Open Source Procurement Checklist

This checklist is intended to guide procurement officers in evaluating open source software (OSS) solutions during digital government acquisitions. It helps ensure that decisions are legally sound, sustainable, and aligned with public value.

Is the solution built on or extending OSS?
- Confirm whether the proposed solution incorporates or builds upon existing OSS projects.
Is the OSS license OSI-approved?
- Ensure the software is licensed under a license approved by the Open Source Initiative (OSI).
- Common examples include MIT, Apache-2.0, GPLv3, AGPLv3, BSD, and MPL.
Is the OSS widely used and maintained?
- Look for evidence of:
  - Active issue tracking
  - Recent commits or releases
  - Multiple contributors and a governance model
Does the vendor offer support, updates, and patching?
- Confirm whether the vendor provides ongoing maintenance, security patches, and update services.
Are upstream contributions part of the delivery plan?
- Determine whether improvements made under the contract will be contributed back to the upstream OSS project, in alignment with community norms and licensing.
Is a software bill of materials (SBOM) included?
- Require an SBOM listing all open source components and dependencies, their versions, and license types.
Are licensing obligations understood and documented?
- Identify whether:
  - Copyleft obligations (e.g., GPL, AGPL and MPL) have been reviewed
  - License compatibility has been assessed
  - Attribution or disclosure requirements are met
Has the agency retained rights to reuse and modify the software?
- Ensure contract deliverables include source code with rights to:
  - Use, study, modify, and redistribute
  - Reuse in future projects or across agencies

Use this checklist during pre-award evaluations and when drafting solicitations to promote better public outcomes through secure, maintainable, and transparent open source adoption.