[Senate Report 118-213]
[From the U.S. Government Publishing Office]
Calendar No. 491
118th Congress, 2d Session
SENATE
Report 118-213
_______________________________________________________________________
SOURCE CODE HARMONIZATION AND
REUSE IN INFORMATION TECHNOLOGY (SHARE IT) ACT
__________
R E P O R T
of the
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
S. 3594
TO REQUIRE GOVERNMENTWIDE SOURCE CODE SHARING,
AND FOR OTHER PURPOSES
September 9, 2024.--Ordered to be printed
_______
U.S. GOVERNMENT PUBLISHING OFFICE
49-010 WASHINGTON : 2024
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware            RAND PAUL, Kentucky
MAGGIE HASSAN, New Hampshire          RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona               JAMES LANKFORD, Oklahoma
JACKY ROSEN, Nevada                   MITT ROMNEY, Utah
JON OSSOFF, Georgia                   RICK SCOTT, Florida
RICHARD BLUMENTHAL, Connecticut       JOSH HAWLEY, Missouri
LAPHONZA R. BUTLER, California        ROGER MARSHALL, Kansas
David M. Weinberg, Staff Director
Alan S. Kahn, Chief Counsel
Michelle M. Benecke, Senior Counsel
Tiffany Ann Shujath, U.S. Department of Homeland Security Detailee
William E. Henderson III, Minority Staff Director
Christina N. Salazar, Minority Chief Counsel
Andrew J. Hopkins, Minority Counsel
Kendal B. Tigner, Minority Professional Staff Member
Laura W. Kilbride, Chief Clerk
Mr. Peters, from the Committee on Homeland Security and Governmental
Affairs, submitted the following
R E P O R T
[To accompany S. 3594]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (S. 3594), to require
governmentwide source code sharing, and for other purposes,
having considered the same, reports favorably thereon with an
amendment in the nature of a substitute and recommends that the
bill, as amended, do pass.
CONTENTS
I. Purpose and Summary
II. Background and Need for the Legislation
III. Legislative History
IV. Section-by-Section Analysis of the Bill, as Reported
V. Evaluation of Regulatory Impact
VI. Congressional Budget Office Cost Estimate
VII. Changes in Existing Law Made by the Bill, as Reported
I. PURPOSE AND SUMMARY
S. 3594, the Source code Harmonization and Reuse in
Information Technology Act, or the SHARE IT Act, mandates the
sharing of custom-developed software source code across federal
agencies to maximize efficiency, enhance security, and foster
innovation in federal information technology. Many federal
agencies develop or buy custom software created for the agency.
In many cases, this software has the potential to be reused by
other agencies for performing the same or similar tasks.
However, many agencies only allow their own agency to use or
see this custom-developed software code, preventing other
agencies from realizing the software's benefits.
II. BACKGROUND AND NEED FOR THE LEGISLATION
Currently, the federal government spends $100 billion
annually purchasing information technology, which includes
``off-the-shelf'' software as well as software code that is
``custom-developed'' for agencies.\1\ Examples of custom code
include websites, public databases of government activity
(e.g., grants.gov), computer models for regulatory analyses,
and even mobile apps for making reservations at national parks.
However, agencies generally do not share custom software or its
underlying code with each other. This results in duplicative
government contracts and needless spending, as agencies will
frequently hire contractors to reproduce code that another
agency has already purchased.\2\ Additionally, if agencies
allow contractors to keep sole control of computer models used
for regulatory analysis, that code does not count as
``government records'' and thus is not subject to the Freedom
of Information Act.
---------------------------------------------------------------------------
\1\Government Accountability Office, Information Technology:
Digital Service Programs Need to Consistently Coordinate on Developing
Guidance for Agencies (GAO-22-104492) (Dec. 2021)
(https://www.gao.gov/assets/gao-22-104492.pdf).
\2\Office of Management and Budget, Memorandum for the Heads of
Departments and Agencies, Federal Source Code Policy: Achieving
Efficiency, Transparency, and Innovation through Reusable and Open
Source Software (Aug. 2016)
(https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2016/m_16_21.pdf).
---------------------------------------------------------------------------
In 2016, the Office of Management and Budget attempted to
address this issue by releasing a new federal source code
policy to direct federal agencies to share code with each
other.\3\ However, the policy lacked accountability mechanisms,
uniformity in procedures for accessing code, and requirements
to report agencies that refused to share their code. As a
result, after seven years and despite the best efforts of
Republican and Democratic administrations, thirteen federal
agencies still do not share the code they buy with other
government agencies.\4\
---------------------------------------------------------------------------
\3\Id.
\4\See, General Services Administration, Guidance, Agency
Compliance (https://code.gov/agency-compliance/compliance/dashboard/)
(accessed Feb. 13, 2024).
---------------------------------------------------------------------------
The SHARE IT Act would improve and update federal source
code policy. This bill would mandate federal code sharing by
requiring agencies to publicly list custom code they make or
buy and share that list with the rest of the government. The
Act exempts agencies from disclosing code for national security
systems, classified code, and code whose disclosure would create
an identifiable risk to individual privacy. The bill would also
increase agency accountability for code sharing by requiring
Chief Information Officers to oversee their agencies' code
sharing and submit annual reports to Congress documenting their
compliance.
III. LEGISLATIVE HISTORY
Senator Ted Cruz (R-TX) introduced S. 3594, the Source code
Harmonization and Reuse in Information Technology Act, on
January 16, 2024, with original cosponsor Senator Gary Peters
(D-MI). The bill was referred to the Committee on Homeland
Security and Governmental Affairs.
The Committee considered S. 3594 at a business meeting on
January 31, 2024. At the business meeting, Chairman Peters
offered a substitute amendment to the bill, as well as a
modification to the substitute amendment. The Peters substitute
amendment, as modified, clarified the definition of ``custom-
developed code'' and added requirements regarding reporting and
exemptions from sharing source code. These included requiring:
a narrative justification for each national security exemption;
consultation with the Federal Privacy Council on use of a
limited privacy-related exemption and guidance to agencies on
use of this exemption; and a Government Accountability Office
report to Congress on the effectiveness of this Act.
The Committee adopted the modification to the amendment,
and the Peters substitute amendment as modified, by unanimous
consent, with Senators Peters, Carper, Hassan, Rosen, Ossoff,
Paul, Lankford, Romney, Scott, and Marshall present. The bill,
as amended by the Peters substitute amendment as modified, was
ordered reported favorably by roll call vote of 10 yeas to 0
nays, with Senators Peters, Carper, Hassan, Rosen, Ossoff,
Paul, Lankford, Romney, Scott, and Marshall voting in the
affirmative. Senators Sinema, Blumenthal, Butler, Johnson, and
Hawley voted yea by proxy, for the record only.
IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED
Section 1. Short title
This section establishes the short title of the bill as the
``Source code Harmonization And Reuse in Information Technology
Act'' or the ``SHARE IT Act.''
Section 2. Findings; purpose
This section provides findings, including an evaluation of
current code sharing practices across government, such as: (1)
duplicative purchasing efforts; (2) cost inefficiencies of
current code sharing practice; (3) impacts of creating
fragmented technology; (4) slow adoption of code sharing best
practices; and (5) security vulnerabilities. This section also
highlights successful code sharing pilots, demonstrating the
need for Congress to enact legislation mandating the sharing of
custom-developed code across agencies.
This section also establishes the overarching purpose of
the Act: to require agencies to share custom-developed code
between themselves to maximize efficiency, minimize
duplication, and enhance security and innovation across the
federal government.
Section 3. Definitions
This section defines the terms ``agency,'' ``appropriate
congressional committees,'' ``custom-developed code,''
``federal employee,'' ``metadata,'' ``private repository,''
``public repository,'' ``software,'' and ``source code.''
Section 4. Software reuse
Subsection (a) requires the head of each agency to ensure
that (1) custom-developed code of the agency is contained in a
public or private repository, (2) the code is accessible to
federal employees, and (3) the custom-developed software code
and related documentation is owned by the agency.
Subsection (b) requires agency heads to ensure that
agencies use best practices in contract administration to
ensure that contracts for custom software allow for government-
wide access, execution, and modification to custom code related
to software.
Subsection (c) requires agencies to make metadata for
custom-developed code accessible to the public.
Subsection (d) requires agencies' Chief Information
Officers (CIOs) to work with Chief Acquisition Officers and the
Federal CIO to develop agency-wide policy on guidance for
complying with requirements of this Act. The policy includes
(1) ensuring best practices in repositing custom-developed
code; (2) developing procedures for managing the sharing and
discovery of source code; and (3) identifying individuals who
are responsible for carrying out the Act's requirements.
One year after the Act's enactment, the Federal CIO would
also be responsible for developing a framework for ensuring
that new software supports existing digital priorities in the
federal government. Additionally, the Federal CIO, in
coordination with the National Institute of Standards and
Technology Director, would establish minimum reporting
requirement standards for agency CIOs on measurement of code
reuse frequency, maintenance of shared code, mechanisms of
improving and developing shared code, and circumstances of
granted exemptions in the Act.
Section 5. Scope and applicability
Subsection (a) applies the requirements set forth in
Section 4 to all custom-developed code that is developed or
revised 180 days or more after the bill's enactment.
Subsection (b) provides automatic exemptions from the
requirements set forth in Section 4, for the following cases:
(1) classified source code or source code developed for a
national security system or by elements of the intelligence
community; (2) source code for which disclosure is exempt under
the Freedom of Information Act; and (3) limited exemptions
under discretion of agency CIOs, in consultation with and based
on guidance issued by the Federal Privacy Council.
The subsection also creates several reporting requirements.
The subsection requires agency CIOs to submit annual reports to
the Office of Electronic Government, providing information on--
and justification for--any automatic or discretionary
exemptions made under this Act during the previous fiscal year,
with a classified annex as appropriate. The subsection also
requires the Office of Electronic Government, starting a year
after enactment, to submit annual reports to the appropriate
congressional committees on implementation of the Act. This
report would include information related to automatic and
discretionary exemptions made; a table tracking compliance with
this Act; evaluation of agencies' compliance with the Office of
Electronic Government framework described in section
4(d)(2)(A); and a classified annex as appropriate.
Section 6. Guidance
This section requires the Director of the Office of
Management and Budget to issue guidance, consistent with the
purpose of this Act, that establishes best practices and
uniform procedures across agencies in establishing
accountability mechanisms as required by section 4(d).
Section 7. GAO Report on information technology practices
Subsection (a) requires the Comptroller General to submit a
report to Congress, within one year of enactment, that
includes: (1) an assessment of duplicative software procurement
across and within agencies, including estimates of the
frequency, severity, and dollar value of the duplicative
software procurement; (2) barriers to agency use of cloud-based
platforms for software development, along with recommendations
for addressing those barriers; (3) how source code sharing and
open-source software collaboration can improve cybersecurity at
agencies; and (4) other relevant matters, as determined by the
Comptroller General.
Subsection (b) requires the Comptroller General to submit
to the appropriate congressional committees, within two years
of enactment, a report that includes an assessment of the
implementation of this Act, and other relevant matters as
determined by the Comptroller General.
Section 8. Rule of construction
This section establishes a rule of construction that
nothing in this Act shall be construed to require the
disclosure of information or records that are exempt from
public disclosure under the Freedom of Information Act.
Section 9. No Additional funding
This section provides that no additional funds are
authorized to be appropriated to carry out this Act.
Section 10. GAO Report on effectiveness
This section requires the Comptroller General to submit to
appropriate congressional committees a report on the
effectiveness of this Act, within 540 days from the date of
enactment.
V. EVALUATION OF REGULATORY IMPACT
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of this bill and determined
that the bill will have no regulatory impact within the meaning
of the rules. The Committee agrees with the Congressional
Budget Office's statement that the bill contains no
intergovernmental or private-sector mandates as defined in the
Unfunded Mandates Reform Act (UMRA) and would impose no costs
on state, local, or tribal governments.
VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE
S. 3594 would require federal agencies to share their
custom-developed software code with other federal agencies and
the public. Under the bill, the Office of Electronic Government
(E-Gov) would assess federal practices for sharing software
code and develop procedures for reusing code across the federal
government. The bill also would require each agency to develop
an implementation policy governing software sharing practices
and would require E-Gov and the Government Accountability
Office to report to the Congress on the effectiveness of
federal software sharing.
OMB Memorandum M-16-21, Federal Source Code Policy, issued
on August 8, 2016, requires federal agencies to create software
inventories and make custom-developed code available for
government-wide reuse. Thus, because most of the software
sharing activities that would be required under S. 3594 will be
completed under current law, CBO estimates that satisfying
those requirements would cost less than $500,000. On the basis
of costs for similar activities, CBO estimates that satisfying
the policy development and reporting requirements of S. 3594
would cost $2 million over the 2024-2029 period. Such spending
would be subject to the availability of appropriated funds.
The costs of the legislation, detailed in Table 1, fall
within budget function 800 (general government).
TABLE 1.--ESTIMATED INCREASES IN SPENDING SUBJECT TO APPROPRIATION UNDER S. 3594
--------------------------------------------------------------------------------
                                   By fiscal year, millions of dollars--
                           -----------------------------------------------------
                           2024   2025   2026   2027   2028   2029   2024-2029
--------------------------------------------------------------------------------
Estimated Authorization      *      2      *      *      *      *        2
Estimated Outlays            *      2      *      *      *      *        2
--------------------------------------------------------------------------------
* = between zero and $500,000.
Enacting the bill could affect direct spending by some
agencies that are allowed to use fees, receipts from the sale
of goods, and other collections to cover operating costs. CBO
estimates that any net changes in direct spending by those
agencies would be negligible because most of them can adjust
amounts collected to reflect changes in operating costs.
The CBO staff contact for this estimate is Aldo Prosperi.
The estimate was reviewed by Christina Hawley Anthony, Deputy
Director of Budget Analysis.
Phillip L. Swagel,
Director, Congressional Budget Office.
VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED
This legislation would make no change in existing law,
within the meaning of clauses (a) and (b) of subparagraph 12 of
rule XXVI of the Standing Rules of the Senate, because this
legislation would not repeal or amend any provision of current
law.