OpenChain ISO/IEC 5230:2020 is an international standard that outlines elements of a successful open source license compliance program. Organizations whose license compliance programs satisfy the standard’s requirements can earn the designation OpenChain Conformant.
ISO/IEC 5230:2020 was prepared by the Joint Development Foundation (a project of the Linux Foundation), submitted to ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission), and published in December 2020. It integrated feedback from more than 200 contributors and aims to be inclusive of the broad range of organizations that use open source software.
According to the Linux Foundation, the OpenChain Specification was developed with four primary goals in mind:
- Build Trust: Encourage the use of open source in constructing software solutions that are shared with others (with a focus on license compliance).
- Keep it Simple: The standard’s developers included practical use cases and kept the content relatively short and to the point.
- Focus on the What and Why: A wide variety of organizations use open source software, so the team that developed ISO/IEC 5230 did its best to build flexibility into the standard. It generally avoids being too prescriptive in areas like “how” and “when” to implement elements of a license compliance program, instead focusing on different practices to solve a given requirement — the “what” and “why.”
- Function as an Open Development Initiative: Just as the very nature of open source software is collaborative, so, too, was the process the Linux Foundation used to develop the OpenChain Specification.
The end result was a nine-page document built around a set of 13 core requirements that compliance programs must satisfy to earn OpenChain Conformance.
In this blog, we’ll offer several key takeaways on OpenChain ISO/IEC 5230:2020, including requirements for compliance program participants, how to meet the needs of external stakeholders, and, ultimately, how to become a conformant organization.
OpenChain ISO/IEC 5230:2020: Internal Requirements
A number of requirements in the OpenChain Specification govern the internal policies, procedures, and staffing of a license compliance program. These include:
- Strong documentation: Policies that govern an organization’s use of open source software should be documented so all program participants are aware of them.
- Clear roles and responsibilities: Participants should have clarity around their role in an open source license compliance program, and they should have the expertise to successfully carry out their duties. Additionally, information on program participant roles and responsibilities should be distributed to all relevant stakeholders across the company.
- A defined review process: The organization should implement a defined process to review and understand the obligations that stem from various open source licenses.
OpenChain ISO/IEC 5230:2020: Satisfying External Stakeholders
One of the themes in the OpenChain Specification is that there are both internal and external elements to becoming a conforming organization. The internal component is enabling all internal stakeholders (across teams like legal, engineering, architecture, and program management) with strong policies, training, resources, goals, and processes.
Requirements dealing with external stakeholders cater to two audiences: the people who own and contribute to the open source projects your organization uses, and the customers who receive your final product. These requirements can be broadly grouped into three categories:
- Develop a process: The OpenChain Specification requires organizations to make clear to the public how interested parties can make open source compliance-related inquiries.
- Identify participants: Open source compliance program participants should have clear roles and responsibilities that govern who in your organization responds to third-party inquiries.
- Create formal documentation: Organizations should document the process and participants for successfully completing license compliance program tasks.
OpenChain ISO/IEC 5230:2020: Key Capabilities
Many of the ISO/IEC 5230 requirements are related to documenting the processes and procedures that govern open source use, and to ensuring that compliance program participants have clarity around roles and responsibilities.
It’s no surprise, then, that the third piece of the puzzle is for organizations to ensure they empower program participants to actually execute the daily and weekly responsibilities of open source license compliance.
For example, Requirement 3.3.1 states that conformant organizations must have a process for creating and managing a software bill of materials for each supplied software offering. Requirement 3.3.2 lists several common use cases that the compliance program must be able to handle: distributing open source software in binary form, distributing it in source form, integrating it with other open source software in ways that may trigger additional licensing obligations, shipping modified open source, and meeting attribution requirements, among others.
This is where automation can help. Software composition analysis tools can generate bills of materials and flag licensing obligations in a fraction of the time manual review takes. The obligations a tool reports still have to be interpreted against the organization's own license policy, which is what the review process in the previous sections exists to do.
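To make the two requirements concrete, here is an added example (not FOSSA's, OpenChain's, or any SCA vendor's code) that builds a minimal bill of materials from a constructed component inventory and derives a per-component obligation list for a chosen distribution form. The component records, the `linkage`/`modified` fields, and the license-to-obligation rules are all assumptions for illustration; a real program would take the inventory from its package manager and license scanner and the rules from its own license review process.

```python
"""Minimal SBOM and license-obligation check (added example, not project code).

The inventory below is constructed sample data, roughly what a lockfile plus a
license detector would yield. The obligation rules are a deliberately small
illustration of the mapping a compliance program has to define for itself;
they are not a complete statement of any license's terms.
"""
import json

# Constructed sample inventory. License names are SPDX identifiers;
# "NOASSERTION" is SPDX's marker for "license not determined".
SAMPLE_COMPONENTS = [
    {"name": "libfoo", "version": "1.4.2", "license": "MIT", "linkage": "static", "modified": False},
    {"name": "libbar", "version": "3.0.1", "license": "GPL-3.0-only", "linkage": "static", "modified": True},
    {"name": "libbaz", "version": "0.9.0", "license": "LGPL-2.1-or-later", "linkage": "dynamic", "modified": False},
    {"name": "util", "version": "2.2.0", "license": "Apache-2.0", "linkage": "static", "modified": True},
    {"name": "mystery", "version": "0.1.0", "license": "NOASSERTION", "linkage": "static", "modified": False},
]

# Illustrative license families (hypothetical simplification for the example).
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later", "MPL-2.0"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later", "AGPL-3.0-only"}


def build_bom(components, product, version):
    """Return a minimal SBOM-style document (Requirement 3.3.1's artifact).

    Only the fields needed for license compliance are kept; real SBOM formats
    (SPDX, CycloneDX) carry more, but the shape is the same: one record per
    component with name, version and declared license.
    """
    return {
        "product": product,
        "version": version,
        "components": [
            {"name": c["name"], "version": c["version"], "license": c["license"]}
            for c in components
        ],
    }


def obligations(component, distribution):
    """Derive obligations for one component under a given distribution form.

    distribution is "binary" or "source" (two of the 3.3.2 use cases). The
    strings returned are illustrative; a real program would map to its own
    obligation catalogue.
    """
    lic = component["license"]
    if lic == "NOASSERTION":
        # An undetermined license is a blocker, not an obligation to fulfil.
        return ["BLOCK: license unknown; complete license review before distribution"]
    obs = ["attribution: ship license text and copyright notices"]
    if lic in STRONG_COPYLEFT:
        if distribution == "binary":
            obs.append("provide complete corresponding source (or a written offer)")
        obs.append("combined work must be licensed under " + lic)
    elif lic in WEAK_COPYLEFT:
        if distribution == "binary" and component["linkage"] == "static":
            obs.append("static linking: provide object files or source so the library can be relinked")
        if component["modified"]:
            obs.append("provide source of the modified library")
    elif lic == "Apache-2.0" and component["modified"]:
        obs.append("mark modified files and retain the NOTICE file")
    elif lic not in PERMISSIVE:
        # Unknown-to-us license: escalate rather than silently approve.
        obs.append("REVIEW: no rule defined for " + lic)
    return obs


def compliance_report(components, distribution):
    """Map each component name to its obligation list."""
    return {c["name"]: obligations(c, distribution) for c in components}


def blockers(report):
    """Names of components that must not ship until review resolves them."""
    return sorted(
        name for name, obs in report.items()
        if any(o.startswith(("BLOCK", "REVIEW")) for o in obs)
    )


if __name__ == "__main__":
    bom = build_bom(SAMPLE_COMPONENTS, "widget-firmware", "1.0.0")
    print(json.dumps(bom, indent=2))
    report = compliance_report(SAMPLE_COMPONENTS, "binary")
    print(json.dumps(report, indent=2))
    print("blocked:", blockers(report))
```

Running the script prints the bill of materials, the obligation list for a binary release, and `blocked: ['mystery']`, because a component with no determined license cannot be cleared by any rule. The point of keeping `build_bom` and `compliance_report` separate is that the SBOM is the managed artifact the standard asks for, while the obligation mapping is the policy that a review process applies to it and that changes as the legal team refines its rules.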
How to Become OpenChain Conformant
As an official OpenChain Tooling Vendor, FOSSA supports organizations on their path to OpenChain Conformance. For more information on using FOSSA to fulfill OpenChain requirements, please visit our dedicated OpenChain webpage.