In 2013 the Linux Foundation started the OpenChain Project led by Shane Coughlan. The project sought to define an effective specification for open source license compliance throughout the software supply chain.
In December 2020 OpenChain was ratified and published as an international standard: ISO/IEC 5230:2020. Therefore, ISO/IEC 5230:2020 and the Open Chain specification are functionally identical.
The standard defines the key requirements of a quality open source license compliance program, which builds trust between organisations exchanging software solutions composed of open source software.
This ‘trust’ is founded on the fact that an organisation’s conformant program indicates to others that it has been designed to achieve license compliance for the open source software it shares.
Microsoft announced its conformance to the OpenChain ISO 5230 standard back in 2019. Many other organisations have also publicly announced OpenChain conformant programs including Arm, Cisco, Siemens and Uber.
OpenChain ISO 5230 is a flexible standard that can be integrated into various workflows. For example, the standard can be leveraged as a requirement in the merger and acquisition (M&A) due diligence process and for the supply chain of software services
OpenChain ISO 5230 in Mergers & Acquisitions (M&A)
During the M&A process, legal teams carry out technical due diligence against the target organisations software. This process assesses the risk associated with the organisation deriving from its software. At the pre-deal stage venture capitalists and other investors also carry out technical due diligence against the investee for the same reasons.
As part of this assessment, the target organisation will need to demonstrate the amount of control, they have over their use of open source software. Following this assessment terms may be put into the contract to mitigate any risks.
The OpenChain ISO 5230 standard will play a growing role in M&A transactions because of the widespread adoption of open source software, the growing number of transactions in the technology sector and the fact that more and more organisations who do not regard themselves as technology businesses effectively are. This is because every day companies are hiring software engineers to develop solutions or are outsourcing solutions to transform their business practices and to improve customer satisfaction.
Conformance to the OpenChain ISO 5230 standard has the potential to reduce friction in these transactions. This is because a lot of the information required during the due diligence process will be ready to hand. Therefore, using the OpenChain standard requirements as part of the due diligence process provides a clear picture of the target organisation and any risks posed by open source software, to the purchaser or investor.
At Source Code Control Ltd we are increasingly seeing investors requiring that investee’s become OpenChain ISO 5230 conformant as a condition of ongoing investment. Conformance to the OpenChain ISO 5230 standard is a great governance mechanism to ensure that the investee is not veering off the path of open source license compliance before the investor exits.
OpenChain in Procurement & Outsourced Software Development
The OpenChain ISO 5230 standard was designed for procurement and outsourcing activities where software is involved, and where the products or solutions will be applied to business-critical areas or sold.
Using the OpenChain ISO 5230 standard in a typical procurement and outsourcing workflow quickly identifies which companies are aligned around industry-wide open source compliance best practices and which are not.
When a supplier conforms to ISO/IEC 5230:2020 this provides various assurances:
– This company has an open source policy
– Their relevant staff have completed open source software training
– They have a process for addressing compliance in inbound software
– They have a process for addressing compliance during internal development
– They have a process for addressing compliance for outbound products and services
– They have documentation on how this is accomplished
– Everything is structured in the same manner as every other company using this industry standard
OpenChain conformant organisations gain a competitive advantage in the sales process for their solutions. For example, a company issues a request for proposal (RFP) to acquire a software solution. The procurement organisation short lists suppliers. If one of the suppliers is OpenChain conformant they are demonstrating they are managing their supply chain and not passing on a risk. On top of that they can supply an accurate Software Bill of Materials (SBoM). If the other shortlisted organisations are unable to demonstrate this, there will be a question mark over the quality of their software development processes. This is a demonstration of the objective of OpenChain in building trust in software supply chains. This could be looked at from the acquirer of software solutions viewpoint. OpenChain is one of the benchmarks they can use to vet suppliers for supplying trustworthy solutions.
Open Source at Scania
OpenChain ISO 5230 was designed to be used in the software procurement process across many industries, and now we are starting to see how the ISO standard will be used going forward.
In May 2021, Scania announced a big improvement to the professional management of their outsourced software solutions. Scania has clearly defined its expectations when open source is part of a delivery.
A corporate standard has been issued which mandates that suppliers must conform to ISO/IEC 5230:2020. Conformance allows Scania to trust that their suppliers have a professional management program in place, for their use of open source software.
If in the process of developing a solution for Scania, a supplier makes modifications to open source components, Scania specify they would like to see those modifications contributed to the open source project. This process is known as upstreaming. Upstreaming encourages participation in open source projects which increases innovation through collaboration and ultimately strengthens the original open source project.
Finally, Scania asks that suppliers provide any Software Bill of Materials (SBoM’s) in the ISO/IEC DIS 5962 (SPDX) format. SPDX is an open standard for communicating an SBoM. This format eliminates unnecessary work efforts by providing a common format for companies and suppliers to share open source software composition data between teams or a along a supply chain.