Cisco Systems, a global leader in networking hardware, integrates thousands of third-party and open-source components across its product ecosystem. To ensure compliance, mitigate legal risks, and maintain product integrity, Cisco required a partner to strengthen their Open Source Governance and License Compliance Program. This case study details how our Open Source Governance Audit transformed their compliance posture.
Before engaging our consultancy, Cisco faced several critical challenges in managing open-source usage across their distributed codebases for firmware and cloud solutions:
No unified inventory existed, creating uncertainty around license obligations and version usage.
The inclusion of GPL/LGPL components meant Cisco risked missing source code disclosure obligations, failing to publish modifications, and violating redistribution requirements.
Customers increasingly demanded stronger compliance evidence, including verified SBOMs (Software Bills of Materials) and license proofs. This necessitated a professional, audit-ready approach to License Compliance.
Cisco engaged our consultancy to conduct a full Open Source Governance Audit focusing on a specific product family. Our objective was to deliver audit-ready documentation and establish a repeatable, defensible compliance process.
Complete inventory of all OSS components used.
License discovery and risk categorization (permissive vs. reciprocal).
Source code retrieval for all reciprocal licenses (GPL, LGPL, AGPL).
Compliance report and SBOM creation.
Governance framework and internal best practices.
We executed a comprehensive technical and legal compliance effort focused on verifiable evidence:
We performed a deep technical audit, identifying all open-source libraries present in Cisco's codebase, including transitive dependencies, using static analysis and code scanning tools.
Every license was verified against SPDX identifiers and classified into Permissive, Reciprocal/Copyleft, and Proprietary risk categories.
For all reciprocal licenses, we provided the exact source code, full patch history of internal modifications, and consolidated source tarballs ready for immediate disclosure. This ensured Cisco met all legal obligations for redistribution.
We delivered a sustainable compliance process, including an OSS intake workflow, a clear license policy, and internal guidelines for engineers. This forms a crucial part of our overall AI Governance Solutions framework.
The structured Open Source Governance Audit achieved verifiable, high-impact results, ensuring Cisco can ship products confidently:
Cisco gained a complete and verified inventory of all OSS components, eliminating all "unknown" license usage.
All reciprocal licenses now have associated source code bundles and disclosures, ensuring safe redistribution and drastically reducing legal exposure.
Cisco can now confidently share verified SBOM documents and license reports, which boosted enterprise confidence and shortened compliance reviews.
Cisco gained a sustainable compliance process for future products and releases, integrating compliance checks into engineering workflows.
Through a structured and detailed Open Source Governance Audit, we helped Cisco achieve complete visibility, license compliance, and control. Our work ensured that Cisco can confidently ship products without legal risk, maintaining trust with customers, auditors, and partners worldwide.