Q: Does the DoD use OSS for security functions? This is in addition to the advantages from OSS because it can be reviewed, modified, and redistributed with few restrictions (inherent in the definition of OSS). (Note that such software would often be classified.) If that competitor's use of OSS results in an advantage to the DoD (such as lower cost, faster schedule, increased performance, or other factors such as increased flexibility), contractors should expect that the DoD will choose the better bid. In many cases, yes, but this depends on the specific contract and circumstances. However, if you're going to rely on the OSS community, you must make sure that the OSS community for that product is active, and that you have suitably qualified staff to implement the upgrades/enhancements developed by the community. The DDR&E, Advanced Capabilities Modular Open Systems Approach web page also provides some useful background. However, this cost-sharing is done in a rather different way than in proprietary development. Knowledge is more important than the licensing scheme. Note that under the DoD definition of open source software, such public domain software is open source software. Going through our RMF/DICAP and cannot find the Air Force Approved Software List anywhere. Contracts under the federal government FAR, but not the DFARS, often use clause FAR 52.227-14 (Rights in Data - General). There are two runways supporting an average of 47,000 aircraft operations . On approval, such containers are granted a "Certificate to Field" designation by the Air Force Chief Software Officer. Q: Can OSS licenses and approaches be used for material other than software? Air Force Command and Control at the Start of the New Millennium. It also risks reduced flexibility (including against cyberattack), since OSS permits arbitrary later modification by users in ways that some other license approaches do not. Navy - 1-877-418-6824.
There are far too many examples to list; a few examples are: The key risk is the revelation of information that should not be released to the public. Each hosting service tends to be focused on particular kinds of projects, so prefer a hosting service that well-matches the project. Another useful source is the list of licenses accepted by the Google code hosting service. This control enhancement is based on the need for some way to update software to fix problems after they are discovered. The IDA Open Source Migration Guidelines recommend: It also suggests that the following questions need to be addressed: It also recommends ensuring that decisions made now, even if they do not relate directly to a migration, should not further tie an Administration to proprietary file formats and protocols. The information on this page does not constitute legal advice and any legal questions relating to specific situations should be referred to legal counsel. (Supports Block Load, Room-by-Room Load, Zone-by-Zone and Adequate Exposure Diversity or AED Calculations) Wrightsoft Right-J8. The U.S. Court of Appeals for the Federal Circuit's 2008 ruling on Jacobsen v. Katzer made it clear that OSS licenses are enforceable, even if money is not exchanged. Part of the ADA, Pub.L. Note that many of the largest commercially-supported OSS projects have their own sites. In some cases, the sources of information for OSS differ. Before starting, have a clear understanding of the reasons to migrate; ensure that there is active support for the change from IT staff and users; make sure that there is a champion for change (the higher up in the organisation, the better); build up expertise and relationships with the OSS movement; ensure that each step in the migration is manageable. OSS and Security/Software Assurance/System Assurance/Supply Chain Risk Management.
The public release of the item is not restricted by other law or regulation, such as the Export Administration Regulations or the International Traffic in Arms Regulation, and the item qualifies for Distribution Statement A, per DoD Directive 5230.24 (reference (i))." Static attacks (e.g., analyzing the code instead of its execution) can use pattern-matches against binaries - source code is not needed for them either. REFERENCES: (a) AFI 33-210, "Air Force Certification and Accreditation (C&A)". DoDIN Approved Products List. However, the required FAR Clause 52.212-4(d) establishes that "This contract is subject to the Contract Disputes Act of 1978, as amended (41 U.S.C." The government normally gets unlimited rights in software when that software is created in the performance of a contract with government funds. However, you should examine past experience and your intended uses before depending on this as a primary mechanism for support. As far as I have heard, unless you are a programmer then you aren't getting any actual development software. Q: What are some military-specific open source software programs? Adobe Acrobat Reader software is copyrighted software which gives users instant access to documents in their original form, independent of computer platform. This isn't usually an issue because of how typical DoD contract clauses work under the DFARS. Software that meets very high reliability/security requirements, aka high assurance software, must be specially designed to meet such requirements. Most projects prefer to receive a set of smaller changes, so that they can review each change for correctness. The NSA/CSS Evaluated Products Lists identify equipment that meets NSA specifications. an Air Force community college and on 9 November 1971, General John D. Ryan, Air Force Chief of Staff, approved the establishment of the Community College of the Air Force. (See GPL FAQ, "Can I use the GPL for something other than software?".)
The project manager, program manager, or other comparable official determines that it is in the Government's interest to do so, such as through the expectation of future enhancements by others. Under the same reasoning, the CBP determined that building an object file from source code performed a substantial transformation into a new article. The DoD already uses a wide variety of software licensed under the GPL. Document the project's purpose, scope, and major decisions - users must be able to quickly determine if this project might meet their needs. In general, "Security by Obscurity" is widely denigrated. Also, since there are a limited number of users, there is limited opportunity to gain from user innovation - which again can lead to obsolescence. The CBP ruling points out that 19 U.S.C. This statute says that "An officer or employee of the United States Government or of the District of Columbia government may not accept voluntary services for either government or employ personal services exceeding that authorized by law except for emergencies involving the safety of human life or the protection of property." The US Government Accountability Office (GAO) Office of the General Counsel's Principles of Federal Appropriations Law (aka the "Red Book") explains federal appropriation law. OSS-like development approaches within the government. As noted by the OSJTF definition for open systems, be sure to test such systems with more than one web browser (e.g., Google Chrome, Microsoft Edge and Firefox), to reduce the risk of vendor lock-in. The DSOP is a joint effort of the DOD's Chief Information Officer and the Office of the Undersecretary of Defense for Acquisition and Sustainment. As an aid, the Open Source Initiative (OSI) maintains a list of licenses that are "popular and widely used or with strong communities". If the intent of a contract is to develop software to be released as open source software, it is best to expressly include release as OSS as part of the contract.
The 1997 InfoWorld Best Technical Support award was won by the Linux User Community. What is more, the supplier may choose to abandon the product; source-code escrow can reduce these risks somewhat, but in these cases the software becomes GOTS with its attendant costs. Similarly, OSS (as well as proprietary software) may indeed have malicious code embedded in it. You will need a Common Access Card (CAC) with DoD Certificates to access DoD Cyber Exchange NIPR. Thus, open systems require standards that are widely-supported and consensus-based; standards that meet these (and possibly some additional conditions) may be termed open standards. In practice, OSS projects tend to be remarkably clean of such issues. In particular, it found that DoD security depends on (OSS) applications and strategies, and that a hypothetical ban "would have immediate, broad, and in some cases strongly negative impacts on the ability of the DoD to analyze and protect its own networks against hostile intrusion". This is not uncommon. With practically no exceptions, successful open standards for software have OSS implementations. There is no DoD policy forbidding or limiting the use of software licensed under the GNU General Public License (GPL). The MITRE study did identify some of many OSS programs that the DoD is already using, and may prove helpful. a license) from the copyright holder(s) before they can obtain a copy of software to run on their system(s). Reasons for taking this approach vary. Certain FAR clause alternatives (such as FAR 52.227-17) require the contractor to assign the copyright to the government. Open source software that has at least one non-governmental use, and is licensed to the public, is commercial software. Similarly, U.S. Code Title 41, Section 104 defines the term "Commercially available off-the-shelf (COTS) item"; software is COTS if it is (a) a commercial product, (b) sold in substantial quantities in the commercial marketplace, and (c) is offered to the Federal Government, without modification, in the same form in which it is sold in the commercial marketplace. There are valid business reasons, unrelated to security, that may lead a commercial company selling proprietary software to choose to hide source code (e.g., to reduce the risk of copyright infringement or the revelation of trade secrets). 37 African nations, US kick off AACS 2023 in Senegal. GOTS software should not be released when it implements a strategic innovation, i.e. Established Oct. 1, 2013, the Defense Health Agency is the centerpiece of Military Health System governance reform, as outlined in the Deputy Secretary of Defense's March 11, 2013 Memorandum "Implementation of Military Health System Governance Reform." The DHA's role is to achieve greater integration of our direct and purchased health care delivery systems so that we accomplish the . As with all commercial items, organizations must obey the terms of the commercial license, negotiate a different license if necessary, or not use the commercial item. Creating any interface is an effort, and having a pre-defined standard helps reduce that effort greatly. Note that this also applies to proprietary software, which often has even stricter limits on if/how the software may be changed. Use of the DODIN APL allows DOD Components to purchase and operate systems over all DOD network . The Government has the rights to reproduce and release the item, and to authorize others to do so.
Government lawyers and Contracting Officers are trained to try to negotiate licenses which resolve these ambiguities without having to rely on the less-satisfying Order of Precedence, but generally accede when licenses in question are non-negotiable, such as with OSS licenses in many cases. How to ensure the interoperability of systems; how to build systems that are manageable. Thus, components that have the potential to (eventually) support many users are more likely to succeed. So if the program is being used and not modified (a very common case), this additional term has no impact. The United States Air Force operates a service called "Iron Bank", which is the DoD Enterprise repository of hardened software containers, many of which are based on open source products. MEMORANDUM FOR ALL MAJCOMs/FOAs/DRUs . A permissive license permits arbitrary use of the program, including making proprietary versions of it. A Boston Consulting Group study found that the average age of OSS developers was 30 years old, the majority had training in information technology and/or computer science, and on average had 11.8 years of computer programming experience. The Air Force will conduct its next "BRAVO" hackathon in March, and any U.S. citizen may apply. For more discussion on this topic, see the article "Open Source Software Is Commercial". When the program was released as OSS, within 5 months this vulnerability was found and fixed. Many analyses focus on versions of the GNU General Public License (GPL), since this is the most common OSS license, but analyses for other licenses are also available. The cases are too complicated to summarize here, other than to say that the GPLv2 was clearly regarded as enforceable by the courts. Users can send bug reports to the distributor or trusted repository, just as they could for a proprietary program. As noted above, in nearly all cases, open source software is considered commercial software by U.S. law, the FAR, and the DFARS. An example of such software is Expect, which was developed and released by NIST as public domain software. Again, these are examples, and not official endorsements of any particular product or supplier. Q: When a DoD contractor is developing a new system/software as a deliverable in a typical DoD contract, is it possible to use existing software licensed using the GNU General Public License (GPL)? The Department of Defense invests tens of thousands of dollars in training for its Service members. Software might not infringe on a patent when it was released, yet the same software may later infringe on a patent if the patent was granted after the software's release. Patents expire after 20 years, so any idea (invention) implemented in software publicly available for more than 20 years should not, in theory, be patentable. (4) Waivers for non-FDA approved medications will not be considered. Note also that merely being developed for the government is no guarantee that there is no malicious embedded code. Approved software is listed on the DCMA Approved Software List. Note that Creative Commons does not recommend that you use one of their licenses for software; they encourage using one of the existing OSS licenses which were designed specifically for use with software. Ensure that security is designed in from the start and not tacked on as an afterthought. This approach may inhibit later release of the combined result to other parties (e.g., allies), as release to an ally would likely be considered "distribution" as defined in the GPL. disa.meade.ie.list.approved-products-certification-office@mail.mil. By August 1941, American president Franklin Roosevelt and British prime minister Winston Churchill had drafted the Atlantic Charter to define goals for the post-war world. Yes, both the government and contractors may obtain and use trademarks, service marks, and/or certification marks for software, including OSS.
Commander offers insight during Black History celebration at Oklahoma Capitol. DISA has updated the APL Integrated Tracking System, a web-based user database, to list products that have been approved and the current status of remaining items that are still in process. OSS options should be evaluated in principle the same way you would evaluate any option, considering need, cost, and so on. Air Force - (618)-229-6976, DSN 779. Typically this will include a source code version management system, a mailing list, and an issue tracker. Is it COTS? A copyright holder who releases creative works under one of the Creative Commons licenses that permit commercial use and modifications would be using an OSS-like approach for such works. Execution: Mixing GPL and other software can run at the same time on the same computer or network. But what is radically different is that a user can actually make a change to the program itself (either directly, or by hiring someone to do it). Otherwise, choose some existing OSS license, since all existing licenses add some legal protections from lawsuits. 75 Years of Dedicated Service. 2 Commanders Among 6 Fired from Jobs at Minot Air Force Base Col. Gregory Mayer, the commander of the 5th Mission Support Group, and Maj. Jonathan Welch, the commander of the 5th. This is often done when the deliverable is a software application; instead of including commercially-available components such as the operating system or database system as part of the deliverable, the deliverable could simply state what it requires. By "dominate", that means that when software with those pairs of licenses is merged, the dominating license essentially governs the resulting combination, because the dominating license essentially includes all the key terms of the other license.
Home use of the antivirus products will not only protect personal PCs, but will also potentially lessen the threat of malicious logic being introduced to the workplace and compromising DoD networks. Florida Solar Energy Center's EnergyGauge. The DoD is, of course, not the only user of OSS. Yes; Why Open Source Software / Free Software (OSS/FS, FLOSS, or FOSS)? In nearly all cases, OSS is commercial software, so the policies regarding commercial software continue to apply to OSS. Control enhancement CM-7(8) states that an organization must prohibit "the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code". 2518(4)(B) says that "An article is a product of a country or instrumentality only if (i) it is wholly the growth, product, or manufacture of that country or instrumentality, or (ii) in the case of an article which consists in whole or in part of materials from another country or instrumentality, it has been substantially transformed into a new and different article of commerce with a name, character, or use distinct from that of the article or articles from which it was so transformed." The CBP also pointed out a ruling (Data General v. United States, 4 CIT 182 (1982)), that programming a PROM performed a substantial transformation. This has never been true, and explaining this takes little time. For example, software that can only be used for government purposes is not OSS, since it cannot be used for any purpose. New York ANG supports Canadian arctic exercise. Classified information may not be released to the public without special authorization to do so. Q: Do choice of venue clauses automatically disqualify OSS licences? Enables families, visitors and the public to locate gravesites, events or other points of interest throughout the cemetery.
This clause establishes that the choice of venue clause (category 4) is superseded by the Contract Disputes Act (category 2), and thus the conflict is typically moot. If you have concerns about using in-house staff, augmented by the OSS community for those components, then select and pay a commercial organization to provide the necessary support. Requiring the use of very unusual development tools may impede development, unless those tools provide a noticeable advantage. Here's a list of potentially banned peptides: Adipotide FTPP. By U.S. Cybercom Command Public Affairs | Aug. 12, 2022. Contractors for other federal agencies may have a different process to use, but after going through a process they can often release such software as open source software. Some OSS is very secure, while other OSS is not; some proprietary software is very secure, while other proprietary software is not. Marines - (703) 432-1134, DSN 378. You may only claim that a trademark is registered if it is actually registered. Windows Services for UNIX 3.0 is a good example of commercial use of GPL application mixing. Where possible, it may be better to divide such components into smaller components in a way that avoids this issue. Questions about why the government - who represents the people - is not releasing software (that the people paid for) back to the people. Once software exists, all costs are due to maintenance and support of software. Instead, Government employees must ensure that they do not accept services rendered in the hope that Congress will subsequently recognize a "moral obligation" to pay for the benefits conferred. Yes. This makes the expectations clear to all parties, which may be especially important as personnel change.
As noted in the article "Open Source memo doesn't mandate a support vendor" (by David Perera, FierceGovernmentIT, May 23, 2012), the intent of the memo was not to issue a blanket requirement that all open source software come bundled with contractor support or else it can't be used. "If a Defense agency is able to sustain the open source software with its own skills and talents then that can be enough to satisfy the intent of the memo." In addition, "How robust the support plan need be can also vary on the nature of the software itself. For command and control software, the degree would have to be greater than for something that's not so critical to mission execution." They can obtain this by receiving certain authorization clauses in their contracts. Wikipedia's "Comparison of OSS hosting facilities" page may be helpful in identifying existing hosting facilities, as well as some of their pros and cons. Similarly, delaying a component's OSS release too long may doom it, if another OSS component is released first. Examples include GPL applications running on proprietary operating systems or wrappers, and GPL applications that use proprietary components explicitly marked as non-GPL. This process provides a single, consolidated list of products that have met cybersecurity and interoperation certification requirements. Thus, OSS available to the public and used unchanged is normally COTS. (See also Free Software Foundation License List, Public Domain), (See also GPL FAQ, Question "Can the US Government release improvements to a GPL-covered program?"). Q: What are synonyms for open source software? There is no injunctive relief available, and there is no direct cause of action against a contractor that is infringing a patent or copyright with the authorization or consent of the Government (e.g., while performing a contract). FRCS projects will be required to meet RMF requirements and if required, obtain an Authorization To Operate (ATO .
As stated in FAR 25.103 Exceptions item (e), "The restriction on purchasing foreign end products does not apply to the acquisition of information technology that is a commercial item, when using fiscal year 2004 or subsequent fiscal year funds (Section 535(a) of Division F, Title V, Consolidated Appropriations Act, 2004, and similar sections in subsequent appropriations acts)."