Unlike proprietary COTS, GOTS has the advantage that the government has the right to change the software whenever the government chooses to do so. Q: Is there any quantitative evidence that open source software can be as good as (or better than) proprietary software? Q: Isn't using open source software (OSS) forbidden by DoD Information Assurance (IA) Policy? In some cases, there are nationally strategic reasons the software should not be released to the public (e.g., it is classified). At project start, the project creators (who create the initial trusted repository) are the trusted developers, and they determine who else may become a trusted developer of this initial trusted repository. FAR 52.227-1 (Authorization and Consent), as prescribed by FAR 27.201-2(a)(1), inserts the clause that the Government authorizes and consents to all use and manufacture of any invention (covered by) U.S. patent. The 2009 DoD CIO memo on open source software says, in attachment 2, 2(d), "The use of any software without appropriate maintenance and support presents an information assurance risk." The Government has the rights to reproduce and release the item, and to authorize others to do so. This approach may inhibit later release of the combined result to other parties (e.g., allies), as release to an ally would likely be considered "distribution" as defined in the GPL.
The Red Book explains its purpose: since an agency cannot directly obligate in excess or advance of its appropriations, it should not be able to accomplish the same thing indirectly by accepting ostensibly voluntary services and then presenting Congress with the bill, in the hope that Congress will recognize a moral obligation to pay for the benefits conferred. What contract applies, what are its terms, and what decisions have been made? There are far too many examples to list; a few examples are: The key risk is the revelation of information that should not be released to the public. Computer and electronic hardware that is designed in the same fashion as open source software (OSS) is sometimes termed "open source hardware". You can support OSS either through a commercial organization, or you can self-support OSS; in either case, you can use community support as an aid. Thus, they are all strategies for sharing the development and maintenance costs of software, potentially reducing its cost. What is its relationship to OSS? OSS projects typically seek financial gain in the form of improvements. Developers/reviewers need security knowledge. Do you have the materials (e.g., source code), and are all materials properly marked? Q: Is there a large risk that widely-used OSS unlawfully includes proprietary software (in violation of copyright)? In particular, U.S. law (10 USC 2377) requires a preference for commercial products for procurement of supplies or services. Q: Can the government release software under an open source license if it was developed by contractors under government contract? Note that enforcing such separation has many other advantages as well. First, get approval to publicly release the software.
The doctrine of "unclean hands", per law.com, is "a legal doctrine which is a defense to a complaint, which states that a party who is asking for a judgment cannot have the help of the court if he/she has done anything unethical in relation to the subject of the lawsuit." No, DoD policy does not require you to have commercial support for OSS, but you must have some plan for support. The 1997 InfoWorld Best Technical Support award was won by the Linux User Community. Patent examiners have relatively little time to review each patent, and do not have effective access to most prior art in software, which may lead them to grant patents for previously-published inventions or obvious inventions. Gartner Group's Mark Driver stated in November 2010 that "Open source is ubiquitous, it's unavoidable... having a policy against open source is impractical and places you at a competitive disadvantage." OSS is typically developed through a collaborative process. In many cases, yes, but this depends on the specific contract and circumstances. What are good practices for use of OSS in a larger system? In addition, DISA has initiated an assessment of the APL process, which was enacted nearly a decade ago, to ensure that current procedures align with new and evolving departmental priorities. However, support from in-house staff, augmented by the OSS community, may be (and often is) sufficient. Is it COTS? Note also that merely being developed for the government is no guarantee that there is no malicious embedded code. This is particularly the case where future modifications by the U.S. government may be necessary, since OSS by definition permits modification. If you know of an existing proprietary product that meets your needs, searching for its name plus "open source" may help.
Indeed, vulnerability databases such as CVE make it clear that merely hiding source code does not counter attacks. Hiding source code does inhibit the ability of third parties to respond to vulnerabilities (because changing software is more difficult without the source code), but this is obviously not a security advantage. A GPLed program can run on top of a classified/proprietary platform when the platform is a separate "System Library" (as defined in GPL version 3). Prior art invalidates patents. Yes; "Why Open Source Software / Free Software (OSS/FS, FLOSS, or FOSS)?" OTD is an approach to software/system development in which developers (in multiple organizations) collaboratively develop and maintain software or a system in a decentralized fashion. Where it is unclear, make it clear what the "source" or "source code" means. Q: What are some military-specific open source software programs? If the contract includes the typical FAR 52.227-14 (Rights in Data - General) clause, without any special alternatives or additions, then the contractor must make a written request for permission to assert copyright in works containing data first produced under the contract. Q: How does open source software relate to the Buy American Act? Bruce Perens noted back in 1999, "Do not write a new license if it is possible to use (a common existing license)... The propagation of many different and incompatible licenses works to the detriment of Open Source software because fragments of one program cannot be used in another program with an incompatible license."
Many view OSS license proliferation as a problem; Serdar Yegulalp's 2008 "Open Source Licensing Implosion" (InformationWeek) noted that not only are there too many OSS licenses, but that "the consequences for blithely creating new ones are finally becoming concrete... the vast majority of open source products out there use a small handful of licenses... Now that open source is becoming (gasp) a mainstream phenomenon, using one of the less-common licenses or coming up with one of your own works against you more often than not." Q: Can OSS licenses and approaches be used for material other than software? Typically enforcement actions are based on copyright violations, and only copyright holders can raise a copyright claim in U.S. court. These lists apply to all NSA/CSS elements, contractors, and personnel, and pertain to all IS storage devices that they use. Before starting, have a clear understanding of the reasons to migrate; ensure that there is active support for the change from IT staff and users; make sure that there is a champion for change (the higher up in the organisation the better); build up expertise and relationships with the OSS movement; ensure that each step in the migration is manageable. Q: How do GOTS, Proprietary COTS, and OSS COTS compare? In many cases, weakly protective licenses are used for common libraries, while strongly protective licenses are used for applications. As explained in detail below, nearly all OSS is "commercial computer software" as defined in US law and the Defense Federal Acquisition Regulation Supplement, and if it is used unchanged (or with only minor changes), it is almost always COTS.
The 2003 MITRE study, section 1.3.4, outlines several ways to legally mix GPL with proprietary or classified software. Often such separation can occur by separating information into data and a program that uses it, or by defining distinct layers. Under the current DoD contracting regime, the contractor usually retains the copyright for software developed with government funding, so in such cases the contractor (not the government) has the right to sue for copyright violation. As noted by the OSJTF definition for open systems, be sure to test such systems with more than one web browser (e.g., Google Chrome, Microsoft Edge and Firefox), to reduce the risk of vendor lock-in. Example: GPL software can be stored on the same computer disk as (most kinds of) proprietary software. Some protocols and formats have been specifically devised and reviewed to avoid patents; using them is more likely to avoid problems. Other laws must still be obeyed. This can increase the number of potential users. Here is an explanation of these categories, along with common licenses used in each category (see The Free-Libre / Open Source Software (FLOSS) License Slide). In general, legal analysis is required to determine if multiple programs, covered by different OSS licenses, can be legally combined into a single larger work. As noted by the 16 October 2009 policy memorandum from the DoD CIO, in almost all cases OSS is a commercial item as defined by US Law (Title 41) and regulation (the FAR). It is usually far better to stick to licenses that have already gone through legal review and are widely used in the commercial world. That said, this does not mean that all OSS is superior to all proprietary software in all cases by all measures. If the supplier attains a monopoly or it is difficult to switch from the supplier, the costs may skyrocket.
Other documents that you may find useful include: Frequently Asked Questions regarding Open Source Software (OSS) and the Department of Defense (DoD). Since OSS licenses are quite generous, the only license-violating actions a developer is likely to try are to release software under a more stringent license, and those will have little effect if they cannot be enforced in court. Instead, Government employees must ensure that they do not accept services rendered in the hope that Congress will subsequently recognize a moral obligation to pay for the benefits conferred. On approval, such containers are granted a "Certificate to Field" designation by the Air Force Chief Software Officer. Q: How does open source software work with open systems/open standards? Export control laws are often not specifically noted in OSS licenses, but nevertheless these laws also govern when and how software may be released. Choose a GPL-compatible license. For disposal or recycling per NSA/CSS Policy Manual 9-12, "Storage Device Sanitization and Destruction Manual": Information stored on these. Wikipedia maintains an encyclopedia using approaches similar to open source software approaches.
If this is the case, then the contractor cannot release the software as OSS without permission, because the contractor doesn't own the copyright. It is a survey paper that provides quantitative data that, in many cases, using open source software / free software (abbreviated as OSS/FS, FLOSS, or FOSS) is "a reasonable or even superior approach to using their proprietary competition according to various measures... (its) goal is to show that you should consider using OSS/FS when acquiring software." At a high level, DoD policy requires commercial software (including OSS) to come with either a warranty or source code, so that the software can be maintained when necessary by the supplier or the government. In the Intelligence Community (IC), the term "open source" typically refers to overt, publicly available sources (as opposed to covert or classified sources). (See GPL FAQ, "Can I use the GPL for something other than software?".) Note that this also applies to proprietary software, which often has even stricter limits on if/how the software may be changed. The NSA/CSS Evaluated Products List lists equipment that meets NSA specifications. Government lawyers and Contracting Officers are trained to try to negotiate licenses which resolve these ambiguities without having to rely on the less-satisfying Order of Precedence, but generally accede when licenses in question are non-negotiable, such as with OSS licenses in many cases. In addition, ignoring OSS would not be lawful; U.S. law specifically requires consideration of commercial software (including extant OSS, regardless of exactly which license it uses), and specifically instructs departments to pass this requirement to consider commercial items down to contractors and their suppliers at all tiers. This enables cost-sharing between users, as with proprietary development models. U.S. law governing federal procurement (U.S. Code Title 41, Chapter 7, Section 103) defines "commercial product" as "a product, other than real property, that- (A) is of a type customarily used by the general public or by nongovernmental entities for purposes other than governmental purposes; and (B) has been sold, leased, or licensed, or offered for sale, lease, or license, to the general public". An OSS implementation can be read and modified by anyone; such implementations can quickly become a working reference model (a sample implementation or an executable specification) that demonstrates what the specification means (clarifying the specification) and demonstrates how to actually implement it. These cases were eventually settled by the parties, but not before certain claims regarding the GPLv2 were decided. Software might not infringe on a patent when it was released, yet the same software may later infringe on a patent if the patent was granted after the software's release. Q: What are the risks of failing to consider the use of OSS components or approaches? In addition, widely-used licenses and OSS projects often include additional mechanisms to counter this risk. Once an invention is released to the public, the inventor has only one year to file for a patent, so any new ideas in some software must have a patent filed within one year by that inventor, or (in theory) they cannot be patented. As noted above, in software, "Open Source" refers to software for which the human-readable source code is available for use, study, re-use, modification, enhancement, and re-distribution by the users of such software.
The United States Air Force operates a service called "Iron Bank", which is the DoD Enterprise repository of hardened software containers, many of which are based on open source products. Q: Can contractors develop software for the government and then release it under an open source license? Such source code may not be adequate to cost-effectively. The terms that apply to usage and redistribution tend to be trivially easy to meet (e.g., you must not remove the license or author credits when re-distributing the software). The following externally-developed evaluation processes or tips may be of use. Migrating from an existing system to an OSS approach requires addressing the same issues that any migration involves. Specifically, the federal government's IA controls, as documented in NIST SP 800-53 revision 5, include a control enhancement, CM-7(8). Clarifying Guidance Regarding Open Source Software (OSS), a list of licenses which have successfully gone through the approval process and comply with the Open Source Definition, publishes a list of licenses that meet the Free Software Definition, good licenses that Fedora has determined are open source software licenses, Federal Source Code Policy, OMB Memo 16-21, National Defense Authorization Act for FY2018, http://www.doncio.navy.mil/contentview.aspx?id=312, http://www.dtic.mil/dtic/tr/fulltext/u2/a450769.pdf, http://www.whitehouse.gov/omb/memoranda/fy04/m04-16.html, http://www.army.mil/usapa/epubs/pdf/r25_2.pdf, Defense Federal Acquisition Regulation Supplement (DFARS), 40 CFR, Section 252.227-7014 Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation, European Interoperability Framework (EIF), Bruce Perens' Open Standards: Principles and Practice, U.S. Court of Appeals for the Federal Circuit's 2008 ruling on Jacobsen v. Katzer, The Free-Libre / Open Source Software (FLOSS) License Slide, GPL linking exception term (such as the Classpath exception), Maintaining Permissive-Licensed Files in a GPL-Licensed Project: Guidelines for Developers (Software Freedom Law Center), Creative Commons does not recommend that you use one of their licenses for software, GPL FAQ, "Can I use the GPL for something other than software?", GPL FAQ, "Who has the power to enforce the GPL?", 2003 MITRE study, Use of Free and Open Source Software (FOSS) in the U.S. Department of Defense, Secure Programming for Linux and Unix HOWTO, in 2003 the Linux kernel development process resisted an attack, "Software comes from the place where it's converted into object code, says CBP" (FierceGovernmentIT), Gartner Group's Mark Driver stated in November 2010, Estimating the Total Development Cost of a Linux Distribution, Open Source Software for Imagery & Mapping (OSSIM), Open Source Alternatives (Ben Balter et al.). The Red Book section 6.C.3.b explains this prohibition in more detail. See the licenses listed in the FAQ question "What are the major types of open source software licenses?". Include upgrade/maintenance costs, including indirect costs (such as hardware replacement if necessary to run updated software), in the TCO. Under the DFARS or the FAR, the government can release software as open source software once it receives unlimited rights to that software. No. The products listed below are evaluated against a NIAP-approved Protection Profile, which encompasses the security requirements and test activities suitable across the technology with no EAL assigned; hence the conformance claim is "PP". Similarly, SourceForge/Apache (in 2001) and Debian (in 2003) countered external attacks. Fundamentally, a standard is a specification, so an open standard is a specification that is open.
Thus, as long as the software has at least one non-governmental use, software released (or offered for release) to the public is a commercial product for procurement purposes, even if it was originally developed using public funds. Common licenses for each type are: Permissive: MIT, BSD-new, Apache 2.0; Weakly protective: LGPL (version 2 or 3); Strongly protective: GPL (version 2 or 3). When taking this approach, contractors hired to modify the software must not retain copyright or other rights to the result (else the software would be conveyed outside the U.S. government); see GPL version 3 section 2, paragraph 2, which states this explicitly. Use typical OSS infrastructure, tools, etc. Licenses that meet all the criteria above include the MIT license, revised BSD license, the Apache 2.0 license (though Apache 2.0 is only compatible with GPL version 3, not GPL version 2), the GNU Lesser General Public License (LGPL) versions 2.1 or 3, and the GNU General Public License (GPL) versions 2 or 3. These include: If you are looking for smaller pieces of code to reuse, search engines specifically for code may be helpful. Examine whether it is truly community-developed, or whether there are only a very few developers. It is far better to fix vulnerabilities before deployment; are such efforts occurring? Make sure it's really OSS. Do you have the necessary other intellectual rights (e.g., patents)? The Defense Information Systems Agency maintains the DOD Information Network (DODIN) Approved Products List (APL) process, as outlined in DOD Instruction 8100.04, on behalf of the Department of Defense. Q: What are synonyms for open source software? No. More recent decisions, such as the 1982 decision B-204326 by the U.S. Comptroller General, continue to confirm this distinction between gratuitous and voluntary service.
What is more, the supplier may choose to abandon the product; source-code escrow can reduce these risks somewhat, but in these cases the software becomes GOTS with its attendant costs. According to the U.S. Patent and Trademark Office (PTO): For more about trademarks, see the U.S. Patent and Trademark Office (PTO) page "Trademark basics". For example, software that can only be used for government purposes is not OSS, since it cannot be used for any purpose. For example, users of proprietary software must typically pay for a license to use a copy or copies. Parties are innocent until proven guilty, so if there. For example, software that is released to the public as OSS is not considered commercial if it is a type of software that is only used for governmental purposes. Although the government cannot directly sue for copyright violation, in such cases it can still sue for breach of license and, presumably, get injunctive relief to stop the breach and money damages to recover royalties obtained by breaching the license (and perhaps other damages as well). Thus, as long as the software has at least one non-governmental use, software licensed (or offered for license) to the public is a commercial product for procurement purposes. In most cases, contributors to OSS projects intend for their contributions to be gratuitous, and provide them for all (not just for the Federal government), clearly distinguishing such OSS contributions from the voluntary services that the ADA was designed to prevent. Q: What license should the government or contractor choose/select when releasing open source software? Under the same reasoning, the CBP determined that building an object file from source code performed a substantial transformation into a new article. Terms that people have used include "source available software", "open-box software", "visible-source software", and "disclosed-source software".
No, complying with OSS licenses is much easier than complying with proprietary licenses if you only use the software in the same way that proprietary software is normally used. However, if the covered software/library is itself modified, then additional conditions are imposed.