Checklist: establishing an open source compliance program

Strategy

Document your open source strategy covering the following areas, as relevant:

Strategic objectives: what benefits you intend to realize through using and engaging with open source, and how.
Compliance strategy: high-level strategy for ensuring open source compliance across enterprise, including the process for implementing that strategy.
Communications stategy: how to and who will respond to open source compliance inquiries from customers, the public, and open source projects.
Legal & risk strategy: how legal risk will be managed as part of the open source strategy and when legal review will be required.
M&A/corporate development: how open source compliance fits in to M&A and corporate development strategies.
Software procurement: how open source diligence will be managed for new software procurement (and audits of oustanding procurement).

Establish policies for open source engagement that cover:

Usage of open source in internal development
Contribution to third-party projects
Distribution of open source withing proprietary products
Publication of in-house open source projects
Auditing existing products and codebases for open source
Fulfillment of open source license obligations, including process for responding to requests for source code, where applicable

Establish a core open source review team, typically consisting of participants from:

Establish a cross-functional open source policy team with representatives from every area affected by open source policies, including:

Establish reporting & approval chains for key open source-related issues:

Put in place software tools to manage key open source management processes:

Approval workflows: managing and automating the initiation, review, and approval of requests subject to open source policies, e.g. to use/incorporate a new open source component or license, modify an open source component, release a project as open source, etc.
Project management: tracking usage of and modification of open source components within an internal development project.
Inventory management: tracking open source components in use across versions and projects.
Code review: enforcing and facilitating review of open source contributions and open source usage in products prior to contribution or publication.
Compliance automation and audit: see TBD Open Source Compliance Toolchain Checklist.

Institute training and documentation to increase awareness of and compliance with open source processes, including:

Formal training on intellectual property, open source licensing and risk, internal policies and processes, and industry practices.
High-level review of policies and guidelines in new employee orientation.
Comprehensive, accessible documentation of policies, processes, systems, and guidelines relevant to engineers
Presentations from internal and external speakers on open source success stories, best practices, etc.

Publish materials communicating your open source strategy, policies, and related content as applicable, including:

Where appropriate, align policies and processes with, and participate in, industry open source compliance-related initiatives, such as: