A tool devised by the National Security Agency to "maintain a specific security posture" is now available as an open source project -- the first offering on the agency's recently inaugurated GitHub page.
Less clear, given NSA's reputation, is whether anyone outside of a government agency operating under a mandate will use it.
Aside from its controversial origins, SIMP appears to be a fairly straightforward project. It uses Puppet and Ruby to provide automated security management on systems running Red Hat Enterprise Linux 6.6 or 7.1, as well as the matching versions of CentOS. The automation follows existing hardening guidelines devised by Red Hat and complies with protocols laid down by NIST.
SIMP's release is part of an ongoing NSA project, the Technology Transfer Program (TTP), that allows its work to be reused by other government agencies and the private sector. The TTP, which has been around since 2006, declassifies technologies developed for previous operations and shares them, typically by way of NDAs and licensing agreements.
The NSA has signaled its willingness to use open source and public computing resources before. Earlier this year it described how it was using the OpenFlow SDN system for its internal operations, citing OpenFlow's highly granular controls. OpenStack and Hadoop are also part of its tool set, and the agency has released some of the work it's done with the former -- again, on GitHub.
Likewise, SIMP's maintainers are using several familiar public tools on the project -- not only GitHub, but also Google Groups, GerritHub, HipChat, and JIRA.
All of this is unlikely to lower suspicions of anything bearing NSA's thumbprint. SIMP will need to gain a third-party imprimatur -- for instance, an independent code audit -- before anyone will use it, unless required to do so.