
Risk Management of Free and Open Source Software FFIEC Guidance

Summary: The Federal Financial Institutions Examination Council (FFIEC) has issued the attached guidance to help institutions identify and implement appropriate risk-management practices when using "free and open source software" (FOSS). 

Highlights: 

  • FOSS refers to software that users are allowed to run, study, modify and redistribute without paying a licensing fee. Well-known examples are the Linux operating system, the Apache Web server and the MySQL database.
  • The use of FOSS is increasing in the mainstream information technology and financial services communities.
  • The federal regulatory agencies believe that using FOSS does not impose risks to institutions that are fundamentally different from risks presented by proprietary or self-developed software. However, acquiring and using FOSS necessitates that institutions implement unique risk-management practices.
  • This guidance supplements the FFIEC IT Examination Handbook's Development and Acquisition Booklet by addressing strategic, operational and legal risk considerations in acquiring and using FOSS.

Distribution: 
FDIC-Supervised Banks (Commercial and Savings) 

Suggested Routing: 
Chief Executive Officer 
Chief Technology Officer 
Chief Information Officer 

Note: 
For your reference, FDIC Financial Institution Letters (FILs) may be accessed from the FDIC's Web site at www.fdic.gov/news/financial-institution-letters/2004/index.html

To receive FILs electronically, please visit http://www.fdic.gov/about/subscriptions/fil.html

Paper copies of FDIC FILs may be obtained through the FDIC's Public Information Center, 801 17th Street, NW, Room 100, Washington, DC 20434 (1-877-275-3342 or (703) 562-2200).


Additional Related Topics:

  • FFIEC IT Examination Handbook, Development and Acquisition Booklet
FIL-114-2004

Last Updated: October 21, 2004