In general, we work in the open by default.
Read CISA's open source policy for the official policy of CISA and more details about what "open by default" means.
Read CISA's open source team practices for guidance on how CISA puts this open-by-default policy into practice, and how we handle the narrow situations where we may delay or withhold the release of source code.
This policy was originally copied from 18F which was forked from the Consumer Financial Protection Bureau's policy. Thanks also to @benbalter for his insights regarding CFPB's initial policy.