Factors that reduce the risk of unintentional copyright infringement in an OSS project include: widespread availability and use of the software (which increases the likelihood that any infringement would be detected); configuration management systems that record the identity of individual contributors (which act as a deterrent); licenses or development policies that warn against the unlawful inclusion of material, or that require contributors to specifically assert that they are acting lawfully (which reduce the risk of unintentional infringement); and a lack of evidence of infringement (e.g., an Internet search for the project name plus "copyright infringement" turns up nothing). In practice, OSS projects tend to be remarkably clean of such issues.

Widely-used OSS programs include the Apache web server, the Firefox web browser, the Linux kernel, and many others, such as OpenSSL (an SSL/TLS and cryptographic library), GNAT (an Ada compiler suite; technically part of GCC), the Perl, Python, PHP, and Ruby scripting languages, and Samba (Windows and Unix/Linux interoperability).

Q: How do GOTS, proprietary COTS, and OSS COTS compare?

Be sure to consider total cost of ownership (TCO), not just initial download costs. Consider such costs over a period of time (typically the lifetime of the system, including its upgrades), and use the same period when evaluating alternatives; otherwise, one-time costs (such as the cost of transitioning from an existing proprietary system) can lead to erroneous conclusions.

To determine what rights the government has in a piece of software, ask: what contract applies, what are its terms, and what decisions have been made?

Trademark rights can exist without registration, but there are advantages to registering a trademark, especially for enforcement.

Classified information may not be released to the public without special authorization to do so.

Various organizations have been formed to reduce patent risks for OSS.

On the enforceability of OSS licenses, the U.S. Court of Appeals for the Federal Circuit's 2008 ruling in Jacobsen v. Katzer states: "The lack of money changing hands in open source licensing should not be presumed to mean that there is no economic consideration, however. There are substantial benefits, including economic benefits, to the creation and distribution of copyrighted works under public licenses that range far beyond traditional license royalties. ... The choice to exact consideration in the form of compliance with the open source requirements of disclosure and explanation of changes, rather than as a dollar-denominated fee, is entitled to no less legal recognition."

On the Antideficiency Act's voluntary services provision, section 6.C.3.a of the GAO Red Book notes that the provision is not new; it first appeared, in almost identical form, in 1884. Red Book section 6.C.3.b explains the prohibition in more detail.

In the DoD, the GIG Technical Guidance Federation is a useful resource for identifying recommended standards (which tend to be open standards). Perhaps more importantly, forcing there to be an implementation of a standard that others can examine in detail results in better specifications that are more likely to be used.

The 2003 MITRE study found that DoD security depends on OSS applications and strategies, and that a hypothetical ban on OSS would have immediate, broad, and in some cases strongly negative impacts on the ability of the DoD to analyze and protect its own networks against hostile intrusion.

Since it is typically not legal to modify proprietary software at all, or it is legal only in very limited ways, it is trivial to determine when the additional license terms that apply to modified OSS may come into play.

Q: Are non-commercial software, freeware, or shareware the same thing as open source software?
Open Technology Development (OTD) depends on open standards and interfaces, open source software and designs, collaborative and distributed online tools, and technological agility.

Where it is important, examining the security posture of the supplier (e.g., their processes that reduce risk) and scanning, testing, and evaluating the software may also be wise. When the software is already deployed, does the project develop and deploy fixes?

Most OSS projects have a trusted repository, that is, some (web) location where people can get the official version of the program, as well as related information (documentation, bug report system, mailing lists, etc.).

It is only when the OSS is modified that additional OSS terms come into play, depending on the OSS license. In many cases, weakly protective licenses are used for common libraries, while strongly protective licenses are used for applications.

In practice, publicly-released OSS nearly always meets the various government definitions for commercial computer software, and thus is nearly always considered commercial software.

The government normally gets unlimited rights in software when that software is created in the performance of a contract with government funds. In some other cases, the government lacks the rights to release the software to the public, e.g., the government may only have Government Purpose Rights (GPR). Under U.S. copyright law, users must have permission (i.e.

Before releasing software, determine: do you have permission to release it to the public (classification, distribution statements, export controls)? The release may also be limited by patent and trademark law.

Software in which no one holds a copyright cannot be released under typical open source software licenses, which are based on copyright, but there is an alternative with the same practical effect.
A series of five related legal cases loosely referred to as Versata v. Ameriprise (with related suits against Versata by XimpleWare) largely held that the GNU General Public License version 2 was enforceable. The cases are too complicated to summarize here, other than to say that the GPLv2 was clearly regarded as enforceable by the courts. Enforcing the GNU GPL by Eben Moglen is a brief essay that argues why the GNU General Public License (GPL), specifically, is enforceable.

There are many general OSS review projects, such as those by OpenBSD and the Debian Security Audit team.

The Customs and Border Protection (CBP) has said, in an advisory ruling, that the country of origin of software is the place where the software is converted into object code (Software comes from the place where it's converted into object code, says CBP, FierceGovernmentIT), for purposes of granting waivers of certain Buy American restrictions in U.S. law or practice for products offered for sale to the U.S. Government.

As noted in the OSJTF definition of open systems, be sure to test such systems with more than one web browser (e.g., Google Chrome, Microsoft Edge, and Firefox) to reduce the risk of vendor lock-in.

As more improvements are made, more people can use the product, creating more potential users and developers, like a snowball that gains mass as it rolls downhill.

When an OSS license is incorporated into a government contract, inconsistencies are resolved by the contract's order of precedence. The order-of-precedence paragraph of the FAR commercial items clause (52.212-4) provides: "Any inconsistencies in this solicitation or contract shall be resolved by giving precedence in the following order: (1) the schedule of supplies/services; (2) the Assignments, Disputes, Payments, Invoice, Other Compliances, and Compliance with Laws Unique to Government Contracts paragraphs of this clause; (3) the clause at 52.212-5; (4) addenda to this solicitation or contract, including any license agreements for computer software; ..."

The real challenge is one of education: some developers incorrectly believe that just because something is free to download, it can be merged or changed without restriction.

The DoD does not have a single required process for evaluating OSS.

Clarifying Guidance Regarding Open Source Software (OSS) states that "Software items, including code fixes and enhancements, developed for the Government should be released to the public (such as under an open source license) when all of the following conditions are met:"

The government or contractor must determine the answer to several questions; see Publicly Releasing Open Source Software Developed for the U.S. Government by Dr. David A. Wheeler (DoD Software Tech News, February 2011).

However, if GPL software must be mixed with other proprietary or classified software, the GPL terms must still be followed.

A situation in which the government holds unlimited rights to software that is also publicly available as OSS might occur, for example, if the government originally only had Government Purpose Rights (GPR) but later received unlimited rights and released the software as OSS.
An Open System is a system that employs modular design, uses widely supported and consensus-based standards for its key interfaces, and has been subjected to successful V&V tests to ensure the openness of its key interfaces (per the DoD Open Systems Joint Task Force).

If the project is likely to become large, or must perform filtering for public release, it may be better to establish its own website.

Even for many modifications (e.g., bug fixes), releasing the source causes no issues, because in many cases the DoD has no interest in keeping those changes confidential.

Vulnerability databases such as CVE make it clear that merely hiding source code does not counter attacks. Hiding source code does inhibit the ability of third parties to respond to vulnerabilities (because changing software is more difficult without the source code), but this is obviously not a security advantage. Indeed, many people have released proprietary code that is malicious.

U.S. law (10 USC 2377) requires a preference for commercial products for procurement of supplies or services.

If the standard DFARS contract clauses are used (see DFARS 252.227-7014), then unless other arrangements are made, the government has unlimited rights to a software component when (1) it pays entirely for the development of it (see DFARS 252.227-7014(b)(1)(i)), or (2) five years have passed since contract signature, if it partly paid for its development (see DFARS 252.227-7014(b)(2)). The FAR and DFARS specifically permit different agreements to be struck, within certain boundaries, and other agencies have other supplements.

A choice of venue clause is a clause that states where a dispute is to be resolved (e.g., which court).

Where government-authored code (which has no U.S. copyright) is merged with copyrighted OSS, the resulting joint work as a whole is protected by the copyrights of the non-government authors and may be released according to the terms of the original open-source license.

You can support OSS either through a commercial organization, or you can self-support OSS; in either case, you can use community support as an aid. OSS programs can typically be simply downloaded and tried out, making it much easier for people to try them and encouraging widespread use. OSS is typically developed through a collaborative process.

Q: Is it more difficult to comply with OSS licenses than proprietary licenses?

The Antideficiency Act (ADA) does not bar the government from accepting gratuitous contributions; instead, the ADA prohibits government employees from accepting services that are not intended or agreed to be gratuitous, but were instead rendered in the hope that Congress will subsequently recognize a moral obligation to pay for the benefits conferred.

Choose a license that is recognized as an Open Source Software license by the Open Source Initiative (OSI), as a Free Software license by the Free Software Foundation (FSF), and that is acceptable to widely-used Linux distributions (such as being a "good" license for Fedora). An alternative is to not include the OSS component in the deliverable, but simply depend on it, as long as that is acceptable to the government. Public domain is not a copyright license; it is the absence of a license.

Source: Frequently Asked Questions regarding Open Source Software (OSS) and the Department of Defense (DoD). Other documents that you may find useful include:
- Clarifying Guidance Regarding Open Source Software (OSS)
- the Open Source Initiative's list of licenses which have successfully gone through its approval process and comply with the Open Source Definition
- the Free Software Foundation's list of licenses that meet the Free Software Definition
- the "good" licenses that Fedora has determined are open source software licenses
- Federal Source Code Policy, OMB Memo 16-21
- National Defense Authorization Act for FY2018
- http://www.doncio.navy.mil/contentview.aspx?id=312
- http://www.dtic.mil/dtic/tr/fulltext/u2/a450769.pdf
- http://www.whitehouse.gov/omb/memoranda/fy04/m04-16.html
- http://www.army.mil/usapa/epubs/pdf/r25_2.pdf
- Defense Federal Acquisition Regulation Supplement (DFARS), 48 CFR, Section 252.227-7014, Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation
- European Interoperability Framework (EIF)
- Bruce Perens, Open Standards: Principles and Practice
- U.S. Court of Appeals for the Federal Circuit's 2008 ruling on Jacobsen v. Katzer
- The Free-Libre / Open Source Software (FLOSS) License Slide
- GPL linking exception terms (such as the Classpath exception)
- Maintaining Permissive-Licensed Files in a GPL-Licensed Project: Guidelines for Developers (Software Freedom Law Center)
- Creative Commons' statement that it does not recommend using one of its licenses for software
- GPL FAQ: Can I use the GPL for something other than software?
- GPL FAQ: Who has the power to enforce the GPL?
- 2003 MITRE study, Use of Free and Open Source Software (FOSS) in the U.S. Department of Defense
- Secure Programming for Linux and Unix HOWTO
- the 2003 incident in which the Linux kernel development process resisted an attack
- Software comes from the place where it's converted into object code, says CBP (FierceGovernmentIT)
- Gartner Group's Mark Driver, statement of November 2010
- Estimating the Total Development Cost of a Linux Distribution
- Open Source Software for Imagery & Mapping (OSSIM)
- Open Source Alternatives (Ben Balter et al.)
One argument that GPL software can be combined with classified software is that the classification rules are simply laws of the land (and not additional license rules), that those rules already forbid release of the resulting binaries to anyone without the proper clearances, and that the GPL only requires that source code be released to those who received a binary.

DFARS software-rights legends require: "Any reproduction of this computer software, or portions thereof, marked with this legend must also reproduce these markings."

Support from in-house staff, augmented by the OSS community, may be (and often is) sufficient.

If some portion of the software is protected by copyright, then the combined software work can be released under a copyright license.

Where the government has unlimited rights to a version of software that is also publicly available as OSS, the U.S. government might choose to continue to use the version to which it has unlimited rights, or it might use the publicly-available commercial version through that version's commercial license (the GPL in this case).

Government lawyers and Contracting Officers are trained to try to negotiate licenses which resolve these ambiguities without having to rely on the less-satisfying Order of Precedence, but generally accede when the licenses in question are non-negotiable, as OSS licenses often are.

Q: Is OSS commercial software?

The use of software with a proprietary license provides absolutely no guarantee that the software is free of malicious code.

On patents, see DFARS subpart 227.70 (infringement claims, licenses, and assignments) and 28 USC 1498. Prior art invalidates patents, and there are other ways to reduce the risk of software patent infringement (in the U.S.) as well.
Both entirely new programs and improvements of existing OSS have been developed using U.S. government funds.

Proprietary software release practices make it more difficult to be confident that the software does not include malicious code.

This page is an educational resource for government employees and government contractors to understand the policies and legal issues relating to the use of open source software (OSS) in the United States Department of Defense (DoD).

Even if an OTD project is not OSS itself, an OTD project will typically use, improve, or create OSS components.

10 USC 2377 directs the head of each agency to: "acquire commercial services, commercial products, or nondevelopmental items other than commercial products to meet the needs of the agency; require prime contractors and subcontractors at all levels under the agency contracts to incorporate commercial services, commercial products, or nondevelopmental items other than commercial products as components of items supplied to the agency; modify requirements in appropriate cases to ensure that the requirements can be met by commercial services or commercial products or, to the extent that commercial products suitable to meet the agency's needs are not available, nondevelopmental items other than commercial products in response to agency solicitations; state specifications in terms that enable and encourage bidders and offerors to supply commercial services or commercial products or, to the extent that commercial products suitable to meet the agency's needs are not available, nondevelopmental items other than commercial products in response to the agency solicitations; revise the agency's procurement policies, practices, and procedures not required by law to reduce any impediments in those policies, practices, and procedures to the acquisition of commercial products and commercial services; and, require training of appropriate personnel in the acquisition of commercial products and commercial services."

Often there is a single integrating organization, while other organizations inside the government submit proposed changes to the integrator.

By definition, open source software provides more rights to users than proprietary software (at least in terms of use, modification, and distribution).

Community OSS support is never enough by itself to provide this support, because the OSS community cannot patch your servers or workstations for you. In addition, important open source software is typically supported by one or more commercial firms.

First, get approval to publicly release the software.

For DoD contractors, if the standard DFARS contract clauses are used (in particular DFARS 252.227-7014), then the contractor who developed the software retains the copyright to the software and has the right to release it to others, even if the software was developed exclusively with government funds.

Open systems require standards that are widely-supported and consensus-based; standards that meet these (and possibly some additional) conditions may be termed open standards.

The 2003 MITRE study, Use of Free and Open Source Software (FOSS) in the U.S. Department of Defense, did suggest developing a Generally Recognized As Safe (GRAS) list, but such a list has not been developed. The DoD does not have an official recommendation for any particular OSS product or set of products, nor a Generally Recognized as Safe/Mature list.

The U.S. government can often directly combine GPL and proprietary, classified, or export-controlled software into a single program arbitrarily, as long as the result is never conveyed outside the U.S. government.

A very small percentage of users determine that they can make a change valuable to them, and contribute it back (to avoid maintenance costs).

A permissive license permits arbitrary use of the program, including making proprietary versions of it.

If the software is a modification of an existing project, or a plug-in to it, release it under the project's original license (and possibly other licenses).
There are also military-specific OSS programs that were created by or are used in the military.

One approach to finding OSS is to use a general-purpose search engine (such as Google) and type in your key functional requirements. Note that many of the largest commercially-supported OSS projects have their own sites.

That OSS by definition permits modification is particularly important where future modifications by the U.S. government may be necessary.

A GPLed engine program can be controlled by classified data that it reads without issue.

There are two versions of the GPL in widespread use: version 2 and version 3. They are in principle incompatible with each other, but in practice most released OSS states that it is "GPL version 2 or later" or "GPL version 3 or later"; in these cases, version 3 is a license common to both, and thus such software is compatible.

Choosing a non-OSS approach also risks reduced flexibility (including against cyberattack), since OSS permits arbitrary later modification by users in ways that some other license approaches do not.

U.S. law governing federal procurement (41 U.S.C. 103) defines "commercial product" as including a product, other than real property, that "(A) is of a type customarily used by the general public or by nongovernmental entities for purposes other than governmental purposes; and (B) has been sold, leased, or licensed, or offered for sale, lease, or license, to the general public."

Works of U.S. government employees generally have no U.S. copyright; there are rare exceptions for NIST and U.S. Postal Service employees, where a U.S. copyright can be obtained (see CENDI's Frequently Asked Questions About Copyright).

A primary reason that inserting malicious code into OSS without detection is low-probability is the publicity of the OSS source code itself (which almost invariably includes information about who made specific changes).

In the Intelligence Community (IC), the term "open source" typically refers to overt, publicly available sources (as opposed to covert or classified sources), not to software.

Proprietary COTS tend to be lower cost than GOTS, since the cost of development and maintenance is typically shared among a larger number of users (who typically pay to receive licenses to use the product). That said, other factors may be more important for a given circumstance. In practice, commercial software (OSS or not) tends to be developed globally, especially when you consider developers and supply chains.

Common OSS licenses include the MIT license, the revised BSD license (and its 2-clause variant), the Apache 2.0 license, the GNU Lesser General Public License (LGPL) versions 2.1 or 3, and the GNU General Public License (GPL) versions 2 or 3.

If the contract assigns the copyright to the government, then the contractor cannot release the software as OSS without permission, because the contractor doesn't own the copyright.

As noted above, OSS projects have a trusted repository that only certain developers (the trusted developers) can directly modify.

In 2015, a series of decisions regarding the GNU General Public License were issued by the United States District Courts for the Western District of Texas and the Northern District of California.

Example: GPL and (unrelated) proprietary applications can be running at the same time on a desktop PC.

The Antideficiency Act's voluntary services provision, enacted as Pub. L. 97-258, 96 Stat. 923, is codified at 31 U.S.C. 1342, Limitation on voluntary services.

The 2003 MITRE study, Use of Free and Open Source Software (FOSS) in the U.S. Department of Defense, for analysis purposes posed the hypothetical question of what would happen if OSS were banned in the DoD, and found that OSS plays a far more critical role in the DoD than has been generally recognized, especially in infrastructure support, software development, security, and research.
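The trusted-repository point above (and the earlier advice to scan, test and evaluate OSS before adopting it) is where a practitioner's first concrete check usually lives: confirm that the artifact actually downloaded is byte-for-byte the official version the project published, before anything else is done with it. The following is an added example written for this page; it is not code from the FAQ or from any DoD or OSS project. It assumes, as many OSS projects do, that the project publishes a SHA256SUMS-style manifest from its trusted repository, in either the GNU coreutils form (`<hex>  <file>`) or the BSD form (`SHA256 (<file>) = <hex>`). The tarball bytes and manifest below are constructed for the example; the digests are computed inline so it runs offline.

```python
"""Verify a downloaded OSS release artifact against a published checksum manifest.

Added example (not code from the DoD OSS FAQ or any project). Assumes the project
publishes a SHA256SUMS-style manifest alongside its release files.
"""
import hashlib
import hmac
import re

# GNU coreutils style: "<hex>  <filename>" (two spaces, or " *" for binary mode)
_GNU_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")
# BSD style: "SHA256 (<filename>) = <hex>"
_BSD_LINE = re.compile(r"^SHA256 \((.+)\) = ([0-9a-fA-F]{64})$")


def parse_manifest(text):
    """Return {filename: sha256_hex} from a manifest in GNU or BSD format.

    Unrecognised lines raise rather than being skipped: a manifest that does
    not parse cleanly should not be trusted to vouch for anything.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _GNU_LINE.match(line)
        if m:
            entries[m.group(2)] = m.group(1).lower()
            continue
        m = _BSD_LINE.match(line)
        if m:
            entries[m.group(1)] = m.group(2).lower()
            continue
        raise ValueError(f"unrecognised manifest line: {raw!r}")
    return entries


def sha256_of(data, chunk=1 << 20):
    """Hash bytes (or a binary file-like object) in chunks so large tarballs fit in memory."""
    h = hashlib.sha256()
    if isinstance(data, (bytes, bytearray)):
        h.update(data)
    else:
        for block in iter(lambda: data.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_artifact(name, data, manifest_text):
    """Return (ok, reason). ok is True only if name is listed and its digest matches."""
    entries = parse_manifest(manifest_text)
    expected = entries.get(name)
    if expected is None:
        return False, f"{name} is not listed in the manifest"
    actual = sha256_of(data)
    # compare_digest is not strictly needed for a public digest, but it is a
    # cheap habit that avoids timing side channels when the same helper is
    # later reused for secrets (e.g. HMAC tags).
    if not hmac.compare_digest(actual, expected):
        return False, f"digest mismatch for {name}: expected {expected}, got {actual}"
    return True, "ok"


# Constructed sample data (not a real release): a "good" tarball, a tampered copy,
# and a manifest written in both styles. In practice the manifest (and, ideally,
# a detached signature over it) comes from the project's trusted repository.
GOOD_TARBALL = b"pretend this is widget-1.2.3.tar.gz\n"
TAMPERED_TARBALL = GOOD_TARBALL + b"# injected\n"
SAMPLE_MANIFEST = (
    f"{hashlib.sha256(GOOD_TARBALL).hexdigest()}  widget-1.2.3.tar.gz\n"
    f"SHA256 (widget-1.2.3.tar.gz.asc) = {'0' * 64}\n"
)

if __name__ == "__main__":
    for label, blob in (("good", GOOD_TARBALL), ("tampered", TAMPERED_TARBALL)):
        ok, reason = verify_artifact("widget-1.2.3.tar.gz", blob, SAMPLE_MANIFEST)
        print(f"{label}: {'PASS' if ok else 'FAIL'} ({reason})")
    print(verify_artifact("other.tar.gz", GOOD_TARBALL, SAMPLE_MANIFEST))
```

A matching digest only proves the download is what the manifest says it is. If the manifest was fetched over the same channel as the tarball, an attacker who can alter one can alter both, so the manifest itself should be checked against a signature made with the project's published release key (obtained from the trusted repository or another out-of-band source) before its digests are relied upon.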
Q: Isn't using open source software (OSS) forbidden by DoD Information Assurance (IA) Policy?

No. The relevant control enhancement is based on the need for some way to update software to fix problems after they are discovered. DoD policy does not require you to have commercial support for OSS, but you must have some plan for support.

That OSS is treated as commercial software does not mean it must be selected; what it does mean, however, is that the DoD will not reject consideration of a COTS product merely because it is OSS.

("Free" in "Free software" refers to freedom, not price.)

Q: Can the government release software under an open source license if it was developed by contractors under government contract?

A certification mark is any word, phrase, symbol, or design, or a combination thereof, owned by one party who certifies the goods and services of others when they meet certain standards.

Q: Doesn't hiding source code automatically make software more secure?