In particular, will it be directly linked with proprietary or classified code? If this is the case, then the contractor cannot release the software as OSS without permission, because the contractor does not own the copyright. If the government has received the copyright (e.g., because the FAR 52.227-17 or DFARS 252.227-7020 clauses apply), then the government can release the software as open source software. As with all commercial items, the DoD must comply with the item's license when using the item. In addition, ignoring OSS would not be lawful; U.S. law specifically requires consideration of commercial software (including extant OSS, regardless of exactly which license it uses), and specifically instructs departments to pass this requirement to consider commercial items down to contractors and their suppliers at all tiers. The release may also be limited by patent and trademark law. Creating any interface is an effort, and having a pre-defined standard helps reduce that effort greatly. This need for legal analysis is one reason why creating new OSS licenses is strongly discouraged: it can be extremely difficult, costly, and time-consuming to analyze the interplay of many different licenses.
- BSD TCP/IP suite - Provided the basis of the Internet

- Greatly increased costs, due to the effort of self-maintaining its own version
- Inability to use improvements (including security patches and innovations) by others, where it uses a non-standard version instead of the version being actively maintained
- Greatly increased cost, due to having to bear the
- Inability to use improvements (including security patches and innovations) by others, since they do not have the opportunity to aid in its development
- Obsolescence due to the development and release of a competing commercial (e.g., OSS) project

Volume II of its third edition, section 6.C.3, describes in detail this prohibition on voluntary services. Strongly Protective (aka strong copyleft): These licenses prevent the software from becoming proprietary, and instead enforce a "share and share alike" approach. The related FAR 52.227-2 (Notice and Assistance Regarding Patent and Copyright Infringement), as prescribed by FAR 27.201-2(b), requires the contractor to report to the Contracting Officer each notice or claim of patent or copyright infringement in reasonable written detail. Why Open Source Software / Free Software (OSS/FS, FLOSS, or FOSS)? The 2003 MITRE study, Use of Free and Open Source Software (FOSS) in the U.S. Department of Defense, for analysis purposes, posed the hypothetical question of what would happen if OSS software were banned in the DoD, and found that OSS plays a far more critical role in the DoD than has been generally recognized, especially in Infrastructure Support, Software Development, Security, and Research. Q: Is there a name for software whose source code is publicly available, but does not meet the definition of open source software? In most cases, this GPL license term is not a problem.
The United States Air Force operates a service called "Iron Bank", which is the DoD Enterprise repository of hardened software containers, many of which are based on open source products. If you know of an existing proprietary product that meets your needs, searching for its name plus "open source" may help. To reduce the risk of executing malicious code, potential users should consider the reputation of the supplier and the experience of other users, prefer software with a large number of users, and ensure that they get the real software and not an imitator. Certain FAR clause alternatives (such as FAR 52.227-17) require the contractor to assign the copyright to the government. Q: Where can I release new open source software projects to the public? Many programs and DAAs do choose to use commercial support, and in many cases that is the best approach. Q: Does the DoD already use open source software? Yes. 19 U.S.C. 2518(4)(B) says that "An article is a product of a country or instrumentality only if (i) it is wholly the growth, product, or manufacture of that country or instrumentality, or (ii) in the case of an article which consists in whole or in part of materials from another country or instrumentality, it has been substantially transformed into a new and different article of commerce with a name, character, or use distinct from that of the article or articles from which it was so transformed." The CBP also pointed out a ruling (Data General v. United States, 4 CIT 182 (1982)) that programming a PROM performed a substantial transformation.
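The advice above to "ensure that they get the real software and not an imitator" is usually carried out by checking a downloaded artifact against a checksum manifest published by the project's trusted repository (see the later description of trusted repositories). The following is an added example, not code from the FAQ or from any DoD program: it parses a SHA256SUMS-style manifest, fails closed on malformed lines, and verifies an artifact with a constant-time digest comparison. The archive bytes, file names and manifest are constructed for the example; in practice the manifest itself must come from the trusted source (or carry a signature you verify), since a manifest fetched from the same untrusted mirror as the artifact proves nothing.

```python
import hashlib
import hmac

# Constructed sample data for this example: a "release archive" as bytes, and a
# checksum manifest in the common SHA256SUMS format (hex digest, whitespace, name).
# The names and contents are made up; nothing here refers to a real project.
GENUINE_ARCHIVE = b"example-tool-1.0.tar.gz contents (constructed sample)\n"
TAMPERED_ARCHIVE = GENUINE_ARCHIVE.replace(b"contents", b"contents+backdoor")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the given bytes."""
    return hashlib.sha256(data).hexdigest()


# What you would fetch from the project's trusted repository (over TLS, and
# ideally with a detached signature that you verify before trusting it).
TRUSTED_MANIFEST = (
    f"{sha256_hex(GENUINE_ARCHIVE)}  example-tool-1.0.tar.gz\n"
    "# comments and blank lines are ignored\n"
    "\n"
)


def parse_manifest(text: str) -> dict[str, str]:
    """Parse SHA256SUMS-style lines into {file name: lowercase hex digest}.

    Malformed lines raise instead of being skipped, so a truncated or
    corrupted manifest fails closed rather than silently dropping entries.
    """
    entries: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<hex>  <name>'")
        digest = parts[0].lower()
        name = parts[1].lstrip("*")  # a leading '*' marks binary mode in sha256sum output
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: bad SHA-256 digest")
        entries[name] = digest
    return entries


def verify_artifact(name: str, data: bytes, manifest: dict[str, str]) -> bool:
    """True only if the artifact's SHA-256 matches its manifest entry.

    An artifact with no manifest entry (for example an imitator with a
    similar name) is reported as unverified rather than assumed good.
    """
    expected = manifest.get(name)
    if expected is None:
        return False
    actual = sha256_hex(data)
    # Constant-time comparison: not strictly needed for a public digest, but
    # the right habit for any comparison of integrity tags or secrets.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    manifest = parse_manifest(TRUSTED_MANIFEST)
    print("genuine :", verify_artifact("example-tool-1.0.tar.gz", GENUINE_ARCHIVE, manifest))   # True
    print("tampered:", verify_artifact("example-tool-1.0.tar.gz", TAMPERED_ARCHIVE, manifest))  # False
    print("unknown :", verify_artifact("imitator-1.0.tar.gz", GENUINE_ARCHIVE, manifest))       # False
```

The check only tells you the bytes match what the manifest's author published; it does not tell you the manifest's author is who you think. That is why the manifest (or the release itself) should be signed and the signing key obtained from the trusted repository, not from the download location.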
- OpenSSL - SSL/cryptographic library implementation
- GNAT - Ada compiler suite (technically this is part of gcc)
- perl, Python, PHP, Ruby - Scripting languages
- Samba - Windows - Unix/Linux interoperability

However, often software can be split into various components, some of which are classified and some of which are not, and it is to these unclassified portions that this text applies. It also notes that OSS is a disruptive technology; in particular, that it is a move away from a product to a service-based industry. OTD is an approach to software/system development in which developers (in multiple organizations) collaboratively develop and maintain software or a system in a decentralized fashion. However, software written entirely by federal government employees as part of their official duties can be released as public domain software. It is the 1913 Attorney General opinion (Atty Gen. 51 (1913)) that has become the leading case construing 31 U.S.C. The NSA/CSS Evaluated Products List lists equipment that meets NSA specifications. Choose a license that has passed legal reviews and is clearly accepted as an OSS license. For at least 7 years, Borland's Interbase (a proprietary database program) had embedded in it a back door: the username "politically", password "correct", would immediately give the requestor complete control over the database, a fact unknown to its users. Q: Is there a large risk to DoD contractors that widely-used OSS violates enforceable software patents?
Whether or not this was intentional, it certainly had the same form as a malicious back door. Continuous and broad peer review, enabled by publicly available source code, improves software reliability and security through the identification and elimination of defects that might otherwise go unrecognized by the core development team. Users can get their software directly from the trusted repository, or get it through distributors who acquire it (and provide additional value such as integration with other components, testing, special configuration, support, and so on). In practice, commercial software (OSS or not) tends to be developed globally, especially when you consider its developers and supply chains. Examples include GPL applications running on proprietary operating systems or wrappers, and GPL applications that use proprietary components explicitly marked as non-GPL. 48 CFR 252.227-7014 (Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation) defines "commercial computer software" as software developed or regularly used for non-governmental purposes which:
- (i) Has been sold, leased, or licensed to the public;
- (ii) Has been offered for sale, lease, or license to the public;
- (iii) Has not been offered, sold, leased, or licensed to the public but will be available for commercial sale, lease, or license in time to satisfy the delivery requirements of this contract; or
- (iv) Satisfies a criterion expressed in paragraph (a)(1)(i), (ii), or (iii) of this clause and would require only minor modification to meet the requirements of this contract.

With practically no exceptions, successful open standards for software have OSS implementations. In addition, widely-used licenses and OSS projects often include additional mechanisms to counter this risk.
In addition, since the source code is publicly released, anyone can review it, including for the possibility of malicious code. The GPL and government "unlimited rights" terms have similar goals, but differ in details. As noted in the article "Open Source memo doesn't mandate a support vendor" (by David Perera, FierceGovernmentIT, May 23, 2012), the intent of the memo was not to issue a blanket requirement that all open source software come bundled with contractor support or else it can't be used: "If a Defense agency is able to sustain the open source software with its own skills and talents then that can be enough to satisfy the intent of the memo." In addition, "How robust the support plan need be can also vary on the nature of the software itself ... For command and control software, the degree would have to be greater than for something that's not so critical to mission execution." This makes the expectations clear to all parties, which may be especially important as personnel change. In many cases, yes, but this depends on the specific contract and circumstances. In the DoD, the GIG Technical Guidance Federation is a useful resource for identifying recommended standards (which tend to be open standards). can be competed, and the cost of some improvements may be borne by other users of the software.
Even when the original source is necessary for in-depth analysis, making source code available to the public significantly aids defenders and not just attackers. Lock-in tends to raise costs substantially, reduces long-term value (including functionality, innovation, and reliability), and can become a serious security problem (since the supplier has little incentive to provide a secure product and to quickly fix problems found later). Requiring the use of very unusual development tools may impede development, unless those tools provide a noticeable advantage. More recent decisions, such as the 1982 decision B-204326 by the U.S. Comptroller General, continue to confirm this distinction between gratuitous and voluntary service. Use a widely-used existing license. You may only claim that a trademark is registered if it is actually registered. Once the government has unlimited rights, it may release that software to the public under any terms it wishes, including by using the GPL. However, this approach should not be taken lightly.
U.S. law directs each agency to (quoting the statute):
- "acquire commercial services, commercial products, or nondevelopmental items other than commercial products to meet the needs of the agency;
- require prime contractors and subcontractors at all levels under the agency contracts to incorporate commercial services, commercial products, or nondevelopmental items other than commercial products as components of items supplied to the agency;
- modify requirements in appropriate cases to ensure that the requirements can be met by commercial services or commercial products or, to the extent that commercial products suitable to meet the agency's needs are not available, nondevelopmental items other than commercial products in response to agency solicitations;
- state specifications in terms that enable and encourage bidders and offerors to supply commercial services or commercial products or, to the extent that commercial products suitable to meet the agency's needs are not available, nondevelopmental items other than commercial products in response to the agency solicitations;
- revise the agency's procurement policies, practices, and procedures not required by law to reduce any impediments in those policies, practices, and procedures to the acquisition of commercial products and commercial services; and
- require training of appropriate personnel in the acquisition of commercial products and commercial services."

However, if you are going to rely on the OSS community, you must make sure that the OSS community for that product is active, and that you have suitably qualified staff to implement the upgrades/enhancements developed by the community. If you are looking for smaller pieces of code to reuse, search engines specifically for code may be helpful. Only some developers are allowed to modify the trusted repository directly: the trusted developers. Widely-used programs include the Apache web server, Firefox web browser, Linux kernel, and many other programs.
Q: Is there an approved, recommended or "Generally Recognized as Safe/Mature" list of Open Source Software? Thus, GPLed compilers can compile classified programs (since the compilers treat the classified program as data), and a GPLed implementation of a virtual machine (VM) can execute classified software (since the VM implementation runs the software as data). What is its relationship to OSS? Clarifying Guidance Regarding Open Source Software (OSS) states that "Software items, including code fixes and enhancements, developed for the Government should be released to the public (such as under an open source license) when all of the following conditions are met:" The government or contractor must determine the answer to these questions. Source: Publicly Releasing Open Source Software Developed for the U.S. Government. Typically this will include a source code version management system, a mailing list, and an issue tracker. After all, most proprietary software licenses explicitly forbid modifying (or even reverse-engineering) the program, so the GPL actually provides additional rights not present in most proprietary software. Commercially-available software that is not open source software is typically called proprietary or closed source software. The FAR and DFARS specifically permit different agreements to be struck, within certain boundaries, and other agencies have other supplements.
Patent examiners have relatively little time to review each patent, and do not have effective access to most prior art in software, which may lead them to grant patents for previously-published inventions or obvious inventions. (See also Publicly Releasing Open Source Software Developed for the U.S. Government by Dr. David A. Wheeler, DoD Software Tech News, February 2011.) Q: Is open source software the same as open systems/open standards? Reasons for taking this approach vary. The 2003 MITRE study, Use of Free and Open Source Software (FOSS) in the U.S. Department of Defense, did suggest developing a "Generally Recognized As Safe" (GRAS) list, but such a list has not been developed. Estimating the Total Development Cost of a Linux Distribution estimates that the Fedora 9 Linux distribution, which contains over 5,000 software packages, represents about $10.8 billion of development effort in 2008 dollars. The GAO Red Book explains its purpose: since an agency cannot directly obligate in excess or advance of its appropriations, it should not be able to accomplish the same thing indirectly by accepting ostensibly voluntary services and then presenting Congress with the bill, in the hope that Congress will recognize a moral obligation to pay for the benefits conferred. (Note that such software would often be classified.) This does not mean that existing OSS elements should always be chosen, but it means that they must be considered. The U.S. government can often directly combine GPL and proprietary, classified, or export-controlled software into a single program arbitrarily, as long as the result is never conveyed outside the U.S. government. Q: When can the U.S. federal government or its contractors publicly release, as OSS, software developed with government funds? Other laws must still be obeyed.
Most OSS projects have a trusted repository, that is, some (web) location where people can get the official version of the program, as well as related information (documentation, bug report system, mailing lists, etc.). However, sometimes OGOTS/GOSS software is later released as OSS. But what is radically different is that a user can actually make a change to the program itself (either directly, or by hiring someone to do it). Prior art invalidates patents. Open standards make it easier for users to (later) adopt an open source software program, because users of open standards aren't locked into a particular implementation. In brief, the MIT and 2-clause BSD licenses are dominated by the 3-clause BSD license, which are all dominated by the LGPL licenses, which are all dominated by the GPL licenses. Also, since there are a limited number of users, there is limited opportunity to gain from user innovation, which again can lead to obsolescence. In the Intelligence Community (IC), the term "open source" typically refers to overt, publicly available sources (as opposed to covert or classified sources). No, DoD policy does not require you to have commercial support for OSS, but you must have some plan for support. Software might not infringe on a patent when it was released, yet the same software may later infringe on a patent if the patent was granted after the software's release. A choice of venue clause is a clause that states where a dispute is to be resolved (e.g., which court).
Even where there is GOTS/classified software, such software is typically only a portion of the entire system, with other components implemented through COTS components. Note that merely being released by a US firm is no guarantee that there is no malicious embedded code. The MITRE study did identify some of the many OSS programs that the DoD is already using, and may prove helpful. For example, the LGPL permits the covered software (usually a library) to be embedded in a larger work under many different licenses (including proprietary licenses), subject to certain conditions. U.S. law governing federal procurement, U.S. Code Title 41, Chapter 7, Section 103, defines "commercial product" as a product, other than real property, that "(A) is of a type customarily used by the general public or by nongovernmental entities for purposes other than governmental purposes; and (B) has been sold, leased, or licensed, or offered for sale, lease, or license, to the general public". Execution: GPL and other software can run at the same time on the same computer or network. Part of the ADA, Pub. L. For DoD contractors, if the standard DFARS contract clauses are used (in particular DFARS 252.227-7014), then the contractor who developed the software retains the copyright to the software and has the right to release it to others, even if the software was developed exclusively with government funds. It is only when the OSS is modified that additional OSS terms come into play, depending on the OSS license. In many cases, weakly protective licenses are used for common libraries, while strongly protective licenses are used for applications. There are two versions of the GPL in widespread use: version 2 and version 3.
If there are reviewers from many different backgrounds (e.g., different countries), this can also reduce certain risks. However, this cost-sharing is done in a rather different way than in proprietary development. At project start, the project creators (who create the initial trusted repository) are the trusted developers, and they determine who else may become a trusted developer of this initial trusted repository. This risk is mitigated by reviewing software (in particular, for classification and export control issues) before public release. Q: What are antonyms for open source software? Classified software should already be marked as such, of course. Q: Can government employees develop software as part of their official duties and release it under an open source license? Many projects, particularly the large number of projects managed by the Free Software Foundation (FSF), ask for an employer's disclaimer from the contributor's employer in a number of circumstances. This Open Source Software FAQ was originally developed on Intellipedia, using a variety of web browsers including Mozilla Firefox. The IDA Open Source Migration Guidelines recommend: It also suggests that the following questions need to be addressed: It also recommends ensuring that decisions made now, even if they do not relate directly to a migration, should not further tie an Administration to proprietary file formats and protocols. Common licenses for each type are:
- Permissive: MIT, BSD-new, Apache 2.0
- Weakly protective: LGPL (version 2 or 3)
- Strongly protective: GPL (version 2 or 3)

Wikipedia maintains an encyclopedia using approaches similar to open source software approaches.
Export control laws are often not specifically noted in OSS licenses, but nevertheless these laws also govern when and how software may be released. Proprietary COTS tends to be lower cost than GOTS, since the cost of development and maintenance is typically shared among a larger number of users (who typically pay to receive licenses to use the product). In contrast, typical proprietary software costs are per-seat, not per-improvement or service. They can obtain this by receiving certain authorization clauses in their contracts. The regulation is available at. If it must work with other components, or is anticipated to work with other components, ensure that the license will permit those anticipated uses.

OSS and Security/Software Assurance/System Assurance/Supply Chain Risk Management

The public release also makes it easy to have copies of versions in many places, and to compare those versions, making it easy for many people to review changes. Choose a license that best meets your goals. The 2009 DoD CIO memo on open source software says, in attachment 2, 2(d), "The use of any software without appropriate maintenance and support presents an information assurance risk." In some cases, the sources of information for OSS differ. There are far too many examples to list; a few examples are: The key risk is the revelation of information that should not be released to the public. These included the Linux kernel, the gcc compilation suite (including the GNAT Ada compiler), the OpenOffice.org office suite, the emacs text editor, the Nmap network scanner, OpenSSL and OpenSSH for encryption, and Samba for Unix/Linux/Windows interoperability. OSS implementations can help create and keep open standards open. You can support OSS either through a commercial organization, or you can self-support OSS; in either case, you can use community support as an aid.
Its flexibility is as high as GOTS, since it can be arbitrarily modified. Licenses that meet all the criteria above include the MIT license, revised BSD license, the Apache 2.0 license (though Apache 2.0 is only compatible with GPL version 3, not GPL version 2), the GNU Lesser General Public License (LGPL) versions 2.1 or 3, and the GNU General Public License (GPL) versions 2 or 3. If the OSS is intended for use on Linux/Unix systems, follow standard source installation release practices so that it is easier for users to install. The Defense Information Systems Agency maintains the DOD Information Network (DODIN) Approved Products List (APL) process, as outlined in DOD Instruction 8100.04, on behalf of the Department of Defense. Permissive: These licenses permit the software to become proprietary (i.e., not OSS). If you know of others who have similar needs, ask them for leads. Q: How do GOTS, Proprietary COTS, and OSS COTS compare? This regulation only applies to the US Army, but may be a useful reference for others. Q: Do choice of venue clauses automatically disqualify OSS licences?