
Free and Open Source Software Is COTS: Affordable, Efficient, and Proven

By Aaron Pava & Mike Gifford

When the Centers for Medicare & Medicaid Services (CMS) saved millions by choosing open source solutions over proprietary alternatives, they weren’t breaking procurement rules; they were following them. Yet many government agencies still treat open source software as risky custom development rather than what it actually is: commercial off-the-shelf (COTS) software.

The April 2025 Executive Order, “Ensuring Commercial, Cost-Effective Solutions in Federal Contracts,” directs agencies to prioritize commercial products and services over custom-developed ones when procuring products and services. Preferring existing commercial solutions makes sense for speed, savings, and innovation: highly specialized, government-unique systems are harder to maintain, concentrate the entire burden of security review and patching on a single agency, and often lead to expensive vendor lock-in and fees.

How the Government Defines FOSS vs COTS

The U.S. government’s own definitions affirm that Free and Open Source Software (FOSS) is commercial off-the-shelf software. The Office of the Chief Information Officer of the Department of Defense (DoD) says so directly in its Open Source Software Frequently Asked Questions. This position aligns with Federal Acquisition Regulation (FAR) 2.101, which defines a “commercial product” as a product “of a type customarily used by the general public” that “has been sold, leased, or licensed to the general public” (or offered for sale, lease, or license to it). An open source license is, by definition, a license to the general public, which places OSS squarely within that definition.

Treating Free and Open Source Software (FOSS or OSS) as something separate from COTS creates a false choice for government agencies. Open source software is commercial and off-the-shelf, and it offers real advantages for government use: it eliminates licensing fees, prevents vendor lock-in, and gives you complete visibility into the code you are running. The result is better value and more flexibility than proprietary alternatives.

The DoD has made this point clear in its official guidance. If an open source software (OSS) solution is:

  • Released under an open source license,
  • Maintained by a vendor or active community, and
  • Ready to use without changes,

then it qualifies as COTS software.

The guidance also goes further to state that ignoring OSS in procurement could wrongly exclude a large part of the commercial market. For procurement teams, considering open source COTS isn’t just permissible, it’s a strategic imperative.

Open Source Delivers Value, Faster

Open source COTS gives agencies something proprietary software rarely can: speed with far fewer trade-offs. You start from a mature base, not a blank slate, and you can “try before you buy.” Because the code is open, you can thoroughly evaluate functionality, fit, and security posture before procurement, unlike proprietary offerings where it is often unclear how much modification you will need for basic functionality. Development timelines shrink because you inherit upstream security patches (provided you track upstream releases and apply them), peer-reviewed code, and a global contributor network, and you are freed from restrictive vendor roadmaps.

Open source COTS also encourages modularity. You can integrate only what you need, swap components when requirements change, and avoid getting locked into long-term licensing deals. This collaborative model is estimated to carry about $8.8 trillion in demand-side value, meaning what organizations would have to spend to replace the open source software they rely on, representing immense shared cost savings and innovation.

Commercial Support Makes It Easy

Concerned about support, documentation, or security? Commercial open source software (COSS) vendors provide enterprise-grade support for open source COTS solutions, including:

  • SLAs and helpdesk support
  • Security hardening and patch management
  • Training and implementation assistance
  • Roadmap alignment with federal standards

These vendors operate like any other traditional COTS provider, except that you keep greater transparency, code access, and long-term control over your technology stack. Best of all, if you are unsatisfied with one vendor’s support, competitive alternatives exist, unlike in proprietary lock-in scenarios.

Why Agencies Should Default to Open Source COTS

The 2025 Executive Order asks agencies to default to commercial solutions that are affordable, efficient, and proven. Open source COTS clearly meets these requirements. When an open source platform is the best technical solution, zero licensing fees mean that agencies pay only for the support services they need, and they keep control of their data instead of getting trapped in proprietary systems.

The benefits are clear:

  • No per-seat licenses 
  • No forced upgrades just to stay supported
  • No mystery code. You see exactly what you’re getting.

And best of all, unlike expensive custom-builds, open source COTS lets the public sector share and reuse software across departments, agencies, and jurisdictions. That’s the real multiplier.

The Custom Build Security Trap

Custom software builds are risky, expensive, and less secure, because the agency alone carries the cost of maintaining, reviewing, and patching code that no one else uses. Open source COTS gives you transparency and control, which means agencies can host and manage applications in their own secure environments and meet compliance requirements.

Open source COTS isn’t a compromise; it is often the best solution available. It comes with commercial support and security hardening, and it has been tested by global communities. You should consider proprietary COTS only when it has a clear technical advantage. Those exceptions exist, but they are rare.

Outdated views of open source still linger and lead to poor procurement decisions. Some still think it’s insecure, lacks commercial support, or is built by amateurs in basements. Others assume it’s not enterprise-ready or that no one’s accountable when things go wrong. None of that’s true.

For another perspective on custom development vs. COTS solutions, including the benefits of open source, see Waldo Jaquith’s recent post on the topic.

Commercially supported open source software gets hardened through transparent, community-driven security processes. The most popular open source projects are continuously reviewed by knowledgeable developers. In well-maintained projects, bugs get found and fixed quickly, often in days rather than months, and because advisories and patches are public, an agency can verify for itself which version it needs to be on. Most of the world’s servers run on Linux precisely because it is secure, reliable, and cost-efficient.

In contrast, proprietary vendors typically rely on smaller internal teams, and their security fixes arrive in slower, opaque update cycles that customers cannot inspect. The security case for open source COTS isn’t speculative; it is proven through real-world use in critical infrastructure worldwide.

Moving Forward

Government agencies need to stop treating open source COTS as experimental and start using it as the procurement standard it’s become in industry.

To align with modern policy and maximize value, agencies should:

  • Recognize that open source COTS meets the definition of commercial software 
  • Update acquisition training to clarify how open source COTS fulfills the requirements of DoD guidance and the White House’s directive to prioritize affordable, efficient commercial solutions
  • Evaluate total value. Zero licensing fees mean you can invest directly in the features you want, tailored support, and long-term control, plus benefits like reuse and community-driven security
  • Clearly document the rationale when selecting custom or proprietary solutions over viable open source COTS options

Your agency’s next major software procurement doesn’t have to be expensive custom development or restrictive proprietary solutions. Open source COTS is a third option that’s already proven, government-approved, and ready to use.


Mike Gifford is a Senior Strategist at CivicActions and a thought leader on digital accessibility in the public sector. Previously, he was the Founder and President of OpenConcept Consulting Inc., a web development agency specializing in building open source solutions for the open web. OpenConcept was an impact-driven company and Certified B Corporation. Like CivicActions, OpenConcept worked extensively with the Drupal CMS. Mike was also part of the Government of Canada’s Open Source Advisory Board. He has spearheaded accessibility improvements in Drupal since 2008 and officially became a Drupal Core Accessibility Maintainer in 2012.

Aaron Pava is Co-founder and Chief Development Officer of CivicActions, where he drives strategic growth, culture, and partnerships for the mission-driven digital government consultancy. He previously served at the United States Digital Service, helping transform federal procurement practices through culture change and policy reform. Aaron co-founded the Digital Services Coalition, Technologists for Public Good, and served as Executive Director of the Agile Government Leaders Association. With over 25 years of technology and consulting expertise, he champions free and open source software solutions for government agencies including NSF, CMS, VA, and GSA. Aaron is deeply committed to modernizing federal procurement, digital services delivery, and open practices adoption, bringing unique leadership perspectives to government transformation.
