documentation as applicable.
    (d) In accordance with OMB Memorandum M-16-21 the Government 
asserts its unlimited rights--including rights to reproduction, 
reuse, modification and distribution of the custom source code, 
associated documentation, and related files--for reuse across the 
federal government and as open source software for the public. These 
unlimited rights described above attach to all code furnished in the 
performance of the contract, unless the parties expressly agree 
otherwise in the contract.
    (e) The Contractor is prohibited from reselling code developed 
under this contract without express written consent of the EPA 
Contracting Officer. The Contractor must provide at least 30 days 
advance notice if it intends to resell code developed under this 
contract.
    (f) Technical guidance for EPA's OSS Policy should conform with 
the ``EPA's Open Source Code Guidance'' that will be maintained by 
the Office of Mission Support (OMS) at https://developer.epa.gov/guide/open-source-code/ or equivalent.
    (g) The Contractor shall identify all deliverables and asserted 
restrictions as follows:
    (1) The Contractor shall use open source license either:
    (i) Identified in the contract, or
    (ii) developed using one of the following licenses: (a) Creative 
Commons Zero (CC0); (b) MIT license; (c) GNU General Public License 
version 3 (GPL v3); (4) Lesser General Public License 2.1 (LGPL-
2.1); (5) Apache 2.0 license; or (6) other open source license 
subject to Agency approval.
    (2) The Contractor shall provide a copy of the proposed 
commercial license agreement to the Contracting Officer prior to 
contracting for commercial data/software.
    (3) The Contractor shall identify any data that will be 
delivered with restrictions.
    (4) The Contractor shall deliver the data package as specified 
by the EPA.
    (5) The Contractor shall deliver the source code to the EPA-
specified version control repository and source code management 
system.
    (h) The Contractor shall comply with software and data rights 
requirements and provide all licenses for software dependencies as 
follows:
    (1) The Contractor shall ensure all deliverables are 
appropriately marked with the applicable restrictive legends.
    (2) The EPA is deemed to have received unlimited rights when 
data or software is delivered by the Contractor with restrictive 
markings omitted.
    (3) If the delivery is made with restrictive markings that are 
not authorized by the contract, then the marking is characterized as 
``nonconforming.'' In accordance with Federal Acquisition Regulation 
(FAR) 46.407, Nonconforming supplies or services, the Contractor 
will be given the chance to correct or replace the nonconforming 
supplies within the required delivery schedule. If the Contractor is 
unable to deliver conforming supplies, then the EPA is deemed to 
have received unlimited rights to the nonconforming supplies.
    (i) The Contractor shall include this clause in all subcontracts 
that include custom-developed code requirements.

(End of clause)

[FR Doc. 2020-15772 Filed 7-31-20; 8:45 am]
BILLING CODE 6560-50-P