The Open Source Maturity Model

The Open Source Maturity Model (OSMM) is a framework that helps organizations assess and improve their use of open source software. The primary purpose of the OSMM is to provide a structured way for organizations to evaluate their open source practices and identify areas for improvement. The model consists of a set of maturity levels, each with a defined set of characteristics and activities that an organization must achieve to move to the next level.

Why Have an Open Source Maturity Model?

• The OSMM framework can help organizations to better understand the benefits and risks of using open source software and to establish policies and procedures to manage these effectively.
• The model can also be used as a tool for benchmarking an organization's open source maturity against that of other organizations in the same industry or sector.
• The OSMM can provide guidance to organizations on how to improve their open source practices and to align these with their overall business objectives.
• The ultimate goal of an OSMM is to enable organizations to maximize the benefits of open source software while managing the associated risks and costs effectively.
• Since there are lots of Activities in this body of knowledge, the maturity levels provide some guidance about the order to tackle activities. Organisastions beginning their open source journey are advised to start with activities categorized as Level 1 and proceed from there.

Existing Maturity Models

There are two pre-existing published open source maturity models at the time of writing which are both fairly similar. The OSBOK attempts to synthesize these into a single whole:

• In December 2021, The OSPO Alliance published on the OW2 site the "OW2 Open Source Good Governance Initiative which is a 5-level maturity model

• In February 2022, the TODO Group (a sub-foundation of the Linux Foundation) published "The Evolution of the Open Source Program Office (OSPO)" describing a five-level OSPO maturity model (Stages 0-4) based on its work with Bloomberg, Comcast and Porsche.

Fortunately, there is common agreement between these two models about what practices are expected at each level. Here, we adopt a 1-5 numbering scheme as this is more consistent with the original and most well-known maturity model, CMMI.

The Five Levels

Level 1: Ad-Hoc Usage

At this level, an organization has ad hoc or informal practices for managing open source software. There is no formal policy or process in place for managing open source software, and its use is left up to individual developers. The organization has limited visibility into open source use and does not keep track of the software used.

Level 1 (OSMM)OSMM

Level 2: Compliance

At this level, an organization has established some practices for managing open source software. The organization has some visibility into open source use and there are limited controls in place to manage open source software and to ensure compliance with licenses.

Level 2 (OSMM)OSMM

Level 3: Culture & Ecosystem

At this level, an organization has established proactive practices for managing open source software. The organization has a comprehensive policy in place for managing open source software, and it is consistently applied across the organization. The organization has a comprehensive inventory of open source software in use and manages it effectively. The organisation will begin to contribute to existing open source projects that it finds strategically useful. That is, becoming part of the open source community.

Level 3 (OSMM)OSMM

Level 4: Engagement & Hosting

At this level, an organization has a well-managed process for open source software. Open source is culturally embedded in the organisation and its value is understood. At this level the organisation itself is contributing to open source software.

Level 4 (OSMM)OSMM

Level 5: Leadership & Strategy

At this level, an organization has an optimized process for managing open source software. The organization has a continuous improvement process in place for open source software management, and it is well integrated with the overall software development process. The organization also has a strategy for consuming open source, contributing to open source software projects and engaging with the open source community.

Level 5 (OSMM)OSMM

Measuring Levels

Each level of the Open Source Maturity Model corresponds to a different set of activities. And, each activity is associated with a single maturity level.

This means it is possible for an organization to be making progress on multiple levels at the same time: they might be performing all of the activities at Level 1 and Level 2 and some of the activities of each of levels 3 to 5.

Only by completing all the activities at a given level and the levels below can an organization be regarded to be operating at that level. (Unless there is some convincing reason for omitting to perform a given activity.)

FINOS OSMM Survey

The FINOS OSMM Survey can be answered in different ways: as an individual, a function or the whole organisation. The survey aims to:

• Establish which activities the respondent is performing.
• Provide a maturity level corresponding to these activities.
• Give suggestions to the respondent about which activities need further work to move to a higher maturity level.

NB: The FINOS OSMM Survey is currently in beta. Feedback on this would be greatly appreciated.