[118th Congress Public Law 187]
[From the U.S. Government Publishing Office]
[[Page 2637]]
SOURCE CODE HARMONIZATION AND
REUSE IN INFORMATION TECHNOLOGY ACT
[[Page 138 STAT. 2638]]
Public Law 118-187
118th Congress
An Act
To require governmentwide source code sharing, and for other
purposes. <<NOTE: Dec. 23, 2024 - [H.R. 9566]>>
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled, <<NOTE: Source code
Harmonization And Reuse in Information Technology Act. 44 USC 3501
note.>>
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Source code Harmonization And Reuse
in Information Technology Act'' or the ``SHARE IT Act''.
SEC. 2. DEFINITIONS.
In this Act:
(1) Agency.--The term ``agency'' has the meaning given that
term in section 3502 of title 44, United States Code.
(2) Appropriate congressional committees.--The term
``appropriate congressional committees'' means the Committee on
Homeland Security and Governmental Affairs of the Senate and the
Committee on Oversight and Accountability of the House of
Representatives.
(3) Custom-developed code.--The term ``custom-developed
code''--
(A) means source code that is--
(i) produced in the performance of a contract
with an agency or is otherwise exclusively funded
by the Federal Government; or
(ii) developed by a Federal employee as part
of the official duties of the employee;
(B) includes--
(i) source code, or segregable portions of
source code, for which the Federal Government
could obtain unlimited rights under part 27 of the
Federal Acquisition Regulation or any relevant
supplemental acquisition regulations of an agency;
and
(ii) source code written for a software
project, module, plugin, script, middleware, or
application programming interface; and
(C) does not include--
(i) source code that is solely exploratory or
disposable in nature, including source code
written by a developer experimenting with a new
language or library; or
(ii) commercial computer software, commercial
off-the-shelf software, or configuration scripts
for such software.
[[Page 138 STAT. 2639]]
(4) Federal employee.--The term ``Federal employee'' has the
meaning given the term in section 2105(a) of title 5, United
States Code.
(5) Metadata.--The term ``metadata'', with respect to
custom-developed code--
(A) has the meaning given that term in section 3502
of title 44, United States Code; and
(B) includes--
(i) information on whether the custom-
developed code was--
(I) produced pursuant to a contract;
or
(II) shared in a public or private
repository;
(ii) any contract number under which the
custom-developed code was produced; and
(iii) any hyperlink to the repository in such
the code was shared.
(6) Private repository.--The term ``private repository''
means a software storage location--
(A) that contains source code, documentation,
configuration scripts, as appropriate, revision history,
and other files; and
(B) access to which is restricted to only authorized
users.
(7) Public repository.--The term ``public repository'' means
a software storage location--
(A) that contains source code, documentation,
configuration scripts, as appropriate, revision history,
and other files; and
(B) access to which is open to the public.
(8) Software.--The term ``software'' has the meaning given
the term ``computer software'' in section 2.101 of title 48,
Code of Federal Regulations, or any successor regulation.
(9) Source code.--The term ``source code'' means a
collection of computer commands written in a computer
programming language that a computer can execute as a piece of
software.
SEC. 3. <<NOTE: Deadlines. Public information.>> SOFTWARE REUSE.
(a) Sharing.--Not later than 210 days after the date of enactment of
this Act, the head of each agency shall ensure that the custom-developed
code of the agency and other key technical components of the code
(including documentation, data models, schemas, metadata, architecture
designs, configuration scripts, and artifacts required to develop,
build, test, and deploy the code) of the code are--
(1) stored at not less than 1 public repository or private
repository;
(2) accessible to Federal employees via procedures developed
under subsection (d)(1)(A)(ii)(III); and
(3) owned by the agency.
(b) Software Reuse Rights in Procurement Contracts.--The head of an
agency that enters into a contract for the custom development of
software shall acquire and exercise rights sufficient to enable the
governmentwide access to, sharing of, use of, and modification of any
custom-developed code created in the development of such software.
(c) Discovery.--Not later than 210 days after the date of enactment
of this Act, the head of each agency shall make metadata
[[Page 138 STAT. 2640]]
created on or after such date for the custom-developed code of the
agency publicly accessible.
(d) Accountability Mechanisms.--
(1) Agency cios. <<NOTE: Policies.>> --Not later than 180
days after the date of enactment of this Act, the Chief
Information Officer of each agency, in consultation with the
Chief Acquisition Officer, or similar official, of the agency
and the Administrator of the Office of Electronic Government,
shall develop an agency-wide policy that--
(A) implements the requirements of this Act,
including--
(i) ensuring that custom-developed code
follows the best practices established by the
Director of the Office and Management and Budget
under paragraph (3) for operating repositories and
version control systems to keep track of changes
and to facilitate collaboration among multiple
developers; and
(ii) <<NOTE: Procedures.>> managing the
sharing of custom-developed code under subsection
(b), and the public accessibility of metadata
under subsection (c), including developing--
(I) <<NOTE: Determination.>>
procedures to determine whether any
custom-developed code meets the
conditions under section 4(b) for an
exemption under this Act;
(II) procedures for making metadata
for custom-developed code publicly
accessible pursuant to subsection (c);
(III) procedures for Federal
employees to gain access to public
repositories and private repositories
that contain custom developed source
code; and
(IV) <<NOTE: Standards.>> standardized
reporting practices across the agency to
capture key information relating to a
contract under which custom-developed
source code was produced for reporting
statistics about the contract; and
(B) corrects or amends any policies of the agency
that are inconsistent with the requirements of this Act.
(2) Administrator of the office of electronic government.--
(A) Minimum standard reporting requirements.--Not
later than 120 days after the date of enactment of this
Act, the Administrator of the Office of Electronic
Government shall establish minimum standard reporting
requirements for the Chief Information Officers of
agencies, which shall include information relating to--
(i) measuring the frequency of reuse of code,
including access and modification under subsection
(b);
(ii) whether the shared code is maintained;
(iii) whether there is a feedback mechanism
for improvements to or community development of
the shared code; and
(iv) the number and circumstances of all
exemptions granted under section 4(a)(2).
(B) Reporting requirement.--
(i) <<NOTE: Time period.>> Requirement.--Not
later than 1 year after the date of the enactment
of this Act, and annually thereafter, the
Administrator of the Office of Electronic
[[Page 138 STAT. 2641]]
Government shall publish on a centralized website
a report on the implementation of this Act that
includes--
(I) <<NOTE: List.>> a complete list
of all exemptions granted under section
4(a)(2); and
(II) <<NOTE: Updates.>> information
showing whether each agency has updated
the acquisition and other policies of
the agency to be compliant with this
Act.
(ii) Open government data asset.--The report
under clause (i) shall be maintained as an open
Government data asset (as defined in section 3502
of title 44, United States Code).
(3) Guidance.--The Director of the Office of Management and
Budget shall issue guidance, consistent with the purpose of this
Act, that establishes best practices and uniform procedures
across agencies for the purposes of implementing this
subsection.
SEC. 4. EXEMPTIONS.
(a) In General.--
(1) <<NOTE: Applicability.>> Automatic.--
(A) In general.--This Act shall not apply to
classified source code or source code developed
primarily for use in a national security system (as
defined in section 11103 of title 40, United States
Code).
(B) National security.--An exemption from the
requirements under section 3 shall apply to classified
source code or source code developed--
(i) primarily for use in a national security
system (as defined in section 11103 of title 40,
United States Code); or
(ii) by an agency, or part of an agency, that
is an element of the intelligence community (as
defined in section 3(4) of the National Security
Act of 1947 (50 U.S.C. 3003(4)).
(C) Freedom of information act.--An exemption from
the requirements under section 3 shall apply to source
code the disclosure of which is exempt under section
552(b) of title 5, United States Code (commonly known as
the ``Freedom of Information Act'').
(2) Discretionary.--
(A) Exemption and guidance.--
(i) In general.--The Chief Information Officer
of an agency, in consultation with the Federal
Privacy Council, or any successor thereto, may
exempt from the requirements of section 3 any
source code for which a limited exemption
described in subparagraph (B) applies.
(ii) Guidance required.--The Federal Privacy
Council shall provide guidance to the Chief
Information Officer of each agency relating to the
limited exemption described in subparagraph
(B)(ii) to ensure consistent application of this
paragraph across agencies.
(B) Limited exemptions.--The limited exemptions
described in this paragraph are the following:
(i) The head of the agency is prohibited from
providing the source code to another individual or
entity
[[Page 138 STAT. 2642]]
under another Federal law or regulation, including
under--
(I) the Export Administration
Regulations;
(II) the International Traffic in
Arms Regulations;
(III) the regulations of the
Transportation Security Administration
relating to the protection of Sensitive
Security Information; and
(IV) the Federal laws and
regulations governing the sharing of
classified information not covered by
the exemption in paragraph (1).
(ii) The sharing or public accessibility of
the source code would create an identifiable risk
to the privacy of an individual.
(b) Reports Required.--
(1) Agency reporting.--Not later than December 31 of each
year, the Chief Information Officer of an agency shall submit to
the Administrator of the Office of Electronic Government a
report of the source code of the agency to which an exemption
under paragraph (1) or (2) of subsection (a) applied during the
fiscal year ending on September 30 of that year with a brief
narrative justification of each exemption.
(2) Annual report to congress.--Not later than 1 year after
the date of enactment of this Act, and annually thereafter, the
Administrator of the Office of Electronic Government shall
submit to the appropriate congressional committees a report on
all exemptions granted under paragraph (1) or (2) of subsection
(a) by each agency, including a compilation of all information,
including the narrative justification, relating to each such
exemption.
(3) Form.--The reports under paragraphs (1) and (2) shall be
submitted in unclassified form, with a classified annex as
appropriate.
SEC. 5. <<NOTE: Assessment.>> GAO REPORT.
Not later than 2 years after the date of enactment of this Act, the
Comptroller General of the United States shall submit to Congress a
report that includes an assessment of the implementation of this Act.
SEC. 6. RULE OF CONSTRUCTION.
Nothing in this Act may be construed as requiring the disclosure of
information or records that are exempt from public disclosure under
section 552 of title 5, United States Code (commonly known as the
``Freedom of Information Act'').
SEC. 7. <<NOTE: Deadlines.>> APPLICATION.
This Act shall apply to custom-developed code that is developed or
revised--
(1) by a Federal employee not less than 180 days after the
date of enactment of this Act; or
(2) <<NOTE: Contracts.>> under a contract awarded pursuant
to a solicitation issued not less than 180 days after the date
of enactment of this Act.
[[Page 138 STAT. 2643]]
SEC. 8. <<NOTE: Deadline.>> REVISION OF FEDERAL ACQUISITION
REGULATION.
Not later than 1 year after the date of enactment of this Act, the
Federal Acquisition Regulation shall be revised as necessary to
implement the provisions of this Act.
SEC. 9. NO ADDITIONAL FUNDING.
No additional funds are authorized to be appropriated to carry out
this Act.
Approved December 23, 2024.
LEGISLATIVE HISTORY--H.R. 9566:
---------------------------------------------------------------------------
CONGRESSIONAL RECORD, Vol. 170 (2024):
Dec. 4, considered and passed House.
Dec. 17, considered and passed Senate.
<all>