The Python Software Foundation (PSF) has announced it will reject a $1.5 million federal grant from the National Science Foundation (NSF) due to contract stipulations regarding diversity, equity, and inclusion (DEI) initiatives. The foundation stated that the terms imposed by the administration would restrict its broader operational activities beyond the scope of the funded research, which aimed to improve cybersecurity for open-source software.
Loren Crary, deputy executive director at the PSF, confirmed the decision Wednesday, explaining that the contract language demanded the foundation cease all DEI-related programs. This blanket restriction, she said, extended beyond the specific cybersecurity research project, impacting the PSF’s overall mission to foster a diverse and international community of Python programmers. The grant’s rejection raises concerns about the future of national cybersecurity research and the impact of federal policy on non-profit organizations.
Impact of DEI Mandates on Cybersecurity Research
The proposed NSF grant, under solicitation NSF-24-608, was specifically intended to fund projects focused on the “Safety, Security, and Privacy of Open Source Ecosystems.” The program aims to catalyze improvements in open-source software and its supply chains, work the ecosystem currently lacks the resources to undertake independently. The PSF’s project sought to develop automated tooling to enhance the review process for code packages uploaded to PyPI, the largest repository for Python software.
According to Crary, the grant terms included a clause that prohibited the PSF from “advanc[ing] or promot[ing] DEI, or discriminatory equity ideology in violation of Federal anti-discrimination laws.” This would effectively have barred the foundation from continuing its existing DEI-focused initiatives, which are separate from the funded research. The PSF’s established mission statement explicitly includes supporting and facilitating the growth of a diverse and international community of Python programmers.
Financial and Operational Risks
Beyond the DEI restrictions, the grant agreement also included a “claw back” provision. This would have allowed the government to reclaim funds that had already been approved and disbursed. Crary highlighted this as an “enormous, open-ended financial risk” for the foundation, which operates on an annual budget of $5 million.
“We’re disappointed to have been put in the position where we had to make this decision,” Crary wrote on the PSF’s website, “because we believe our proposed project would offer invaluable advances to the Python and greater open source community, protecting millions of PyPI users from attempted supply-chain attacks.” The proposed tooling was designed to identify malware based on capability analysis and could have been transferable to other open-source package registries like NPM and Crates.io.
The foundation viewed accepting the contract language as a “betrayal” of its core principles. The $1.5 million grant would have been the largest in the organization’s history, nearly a third of its annual operating budget. Without this funding, the development of the proposed automated code review tools and related investigations into open-source software supply chain security may be delayed or significantly scaled back.
When approached for comment regarding the grant rejection and the impact of federal DEI policies on research funding, the NSF provided an automated response indicating that a lapse in government funding had resulted in most NSF staff being unavailable. The automated reply, which suggests a potential broader issue with government operations, does not address the specific concerns raised by the Python Software Foundation regarding federal contract language.
The next steps for the PSF involve seeking alternative funding sources to continue its cybersecurity research. It remains to be seen if other organizations will face similar contractual challenges related to DEI stipulations, and how these federal requirements might shape future cybersecurity initiatives involving open-source communities.

