Developing software for the U.S. government can help a company to dramatically fuel its growth. However, organizations doing business with the government are bound by certain rules and regulations that may not be applicable to business conducted within the private sector. For example, the Antideficiency Act, which puts a cap on spending based on the amount available in the appropriation or fund, may conflict with certain commercial license clauses. FAR and DFARS requirements may present a conflict with commercial clauses as well. The same challenges can extend to usage of open source code. With the prevalence of open source usage, companies need to be well aware of their products’ third-party open source dependencies as well as the third-party transitive dependencies. The government has strict due diligence protocols and may take a fine-toothed comb to reviewing the open source dependencies and their licenses that any company going into agreement with the government is using. Why? To ensure there is no license clause so objectionable as to be a deal-breaker.
In response to potential deal-breaker scenarios, a new regulation went into effect on August 13, 2020–a U.S. federal government contract ban forbidding the government from buying goods and services from companies that use products from the following five Chinese companies: Huawei, ZTE, Hytera, Hangzhou, and Dahua. There were already plenty of reasons for software companies to perform comprehensive scans and analyses of their product codebases prior to this new law going into effect, such as the threats posed by vulnerabilities in open source components as well as forced code disclosure due to copyleft license restrictions, but it did offer another compelling reason to do so. The U.S. federal government accounts for 8.6% of all IT spending in the U.S., which is the largest single vertical market for IT. Not knowing what is inside their code may cost software companies the chance to win lucrative federal contracts for their products or services.
This new law may be the first of many that the government imposes to target certain nations or sectors it deems may pose risks to national security. The burgeoning field of SCA (Software Composition Analysis) offers a solution to the potentially expanding challenge of complying with government regulations. Via a product like Code Insight, you can scan a codebase for various types of indicators and target your analysis based on your needs. For example, you can target search strings like “huawei,” “zte,” and “dahua” to ensure there are no dependencies on products from blacklisted companies inside your code. Additionally, Code Insight allows for copyright string detection that can be used to identify whether any particular company’s copyrights are found within your code base. Having a proper process in place to ensure total awareness of commercial and open source component usage can reduce or eliminate any roadblocks to a smooth business transaction with the government.