Open systems and open standards counter dependency on a single supplier, though only if there is a competing marketplace of replaceable components. Whether or not this was intentional, it certainly had the same form as a malicious back door. Similarly, delaying a component's OSS release too long may doom it, if another OSS component is released first. By default, the government has the necessary rights if it does not permit the contractor to assert copyright, but it loses those rights if the government permits the contractor to assert copyright. Before award, a contractor may identify the components that will have more restrictive rights (e.g., so the government can prefer proposals that give the government more rights), and under limited conditions the list can be modified later (e.g., for error correction). Q: What policies address the use of open source software (OSS) in the Department of Defense? In particular, U.S. law (10 USC 2377) requires a preference for commercial products for procurement of supplies or services. Typically, the rights granted by the license can only be obtained when the requestor agrees to certain conditions. Q: When can the U.S. federal government or its contractors publicly release, as OSS, software developed with government funds? This regulation only applies to the US Army, but may be a useful reference for others. This resource contains Facility-Related Control Systems (FRCS) guidance, reference materials, checklists and templates. The DoD has adopted the Risk Management Framework (RMF) for all Information Technology and Operational Technology networks, components and devices, including FRCS. The GTG-F is a collection of web-based applications supporting the continuing evolution of the Department of Defense (DoD) Information Technology Standards.
This statute says that "An officer or employee of the United States Government or of the District of Columbia government may not accept voluntary services for either government or employ personal services exceeding that authorized by law except for emergencies involving the safety of human life or the protection of property." The US Government Accountability Office (GAO) Office of the General Counsel's Principles of Federal Appropriations Law (aka the "Red Book") explains federal appropriation law. Similarly, OSS (as well as proprietary software) may indeed have malicious code embedded in it. In 2017, the United States District Court for the Northern District of California, in Artifex Software, Inc. v. Hancom, Inc., issued a ruling confirming the enforceability of the GNU General Public License. It is impossible to completely eliminate all risks; instead, focus on reducing risks to acceptable levels. This is important for releasing OSS, because the government can release software as OSS if it has unlimited rights. Conversely, if it is widely used, has many developers, and so on, the likelihood of review increases. The doctrine of unclean hands, per law.com, is "a legal doctrine which is a defense to a complaint, which states that a party who is asking for a judgment cannot have the help of the court if he/she has done anything unethical in relation to the subject of the lawsuit." Enforcing the GNU GPL by Eben Moglen is a brief essay that argues why the GNU General Public License (GPL), specifically, is enforceable. An OTD project might be OSS, but it also might not be (it might be OGOTS/GOSS instead).
Q: What is the legal basis of OSS licenses? Going through our RMF/DICAP and cannot find the Air Force Approved Software List anywhere. By "dominate", we mean that when software covered by those pairs of licenses is merged, the dominating license essentially governs the resulting combination, because the dominating license essentially includes all the key terms of the other license. Even if an OTD project is not OSS itself, an OTD project will typically use, improve, or create OSS components. Do you have the necessary other intellectual rights (e.g., patents)? As more improvements are made, more people can use the product, creating more potential users as developers, like a snowball that gains mass as it rolls downhill. Even for many modifications (e.g., bug fixes) this causes no issues, because in many cases the DoD has no interest in keeping those changes confidential. However, if the covered software/library is itself modified, then additional conditions are imposed. Open source software is also called "Free software", "libre software", "Free/open source software" (FOSS or F/OSS), and "Free/Libre/Open Source Software" (FLOSS). (Such terms might include open source software, but could also include other software.) Here is an explanation of these categories, along with common licenses used in each category (see The Free-Libre / Open Source Software (FLOSS) License Slide): In general, legal analysis is required to determine if multiple programs, covered by different OSS licenses, can be legally combined into a single larger work. All new software products must go through the systems change request approval process and complete a satisfactory risk assessment. Such developers need not be cleared, for example. U.S. law governing federal procurement: U.S. Code Title 41, Section 103 defines "commercial product" as including "a product, other than real property, that (A) is of a type customarily used by the general public or by nongovernmental entities for purposes other than governmental purposes; and (B) has been sold, leased, or licensed, or offered for sale, lease, or license, to the general public." However, if you're going to rely on the OSS community, you must make sure that the OSS community for that product is active, and that you have suitably qualified staff to implement the upgrades/enhancements developed by the community. Requiring the use of very unusual development tools may impede development, unless those tools provide a noticeable advantage. Document the project's purpose, scope, and major decisions; users must be able to quickly determine if this project might meet their needs. DoD contractors who always ignore components because they are OSS, or because they have a particular OSS license they don't prefer, risk losing projects to more competitive bidders. This can increase the number of potential users. It points to various studies related to market share, reliability, performance, scalability, security, and total cost of ownership. Before starting, have a clear understanding of the reasons to migrate; ensure that there is active support for the change from IT staff and users; make sure that there is a champion for change (the higher up in the organisation the better); build up expertise and relationships with the OSS movement; ensure that each step in the migration is manageable. Once the government has unlimited rights, it may release that software to the public under any terms it wishes, including by using the GPL. 31 U.S.C.
Q: Is there a name for software whose source code is publicly available, but does not meet the definition of open source software? These decisions largely held that the GNU General Public License, version 2 was enforceable in a series of five related legal cases loosely referred to as Versata v. Ameriprise, although there were related suits against Versata by XimpleWare. Windows Services for UNIX 3.0 is a good example of commercial use of GPL application mixing. Include upgrade/maintenance costs, including indirect costs (such as hardware replacement if necessary to run updated software), in the TCO. There are valid business reasons, unrelated to security, that may lead a commercial company selling proprietary software to choose to hide source code (e.g., to reduce the risk of copyright infringement or the revelation of trade secrets). Prior art invalidates patents. Since OSS provides source code, there is no problem. Examples of OSS that are in widespread use include: There are many Linux distributions which provide suites of such software, such as Red Hat Enterprise Linux, Fedora, SUSE, Debian and Ubuntu. Gartner Group's Mark Driver stated in November 2010 that "Open source is ubiquitous, it's unavoidable ... having a policy against open source is impractical and places you at a competitive disadvantage." FRCS projects will be required to meet RMF requirements and, if required, obtain an Authorization To Operate (ATO). At project start, the project creators (who create the initial trusted repository) are the trusted developers, and they determine who else may become a trusted developer of this initial trusted repository. Anyone who is considering this approach should obtain a determination from general counsel first (and please let the FAQ authors know!).
1498, the exclusive remedy for patent or copyright infringement by or on behalf of the Government is a suit for monetary damages against the Government in the Court of Federal Claims. The NSA/CSS Evaluated Products Lists cover equipment that meets NSA specifications. OGOTS/GOSS software is often not OSS; software is only OSS if it meets the definition of OSS. Thus, in many cases a choice of venue clause is not an insurmountable barrier to acceptance of the software delivery by the government. Q: When a DoD contractor is developing a new system/software as a deliverable in a typical DoD contract, is it possible to use existing software licensed using the GNU General Public License (GPL)? Section 6.C.3.a notes that the voluntary services provision is not new; it first appeared, in almost identical form, back in 1884. Dynamic attacks (e.g., generating input patterns to probe for vulnerabilities and then sending that data to the program to execute) don't need source or binary. DoDIN Approved Products List. This also pressures proprietary implementations to limit their prices, and such lower prices for proprietary software also encourage use of the standard. It costs essentially nothing to download a file. Software might not infringe on a patent when it was released, yet the same software may later infringe on a patent if the patent was granted after the software's release. Q: Can OSS licenses and approaches be used for material other than software? No, complying with OSS licenses is much easier than with proprietary licenses if you only use the software in the same way that proprietary software is normally used.
The GNU General Public License (GPL) is the most common OSS license; while you do not need to use the GPL, it is often unwise to choose a license incompatible with the majority of OSS. Community OSS support is never enough by itself to provide this support, because the OSS community cannot patch your servers or workstations for you. This page is an educational resource for government employees and government contractors to understand the policies and legal issues relating to the use of open source software (OSS) in the United States Department of Defense (DoD). The 2009 DoD CIO memo on open source software says, in attachment 2, 2(d), "The use of any software without appropriate maintenance and support presents an information assurance risk." No. Under the DFARS or the FAR, the government can release software as open source software once it receives unlimited rights to that software. Is it COTS? Yes, both the government and contractors may obtain and use trademarks, service marks, and/or certification marks for software, including OSS. The 2003 MITRE study section 1.3.4 outlines several ways to legally mix GPL with proprietary or classified software: Often such separation can occur by separating information into data and a program that uses it, or by defining distinct layers. If the intent of a contract is to develop software to be released as open source software, it is best to expressly include release as OSS as part of the contract. Open source software licenses grant more rights than proprietary software licenses, but they are still conditional licenses that require the user to obey certain terms. A service mark is "a word, phrase, symbol or design, or a combination thereof, that identifies and distinguishes the source of a service rather than goods."
As far as I have heard, unless you are a programmer then you aren't getting any actual development software. For the DoD, the risks of failing to consider the use of OSS where appropriate are increased cost, increased schedule, and/or reduced performance (including reduced innovation or security) to the DoD due to the failure to use the commercial software that best meets the needs (when that is the case). In some cases a DoD contractor may be required to transfer copyright to the government for works produced under contract (see DFARS 252.227-7020). As the program becomes more capable, more users are attracted to using it. However, often software can be split into various components, some of which are classified and some of which are not, and it is to these unclassified portions that this text is addressed. disa.meade.ie.list.approved-products-certification-office@mail.mil. Users can get their software directly from the trusted repository, or get it through distributors who acquire it (and provide additional value such as integration with other components, testing, special configuration, support, and so on). In nearly all cases, OSS is commercial software, so the policies regarding commercial software continue to apply to OSS. Q: Has the U.S. government released OSS projects or improvements? No. You can support OSS either through a commercial organization, or you can self-support OSS; in either case, you can use community support as an aid. These services must be genuinely generic in the sense that the applications that use them must not depend on the detailed design of the GPL software to work. The DoD already uses a wide variety of software licensed under the GPL. Thus, complex license management processes to track every installation or use of the software, or who is permitted to use the software, are completely unnecessary.
A 2003 MITRE study, Use of Free and Open Source Software (FOSS) in the U.S. Department of Defense, identified many OSS programs that the DoD is already using that are licensed using the GPL. See GPL FAQ, "Who has the power to enforce the GPL?". What is Open Technology Development (OTD)? As noted above, in nearly all cases, open source software is considered commercial software by U.S. law, the FAR, and the DFARS. Referenced materials:
Clarifying Guidance Regarding Open Source Software (OSS)
a list of licenses which have successfully gone through the approval process and comply with the Open Source Definition
publishes a list of licenses that meet the Free Software Definition
good licenses that Fedora has determined are open source software licenses
Federal Source Code Policy, OMB Memo 16-21
National Defense Authorization Act for FY2018
http://www.doncio.navy.mil/contentview.aspx?id=312
http://www.dtic.mil/dtic/tr/fulltext/u2/a450769.pdf
http://www.whitehouse.gov/omb/memoranda/fy04/m04-16.html
http://www.army.mil/usapa/epubs/pdf/r25_2.pdf
Defense Federal Acquisition Regulation Supplement (DFARS), 40 CFR, Section 252.227-7014 Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation
European Interoperability Framework (EIF)
Bruce Perens' Open Standards: Principles and Practice
U.S. Court of Appeals for the Federal Circuit's 2008 ruling on Jacobsen v. Katzer
The Free-Libre / Open Source Software (FLOSS) License Slide
GPL linking exception term (such as the Classpath exception)
Maintaining Permissive-Licensed Files in a GPL-Licensed Project: Guidelines for Developers (Software Freedom Law Center)
Creative Commons does not recommend that you use one of their licenses for software
GPL FAQ, "Can I use the GPL for something other than software?"
GPL FAQ, "Who has the power to enforce the GPL?"
2003 MITRE study, Use of Free and Open Source Software (FOSS) in the U.S. Department of Defense
Secure Programming for Linux and Unix HOWTO
in 2003 the Linux kernel development process resisted an attack
"Software comes from the place where it's converted into object code," says CBP, FierceGovernmentIT
Gartner Group's Mark Driver stated in November 2010
Estimating the Total Development Cost of a Linux Distribution
Open Source Software for Imagery & Mapping (OSSIM)
Open Source Alternatives (Ben Balter et al.)
The good news is that, by definition, OSS provides its source code, enabling a more informed evaluation than is typically available for other kinds of COTS products. These lists apply to all NSA/CSS elements, contractors, and personnel, and pertain to all IS storage devices that they use. Thus, avoid releasing software under only the original (4-clause) BSD license (which has been replaced by the "new" or "revised" 3-clause license), the Academic Free License (AFL), the now-abandoned Common Public License 1.0 (CPL), the Open Software License (OSL), or the Mozilla Public License version 1.1 (MPL 1.1). An Open Source Community can update the codebase, but they cannot patch your servers. Thus, even this FAQ was developed using open source software. In addition, since the source code is publicly released, anyone can review it, including for the possibility of malicious code. No. U.S. government contractors (including those in the DoD) are often indemnified from patent infringement by the U.S. government as part of their contract. Only some developers are allowed to modify the trusted repository directly: the trusted developers. No, although they work well together, and both are strategies for reducing vendor lock-in.
An agency that failed to consider open source software, and instead only considered proprietary software, would fail to comply with these laws, because it would unjustifiably exclude a significant part of the commercial market. In Wallace vs. FSF, Judge Daniel Tinder stated that the GPL "encourages, rather than discourages, free competition and the distribution of computer operating systems" and found no anti-trust issues with the GPL. "The public release of the item is not restricted by other law or regulation, such as the Export Administration Regulations or the International Traffic in Arms Regulation, and the item qualifies for Distribution Statement A, per DoD Directive 5230.24 (reference (i))." As always, if there are questions, consult your attorney to discuss your specific situation. Government employees may also modify existing open source software. Patents expire after 20 years, so any idea (invention) implemented in software publicly available for more than 20 years should not, in theory, be patentable. Parties are innocent until proven guilty, so if there. The Department of Defense (DoD) Software Modernization Strategy was approved Feb. 1. The government can typically release software as open source software once it has unlimited rights to the software. Even if source code is necessary (e.g., for source code analyzers), adequate source code can often be regenerated by disassemblers and decompilers sufficiently to search for vulnerabilities.
If the contractor was required to transfer copyright to the government for works produced under contract (e.g., because the FAR 52.227-17 or DFARS 252.227-7020 clauses apply to it), then the government can release the software as open source software, because the government owns the copyright. Q: How should I create an open source software project? Q: How can I get support for OSS that already exists? The program available to the public may improve over time, through contributions not paid for by the U.S. government. "Any reproduction of this computer software, or portions thereof, marked with this legend must also reproduce these markings." For example, a Code Analysis of the Linux Wireless Team's ath5k Driver found no license problems. For disposal or recycling per NSA/CSS Policy Manual 9-12, "Storage Device Sanitization and Destruction Manual": Information stored on these. 1342, Limitation on voluntary services. The Defense Information Systems Agency maintains the DOD Information Network (DODIN) Approved Products List (APL) process, as outlined in DOD Instruction 8100.04, on behalf of the Department of Defense. Use a common OSS license well-known to be OSS (GPL, LGPL, MIT/X, BSD-new, Apache 2.0); don't write your own license. For more information, see the. Senior leaders across DoD see bridging the tactical edge and embedding resilience to scale as key issues moving forward. The example of Borland's InterBase/Firebird is instructive. Q: Is OSS commercial software? Export control laws are often not specifically noted in OSS licenses, but nevertheless these laws also govern when and how software may be released. Permissive: These licenses permit the software to become proprietary (i.e., not OSS).
Thus, they are all strategies for sharing the development and maintenance costs of software, potentially reducing its cost. Yes, in general. Notepad, PowerShell, and Excel are great alternatives. It may be illegal to modify proprietary software, but that will normally not slow an attacker. The DoDIN APL is managed by the Approved Products Certification Office (APCO). What are good practices for use of OSS in a larger system? The Air Force's program comes with a slight caveat: it's actually called Bring Your Own Approved Device (BYOAD); airmen won't be able to. The FAR and DFARS specifically permit different agreements to be struck (within certain boundaries). As noted by the OSJTF definition for open systems, be sure to test such systems with more than one web browser (e.g., Google Chrome, Microsoft Edge and Firefox), to reduce the risk of vendor lock-in. Under U.S. copyright law, users must have permission (i.e. Also, since there are a limited number of users, there is limited opportunity to gain from user innovation, which again can lead to obsolescence. In the Intelligence Community (IC), the term "open source" typically refers to overt, publicly available sources (as opposed to covert or classified sources). Note that this also applies to proprietary software, which often has even stricter limits on if/how the software may be changed. OSS licenses can be grouped into three main categories: permissive, strongly protective, and weakly protective. Choose a license that best meets your goals. The release of the software may be restricted by the International Traffic in Arms Regulation (ITAR) or Export Administration Regulation (EAR). Control enhancement CM-7(8) states that an organization must "prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code."
Commercially-available software that is not open source software is typically called "proprietary" or "closed source" software. TCG LinkPRO, TCG BOSS, and TCG GTS all earn placement on DOD's OTI evaluated/approved products list. Open source software that has at least one non-governmental use, and is licensed to the public, is commercial software. Q: What is the country of origin for software? Q: Is this related to open source intelligence? Support for OSS is often sold separately; in such cases, you must comply with the support terms for those uses to receive support, but these are typically the same kinds of terms that apply to proprietary software (and they tend to be simpler in practice). For example, the Government has public release rights when the software is developed by Government personnel, when the Government receives unlimited rights in software developed by a contractor at Government expense, or when pre-existing OSS is modified by or for the Government. Contractors for other federal agencies may have a different process to use, but after going through a process they can often release such software as open source software. The Department of Defense Information Network (DoDIN) Approved Products List (APL) is the single consolidated list of products that affect communication and collaboration across the DoDIN. When considering any software (OSS or proprietary), look for evidence that the risk of unlawful release is low. However, note that the advantages of cost-sharing only apply if there are many users; if no user/co-developer community is built up, then it can be as costly as GOTS. Q: Isn't using open source software (OSS) forbidden by DoD Information Assurance (IA) Policy?
DISA has updated the APL Integrated Tracking System, a web-based user database, to list products that have been approved and the current status of remaining items that are still in process. DFARS 252.227-7014(a)(15) defines "unlimited rights" as "rights to use, modify, reproduce, release, perform, display, or disclose computer software or computer software documentation in whole or in part, in any manner and for any purpose whatsoever, and to have or authorize others to do so." At a high level, DoD policy requires commercial software (including OSS) to come with either a warranty or source code, so that the software can be maintained when necessary by the supplier or the government. No. Unlike proprietary COTS, GOTS has the advantage that the government has the right to change the software whenever the government chooses to do so. The term "Free software" predates the term "open source software", but the term "Free software" has sometimes been misinterpreted as meaning "no cost", which is not the intended meaning in this context. Its flexibility is as high as GOTS, since it can be arbitrarily modified. This memorandum only applies to Navy and Marine Corps commands, but may be a useful reference for others. In some cases, there are nationally strategic reasons the software should not be released to the public (e.g., it is classified). In addition, a third party who breaches a software license (including for OSS) granted by the government risks losing rights they would normally have due to the doctrine of unclean hands. Government lawyers and Contracting Officers are trained to try to negotiate licenses which resolve these ambiguities without having to rely on the less-satisfying Order of Precedence, but generally accede when licenses in question are non-negotiable, such as with OSS licenses in many cases. Yes, extensively.
If that competitor's use of OSS results in an advantage to the DoD (such as lower cost, faster schedule, increased performance, or other factors such as increased flexibility), contractors should expect that the DoD will choose the better bid. Even where there is GOTS/classified software, such software is typically only a portion of the entire system, with other components implemented through COTS components. Others do not like the term GOSS, because GOSS is not actually OSS, and they believe the term can be misleading. The Red Book explains its purpose: "since an agency cannot directly obligate in excess or advance of its appropriations, it should not be able to accomplish the same thing indirectly by accepting ostensibly voluntary services and then presenting Congress with the bill, in the hope that Congress will recognize a moral obligation to pay for the benefits conferred."