New research highlights open source as critical to agency innovation

As federal agencies continue to prioritize efficiency, innovation, and value in their digital initiatives, open-source software continues to be a key enabler of these goals.

A recent report from ICF highlights both the growing momentum and existing barriers to open-source adoption in federal IT. While fewer than four in ten federal IT decision-makers currently describe their agencies as “core users” of open-source development, nearly all respondents (97%) expect its use to expand significantly in the coming years.

This shift reflects a broader recognition that open-source solutions can enhance interoperability, reduce costs, and accelerate modernization efforts. By leveraging open-source software, agencies can reduce proprietary constraints, foster cross-agency collaboration, and improve responsiveness to mission needs.

As digital modernization initiatives move forward, agencies have an opportunity to rethink outdated assumptions about open-source technology. With strong security frameworks, policy support, and a growing talent pool, open-source development can be a strategic advantage.

The benefits of open-source development

There are significant benefits to open-source development, as many agencies and IT leaders have already learned. In many cases, the agencies require highly customized solutions to extremely complex problems that are unique to the federal government space. In these cases, no commercial solution is available to fill the gap. Respondents to the MeriTalk and ICF survey indicated the myriad ways working with open-source platforms has advanced their agencies’ missions and goals. In open-ended responses, they said that open-source platforms:

• “provided cost-effective, customized solutions.”
• “fostered a culture of knowledge-sharing within our team.”
• “reduced [our] dependency on specific vendors, providing greater flexibility and control over our systems.”
• “provided us with the freedom to innovate, experiment, and refine our strategies.”

Federal agencies that have leveraged open-source development see significant improvements in efficiency and service delivery. The Centers for Medicare and Medicaid Services (CMS) is one example.

Case study: CMS’ iQIES modernization

CMS’ decades-old Quality Improvement and Evaluation System (iQIES) was designed to improve the quality of patient care in nursing homes, hospices, and other healthcare settings through provider assessments and surveys. We partnered with CMS to modernize iQIES through the use of open-source software, delivering a powerful cloud-based application with an intuitive user experience. The platform is now used by thousands of healthcare providers and surveyors across every U.S. state and territory, and CMS has a greater ability to help patients receive the quality care they deserve.

The use of open-source software allows iQIES to evolve to meet the highly specific needs of the federal government without licensing fees, which helps keep costs down. This is particularly important for a large-scale project like iQIES that supports approximately 330,000 providers across 39 healthcare categories and manages over 278 million clinical assessments.

Choosing to build vs. buy

The first question in federal acquisitions should be whether to build vs. buy. Buying an out-of-the-box solution has many advantages, including leveraging potentially decades of pre-existing innovation. This must be weighed against the needs of the government, licensing cost, costs to customize a COTS (commercial-off-the-shelf) solution, the changing needs of the government over time, and vendor lock-in. In many cases, government needs are very specific, and there simply is no off-the-shelf solution to meet them. In other cases, the government must weigh whether their needs will be changing over time, and whether the off-the-shelf solution will be able to adapt at all as federal policy changes. Building a custom solution using open-source software can address all of these challenges.

Addressing cybersecurity concerns

Despite its many benefits, some federal agencies remain cautious about open-source, cloud-based, and AI-assisted software due to security concerns. In fact, 63% of federal IT leaders cite security vulnerabilities as a key barrier to adopting or expanding open-source development.

High-profile vulnerabilities, such as the 2021 Log4j incident, highlight the need for vigilance. However, commercial products suffer from security issues as well, such as with the 2020 Solarwinds incident. With proactive security measures, regular updates, and strong community oversight, open-source software is equally as secure—if not more so—than proprietary alternatives. Agency IT leaders have an opportunity to embrace open source while implementing best practices that safeguard sensitive data.

While policies and regulations are essential for maintaining the security and reliability of government technology, they don’t have to slow innovation—especially when it comes to open-source adoption. With the right tools and strategies, agencies can balance security with agility. Automated solutions for managing software bills of materials (SBOMs), vulnerability scanning, and penetration testing help IT teams proactively address security risks while ensuring compliance without stalling progress. Equally important is the management of open-source licenses; tracking and adhering to these licenses not only safeguards legal compliance but also supports responsible use of community-driven solutions. By leveraging these technologies, agencies can confidently integrate open-source solutions while maintaining strong security postures and regulatory adherence.

Choosing the right open-source partner

As they work to deliver innovation, efficiency, and value, federal agencies should seek partners who can not only advise on how best to develop open-source solutions but also execute those solutions. These partners must be able to integrate people, processes, and technologies to build and deploy a minimally viable product (MVP), as well as scale new solutions to the enterprise. Furthermore, these partners must also help the agency do so with guardrails that keep data protected per the appropriate FISMA regulatory standards. This can be challenging, but it’s a challenge that ICF engineers, developers, and policy experts are working on every day.