Open source
ANSSI’s initiatives and general stance on open source
According to ANSSI, open source is and should remain central to the mastery of digital solutions, the security of software chains, the protection and resilience of information systems and digital commons, and the support of innovative technologies and solutions.
This stance is influenced by the opportunities generated by open source in terms of adaptation, software design and supply chain mastery, sustainability, auditability, portability, and integration. Free software [1] facilitates the sharing of knowledge, enables peer evaluation, and takes advantage of collective intelligence. For ANSSI, open source facilitates the development of skills essential to its missions and to the mastery of key technologies, and makes it possible to share these skills for specific use cases.
In this context, taking into account the limitations of “security through obscurity” (basing the security of a system on the assumption that attackers are not familiar with its operating principles), ANSSI promotes the principles of “secure-by-design” (integrating security from the conception of the system rather than at a later point) and “open-by-default” (opening source code and data), in keeping with its missions, while ensuring that no sensitive artefacts or operational configurations are exposed.
ANSSI actively contributes to the open-source ecosystem by sharing various projects. These initiatives are limited to specific domains, as the development of software for external actors is not ANSSI’s first priority.
The publication of projects allows ANSSI to:
- share its technical and scientific capabilities, using this reach to attract new talent and maintain its expertise;
- provide transparency with regard to the operational tools it uses when assisting beneficiaries;
- support its partners’ ecosystem by sharing its tools;
- improve cooperation between partners via interoperable means.
Beyond the legal framework [2], ANSSI also chose to apply an open-source approach to its technical work, promoting technological development through various projects. These initiatives demonstrate that open source can be a credible tool to sustain dynamics of development and diffusion.
For the publication of its source code, ANSSI selected licences from a list of licences authorised by decree. From this list, the choice of licence is determined by the intended purpose of each project, with a preference for permissive licences (particularly Apache 2.0) to limit restrictions when reusing the source code (including in commercial settings). If reusing and integrating source code in a proprietary model is considered a threat to the publication’s target objective, then a licence with a reciprocity requirement (such as the GNU GPL family) is used.
ANSSI has defined several categories of projects published in open source, requiring varying levels of support and engagement to ensure their maintenance.
- Doctrinal projects disseminating elements of the Agency’s doctrine or accompanying its publication: technology demonstrator, reference implementation, source code used to produce a scientific article or to generate data (research artefacts), content providing a concrete illustration of the Agency’s recommendations (“actionables”), etc. These projects are shared for informational purposes and maintained by ANSSI over the period of relevance of the article or of the associated recommendation. Users, integrators, and contributors may make them their own, to reproduce research results or to implement recommendations, bearing in mind that they do not come with ANSSI’s support.
- Internal tools: projects developed to meet ANSSI’s internal needs, published for the sake of transparency or to share useful resources with the ecosystem. Depending on the specific framework of each project, external contributions may be integrated without systematic guarantees or user support.
- External tools: tools provided to ANSSI’s beneficiaries and partners (such as the CERTs), directly accessible or via the services provided by ANSSI. Governance over these projects is ensured internally, their reuse is encouraged, and support may be provided to beneficiaries and partners should the Agency’s resources allow for it.
ANSSI primarily publishes projects within the ANSSI-FR GitHub organisation. Some large-scale projects, or projects whose maintenance is intended to be shared, are hosted in dedicated GitHub organisations, referenced from the main GitHub organisation.
For each of these projects, a “level of openness” is attributed to the source code, on the basis of a classification established by the interministerial directorate in charge of digital affairs (DINUM):
- Level A – contributive: the source code is published, external contributions are actively sought and processed.
- Level B – open: the source code is published, external contributions are processed but not actively sought.
- Level C – published: the source code is published but external contributions are not processed.
Open-source project transfer cases
Though the development of software is not ANSSI’s first priority, it does publish open-source projects which may be likened to industrial products or which might be used to develop solutions. When ANSSI must withdraw from a project but nonetheless wishes to ensure its sustainability, it may initiate the transfer of its governance to identify an external actor capable of continuing the work.
Any external actor interested in taking over a project may reach out to its maintainers or otherwise contact the following addresses: industries@ssi.gouv.fr or opensource@ssi.gouv.fr.
Contributing to external open-source projects
ANSSI’s agents contribute to open-source projects maintained by external actors, in various contexts and as part of the Agency’s missions.
These contributions may be made to open-source projects of interest used by the Agency’s beneficiaries. Whenever possible, the Agency contributes as far upstream as possible to optimise the use of resources and amplify positive effects on the cybersecurity of the digital ecosystem. For example, it may contribute to the security of base infrastructure components and operating system kernels (such as the Linux kernel).
Contributions may also help to improve the cybersecurity of software used by security researchers in the academic field or in the Agency’s sphere of operational partners.
Lastly, opportunistic contributions are more particularly made to projects used internally by the Agency (see “Using open-source solutions”). These contributions can range from simple bug fixes to adaptations intended to conform them to specific use cases (e.g. operating in isolation mode, disconnected from the Internet), or to new uses (e.g. the inclusion of new cryptographic algorithms).
These efforts allow ANSSI to develop expertise in the software concerned, and their publication contributes to the promotion of the Agency’s work.
The Agency’s contribution to public open-source projects also allows it to expand its field of action:
- it reduces its teams’ workload by avoiding the reproduction of specific adaptations in parallel with a project’s public evolutions [3];
- the improvement of a product’s security (or of its features – for a security tool, for example) not only benefits ministries and operators of vital importance (OIV), but also ANSSI’s partners and the entire community of users.
Open-source actors across the digital ecosystem
ANSSI’s investment in open source is not isolated; rather, it is made in conjunction with numerous actors of the digital ecosystem:
- Organisations using ANSSI’s services, namely central and territorial administrations, regulated operators such as operators of vital importance. These organisations use free software and may sometimes themselves develop open-source products.
- Digital solution providers, namely firms or business entities, individual or community developers, foundations. These actors may be vendors (of open-source products, or of products using open-source software), or service providers using free software.
- The field of higher education [4], of research and of open science (national research organisations, universities and engineering schools, mutualisation organisations), and the French education system.
- ANSSI’s partners, and the interministerial directorate in charge of digital affairs (DINUM) more particularly, responsible for defining and steering the State’s digital strategy. It guides administrations in the use and publication of open-source software, coordinates the Open Source and Digital Commons division, and heads the Council of Free Software (Conseil logiciels libres).
- ANSSI’s counterparts, national cybersecurity agencies such as the Bundesamt für Sicherheit in der Informationstechnik (BSI), or international organisations such as the European Union Agency for Cybersecurity (ENISA) and the European Commission, responsible for core regulations like the Cyber Resilience Act (CRA).
The latter two actors, more particularly, have instigated developments in public policy pertaining to digital commons which may impact all citizens. It is also at the political level that questions of digital sovereignty, of independence, and of the mastery of technological means – which include open source – are addressed.
Open source as a lever for action in ANSSI’s industrial policy
ANSSI’s industrial policy seeks to ensure that the digital ecosystem provides users with suitable and secure cybersecurity solutions which are adapted to their needs. While free software has become central to digital value chains, the link between open source and ANSSI’s industrial policy is recent and still in development. Open source has the potential to support the Agency’s industrial policy, by promoting innovation, engaging foundations, and bringing actors together.
Security evaluations
Since 2017, ANSSI has been funding open-source software security evaluations with the intention of improving the security of software components used directly by the Agency’s beneficiaries, or indirectly via their integration in commercial products.
Each year, ANSSI selects open-source software to undergo ad hoc security audits or security evaluations based on the First Level Security Certification (CSPN) scheme. Any identified vulnerabilities are reported to the project maintainer, allowing the Agency to facilitate remediation.
Using open-source solutions
ANSSI demonstrates a pragmatic approach to the use of free software, based on its different infrastructure, IT, and business needs.
It does not shun the use of proprietary software when it is necessary, but believes free software to offer a number of advantages – notably with regard to transparency and to the mastery of digital environments – and to allow the effective management of dependencies on external actors. Article 16 of the Law for a Digital Republic (Loi pour une République numérique) states that administrations “encourage the use of free software and open formats during the development, purchase, or use of all or part of these information systems”.
The use of free software allows the Agency to maintain a mastery of its business digital infrastructure, achieved through the transparency provided by the availability of the source code and by the possibility for third parties to use it. This limits the risks of dependence, along with the risks associated with strategy changes within the commercial entities which control the software. It is possible to analyse the source code and dependencies [5] or to have them analysed, to modify the code or have it be modified to meet specific needs [6] and, in some extreme cases, to take over the maintenance of a project if it has been abandoned or if it is headed in a direction which appears to be inconsistent with ANSSI’s usage.
Software development and maintenance are specialised tasks, and free software may be used in a commercial setting. It can therefore be useful for ANSSI to delegate these tasks to specialised companies, drawing on a rich French and European ecosystem. In this context, contract documents should emphasise the importance of access to source code under a free software licence, or of the acquisition of the economic rights (droits patrimoniaux) to the code. This should also facilitate the pooling of resources provided by several entities to request modifications which will ultimately be publicly accessible.
To this end, ANSSI may draw on various resources (which can be accessed by the entire administration):
- the document « ANSSI Essentials - How to select an open-source software » can inform the choice of free software with a selection of security criteria;
- a document (conseils à la rédaction de clauses de propriété intellectuelle pour les marchés de développement et de maintenance de logiciels libres, only available in French) by the Agency in charge of the intangible heritage of the state (APIE) provides assistance for the drafting of public contracts;
- the interministerial framework contract for free software support and expertise, which state departments – including ANSSI – may use for short-term services;
- DINUM’s recommendations (only available in French) on the use of free software;
- the Prime Minister’s circular: « Orientations des usages des logiciels libres dans l’administration » (only available in French).
For additional information
ANSSI’s work on open source is visible across the ecosystem, through various channels:
- ANSSI’s website, and the following page in particular: https://cyber.gouv.fr/enjeux-technologiques/open-source/;
- the ANSSI-FR GitHub organisation (along with all of the other GitHub organisations referenced therein);
- the opensource@ssi.gouv.fr email address, which may be used to contact ANSSI’s OSPO [7] (about open source-related topics only).
ANSSI is also involved in the BlueHats community (moderated by DINUM) and in the French OSPO community.
Terminology
Open-source software / free software: Open-source software (OSS) and free software (FS) are similar concepts founded on a common fundamental principle: access to source code and the freedom to use, modify, and redistribute software. This principle is given effect by the licence under which the software is distributed (see the list of licences considered to be free by the Open Source Initiative). Their main differences lie in their philosophical approach and in certain legal nuances. In this document, differences in the definitions given to OSS and FS are deliberately disregarded and the two terms are used interchangeably, unless explicitly stated otherwise. Readers may also refer to the definition provided by the Open Source Initiative.
Beneficiary: The Agency’s beneficiaries are all of the state services and operators which may benefit from its services. Among these are public bodies (ministries, institutions, jurisdictions, independent authorities, local authorities), operators of vital importance (OIV) and essential service operators, and – eventually – NIS 2 entities.
Contribution: Umbrella term used to refer to the various ways in which an entity may be involved in a project, whether it be in coding, community support, the provision of resources or ideas for a project, modification suggestions, features or patches, etc.
Open-source ecosystem: Subset of the digital ecosystem, comprised of all of the actors, practices, artefacts, and infrastructures involved in the production, dissemination, and maintenance of software whose source code has been released under a free licence (approved by the Open Source Initiative) to allow its study, modification, and redistribution. Its key components are:
- actors: maintainers, contributors, foundations, user companies/open-source solution sponsors, collaborative development platforms (GitHub, GitLab, etc.), user communities, etc.;
- infrastructures: software forges, production, continuous integration and deployment chains (CI/CD), etc.;
- artefacts: packages, lists of dependencies (SBOM), documentation, etc.;
- processes: project governance, management of versions and branches, code reviews, management of vulnerabilities and security releases, publication on registries (PyPI, npm, Maven Central, Docker Hub), etc.
Open-source project of interest: ANSSI considers an open-source software or component to be of interest if it meets the following two conditions:
- it is important to many beneficiaries (it is broadly used and/or its malfunction could have major adverse consequences and/or it is used in numerous cybersecurity products);
- it is at risk due to a lack of long-term support (no support contracts are offered to users and/or the original community or developer is unable to keep it maintained in security and operational condition).
Open-source project transfer: In the context of an open-source project as part of which ANSSI plays the role of developer, refers to each of the processes, actions, and means implemented by ANSSI to transfer this role to other organisations or communities, with the intention of reusing and sustaining the open-source project.
Maintainer: The project maintainer is the person or entity in charge of governance. They decide whether or not to include new code and features, what roadmap the project should follow, etc. This entity is responsible for user support and for keeping the project in operational and security condition. Within ANSSI, project maintenance is entrusted to an entity (office or division) to ensure the sustainability of the project in case of personnel changes.
Open Source Program Office (OSPO): An OSPO is an organisational and institutional structure which supports and accelerates the use, creation, and implementation of open-source software. Within an institution, the OSPO is the centre of gravity and competence in matters of open source. It works strategically to meet the institution’s policy objectives when they are related to open source. (source)
1 In this document, the terms “open source” and “free software” are used interchangeably. More details in the “Terminology” section.
2 More particularly, the French code of relations between the public and the administration (CRPA) and its articles:
L300-2 which includes source codes in the “administrative documents” affected by the text;
L311-1, L311-2 and L311-5 for the publication itself;
L323-1 to R323-7 for reuse licences.
The interministerial directorate in charge of digital affairs (DINUM) also provides complementary elements on its website.
3 The acceptance of a contribution to a given public project does not automatically imply its maintenance by the project; some open-source projects might require long-term engagement for merged features, which must be integrated when planning efforts.
4 The field of higher education is, in fact, encouraged to use it in article L123-4-1 of the French Education Code.
5 See also: paragraph on “Security evaluations”
6 See also: paragraph on “Contributing to external open-source projects”
7 Open source Program Office; see Terminology.