ISO/IEC DIS 5230: OpenChain Specification is an international standard that outlines elements of a successful open source license compliance program. Organizations whose license compliance programs satisfy the standard’s requirements can earn the designation OpenChain Conformant.
ISO/IEC DIS 5230 was prepared by the Joint Development Foundation (a project of the Linux Foundation), submitted to ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission), and then published in December, 2020. It integrated feedback from more than 200 contributors and aims to be inclusive of the broad range of organizations that use open source software.
According to the Linux Foundation, the OpenChain Specification was developed with four primary goals in mind:
- Build Trust: Encourage the use of open source in constructing software solutions that are shared with others (with a focus on license compliance).
- Keep it Simple: The standard’s developers included practical use cases and kept the content relatively short and to the point.
- Focus on the What and Why: A wide variety of organizations use open source software, so the team that developed ISO/IEC 5230 did its best to build flexibility into the standard. It generally avoids being too prescriptive in areas like “how” and “when” to implement elements of a license compliance program, instead focusing on different practices to solve a given requirement — the “what” and “why.”
- Function as an Open Development Initiative: Just as the very nature of open source software is collaborative, so, too, was the process the Linux Foundation used to develop the OpenChain Specification.
The end result was a nine-page document built around a set of 13 core requirements that compliance programs must satisfy to earn OpenChain Conformance.
In this blog, we’ll offer several key takeaways on ISO/IEC DIS 5230: OpenChain Specification. including requirements for compliance program participants, how to meet the needs of external stakeholders, and, ultimately, how to become a conformant organization.
ISO/IEC DIS 5230 OpenChain Specification: Internal Requirements
A number of requirements in the OpenChain Specification standard govern internal policies, procedures, and staffing for license compliance programs. These include:
- Strong documentation: Policies that govern an organization’s use of open source software should be documented so all program participants are aware of them.
- Clear roles and responsibilities: Participants should have clarity around their role in an open source license compliance program, and they should have the expertise to successfully carry out their duties. Additionally, information on program participant roles and responsibilities should be distributed to all relevant stakeholders across the company.
- A defined review process: The organization should implement a defined process to review and understand the obligations that stem from various open source licenses.
ISO/IEC DIS 5230 OpenChain Specification: Satisfying External Stakeholders
One of the themes in the OpenChain Specification is there are both internal and external elements to becoming a conforming organization. The internal component is enabling all internal stakeholders (across teams like legal, engineering, architecture, and program management) with strong policies, trainings, resources, goals, and processes.
Requirements dealing with external stakeholders cater to two types of audiences: people that own and contribute to the open source projects your organization uses and customers that receive your final product. These requirements can be broadly grouped into three categories:
- Develop a process: The OpenChain Specification requires organizations to make clear to the public how interested parties can make open source compliance-related inquiries.
- Identify participants: Open source compliance program participants should have clear roles and responsibilities that govern who in your organization responds to third-party inquiries.
- Create formal documentation: Organizations should document the process and participants for successfully completing license compliance program tasks.
ISO/IEC DIS 5230 OpenChain Specification: Key Capabilities
Many of the ISO OpenChain Specification requirements are related to documenting processes and procedures that govern open source use as well as ensuring compliance program participants have clarity around roles and responsibilities.
It’s no surprise, then, that the third piece of the puzzle is for organizations to ensure they empower program participants to actually execute the daily and weekly responsibilities of open source license compliance.
For example, Requirement 3.3.1 notes that conformant organizations must have a process for creating and managing a software bill of materials. Requirement 3.3.2 highlights several common use cases (distributing licenses in binary form, distributing licenses in source form, integrating with other open source libraries to trigger additional licensing obligations, among others) that compliance program offices must be able to satisfy.
This is where automation can help. Software composition analysis tools enable compliance teams to create bills of materials and ensure compliance with licensing obligations in a fraction of the time of manual processes.
How to Become ISO/IEC DIS 5230 Conformant
The first step to becoming an OpenChain Specification Conformant license compliance program is to download and carefully review a copy of the standard. You can do this by visiting ISO’s website.
Once you’ve satisfied all requirements, including necessary documentation, visit the OpenChain Specification website to explore different options for conformance. (Organizations can take advantage of a relatively straightforward self-certification process should they so choose.)
And, if you’re looking for more insight on building a best-in-class license compliance program, download our checklist: Creating an Open Source Compliance Program: Auditing Your Company’s Use of Open Source.