Open standards also make it easier for OSS developers to create their projects, because the standard itself helps developers know what to do. Creating any interface is an effort, and having a pre-defined standard helps reduce that effort greatly. Q: Isn't OSS developed primarily by inexperienced students? If some portion of the software is protected by copyright, then the combined software work can be released under a copyright license. The Department of Defense Information Network (DoDIN) Approved Products List (APL) is the single consolidated list of products that affect communication and collaboration across the DoDIN. Look at the Numbers! Community OSS support is never enough by itself to provide this support, because the OSS community cannot patch your servers or workstations for you. The purpose of the Department of Defense Information Network Approved Products List (DODIN APL) is to maintain a single consolidated list of products that have completed Interoperability (IO) and Cybersecurity certification. Q: How can I get support for OSS that already exists? SUBJECT: Software Applications Approval Process. Requiring the use of very unusual development tools may impede development, unless those tools provide a noticeable advantage. Software/hardware for which the implementation, proofs of its properties, and all required tools are released under an OSS license are termed open proofs (see the open proofs website for more information). It may be found at, US Army Regulation 25-2, paragraph 4-6.h, provides guidance on software security controls that specifically addresses open source software. It can sometimes be a challenge to find a good name. Contracts under the federal government FAR, but not the DFARS, often use clause FAR 52.227-14 (Rights in Data - General).
In addition, a third party who breaches a software license (including for OSS) granted by the government risks losing rights they would normally have due to the doctrine of unclean hands. 7101-7109). Furthermore, 52.212-4(s) says: (s) Order of precedence. Air Force ROTC is offered at over 1,100 colleges and universities in the continental United States, Puerto Rico and Hawaii. The Air Force will conduct its next "BRAVO" hackathon in March, and any U.S. citizen may apply. These definitions in U.S. law govern U.S. acquisition regulations, namely the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS). (Note that such software would often be classified.) Q: Am I required to have commercial support for OSS? (2) Medications not on this list, singly or in combination, require review by AFMSA/SG3/5PF (rated officers) and MAJCOM/SG (non-rated personnel). DoD Directive 5000.1 states that open systems shall be employed, where feasible, and the European Commission identifies open standards as a major policy thrust. Under the default DFARS and FAR rules and processes, the contractor often keeps and exercises the rights of a copyright holder, which enables them to release that software as open source software (as long as other laws and regulations are met). Q: What are the risks of the government releasing software as OSS? The DoD does not have a single required process for evaluating OSS. OSS and Security/Software Assurance/System Assurance/Supply Chain Risk Management. These lists apply to all NSA/CSS elements, contractors, and personnel, and pertain to all IS storage devices that they use. However, there are advantages to registering a trademark, especially for enforcement. Examples include: If you know of others who have similar needs, ask them for leads.
Q: Can contractors develop software for the government and then release it under an open source license? The Buy American Act does not apply to information technology that is a commercial item, so there is usually no problem for OSS. Use typical OSS infrastructure, tools, etc. In short, OSS more accurately reflects the economics of software development; some speculate that this is one reason why OSS has become so common. This control enhancement is based on the need for some way to update software to fix problems after they are discovered. Reasons for taking this approach vary. There are far too many examples to list; a few examples are: The key risk is the revelation of information that should not be released to the public. However, if the goal is to encourage longevity and cost savings through a commonly-maintained library or application, protective licenses may have some advantages, because they encourage developers to contribute their improvements back into a single common project. Choose a license that has passed legal reviews and is clearly accepted as an OSS license. It would also remove the uniquely (OSS) ability to change infrastructure source code rapidly in response to new modes of cyberattack. To provide Cybersecurity tools to . Licenses that meet all the criteria above include the MIT license, revised BSD license, the Apache 2.0 license (though Apache 2.0 is only compatible with GPL version 3, not GPL version 2), the GNU Lesser General Public License (LGPL) versions 2.1 or 3, and the GNU General Public License (GPL) versions 2 or 3. If you know of an existing proprietary product that meets your needs, searching for its name plus "open source" may help. OSS-like development approaches within the government. Include upgrade/maintenance costs, including indirect costs (such as hardware replacement if necessary to run updated software), in the TCO. (4) Waivers for non-FDA approved medications will not be considered.
AFCENT/A1RR will publish approved local supplements to the Air Force Reporting Q: Can the DoD use GPL-licensed software? Q: What are indicators that a specific OSS program will have fewer unintentional vulnerabilities? It's like it dropped off the face of the earth. The United States Air Force operates a service called "Iron Bank", which is the DoD Enterprise repository of hardened software containers, many of which are based on open source products. The WHO was established on 7 April 1948. However, support from in-house staff, augmented by the OSS community, may be (and often is) sufficient. Some OSS is very secure, while other OSS is not; some proprietary software is very secure, while other proprietary software is not. If you have concerns about using in-house staff, augmented by the OSS community, for those components, then select and pay a commercial organization to provide the necessary support. The example of Borland's InterBase/Firebird is instructive. Since OSS licenses are quite generous, the only license-violating action a developer is likely to try is to release the software under a more stringent license, and that will have little effect if it cannot be enforced in court. The Red Book section 6.C.3.b explains this prohibition in more detail. This also means that these particular licenses are compatible. However, sometimes OGOTS/GOSS software is later released as OSS. Q: Can the government or contractor use trademarks, service marks, and/or certification marks with OSS projects? Even if source code is necessary (e.g., for source code analyzers), adequate source code can often be regenerated by disassemblers and decompilers sufficiently to search for vulnerabilities. While this argument may be valid, we know of no court decision or legal opinion confirming this. Permissive: These licenses permit the software to become proprietary (i.e., not OSS). At the subsequent meeting of the Inter-Allied Council .
Thus, Open Source Intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. is a survey paper that provides quantitative data that, in many cases, using open source software / free software (abbreviated as OSS/FS, FLOSS, or FOSS) is a reasonable or even superior approach to using their proprietary competition according to various measures. (Its) goal is to show that you should consider using OSS/FS when acquiring software. Before award, a contractor may identify the components that will have more restrictive rights (e.g., so the government can prefer proposals that give the government more rights), and under limited conditions the list can be modified later (e.g., for error correction). The FAR and DFARS do not currently mandate any specific marking for software where the government has unlimited rights. The term open source software is sometimes hyphenated as open-source software. However, if the covered software/library is itself modified, then additional conditions are imposed. It can be argued that classified software can be arbitrarily combined with GPL code, beyond the approaches described above. You must release it without any copyright protection (e.g., as not subject to copyright protection in the United States) if you release it at all and if it was developed wholly by US government employee(s) as part of their official duties. Q: How can I find open source software that meets my specific needs? Although the government cannot directly sue for copyright violation, in such cases it can still sue for breach of license and, presumably, get injunctive relief to stop the breach and money damages to recover royalties obtained by breaching the license (and perhaps other damages as well). Tech must enable mission success.
DoD ESI is pleased to announce the Cybersecurity Multi-Award Blanket Purchase Agreements (BPAs) for Appgate, CyberArk, Exabeam, Fidelis Security, Firemon, Forcepoint, Fortinet, Illumio, LogRhythm, Okta, Ping Identity, Racktop Systems, RedSeal, Sailpoint, Tychon and Varonis Systems. Use of the DODIN APL allows DOD Components to purchase and operate systems over all DOD network infrastructures. The more potential users, the more potential developers. In the commercial world, the copyright holders are typically the individuals and organizations that originally developed the software. Q: Under what conditions can GPL-licensed software be mixed with proprietary/classified software? FRCS projects will be required to meet RMF requirements and if required, obtain an Authorization To Operate (ATO . This memorandum only applies to Navy and Marine Corps commands, but may be a useful reference for others. Similarly, SourceForge/Apache (in 2001) and Debian (in 2003) countered external attacks. This does not mean that existing OSS elements should always be chosen, but it means that they must be considered. As far as I have heard, unless you are a programmer then you aren't getting any actual development software. With the Acrobat Reader, you can view, navigate, print and present any Portable Document Format (PDF) file. Thus, open systems require standards that are widely-supported and consensus-based; standards that meet these (and possibly some additional conditions) may be termed open standards. 2019 Approved Software Developers of Paper 2D Forms (PDF 47.33 KB) Final as of April 2, 2020. The DoD already uses a wide variety of software licensed under the GPL. Often there is a single integrating organization, while other organizations inside the government submit proposed changes to the integrator. Patents expire after 20 years, so any idea (invention) implemented in software publicly available for more than 20 years should not, in theory, be patentable.
Requiring that all developers be cleared first can reduce certain risks (at substantial costs), where necessary, but even then there is no guarantee. This is in addition to the advantages from OSS because it can be reviewed, modified, and redistributed with few restrictions (inherent in the definition of OSS). One way to deal with potential export control issues is to make this request in the same way as approving public release of other data/documentation. No, OSS is developed by a wide variety of software developers, and the average developer is quite experienced. Many OSS licenses do not have a choice of venue clause, and thus cannot have an issue, although some do. In some cases, the sources of information for OSS differ. African nations hold Women, Peace and Security Panel at AACS 2023. In addition, widely-used licenses and OSS projects often include additional mechanisms to counter this risk. Thus, as long as the software has at least one non-governmental use, software released (or offered for release) to the public is a commercial product for procurement purposes, even if it was originally developed using public funds. According to the U.S. Patent and Trademark Office (PTO): For more about trademarks, see the U.S. Patent and Trademark Office (PTO) page Trademark basics. Air Force football finishes signing class with 28 three-star recruits, most in Mountain West. Relevant government authorities make it clear that the Antideficiency Act (ADA) does not generally prohibit the use of OSS due to limitations on voluntary services. The 1997 InfoWorld Best Technical Support award was won by the Linux User Community. Such source code may not be adequate to cost-effectively. https://www.disa.mil/network-services/ucco, The DoD Cyber Exchange is sponsored by Part of the ADA, Pub.L. Most of the Air Force runs on Excel VBA because of this. This General Service Administration (GSA .
If it is an improvement to an existing project, release it to the main OSS project, in whatever format they prefer for changes. Q: Is the GPL compatible with Government Unlimited Rights contracts, or does the requirement to display the license, etc., violate Government Unlimited Rights contracts? an Air Force community college and on 9 November 1971, General John D. Ryan, Air Force Chief of Staff, approved the establishment of the Community College of the Air Force. See also DFARS subpart 227.70 (infringement claims, licenses, and assignments) and 28 USC 1498. What programs are already in widespread use? Even when the original source is necessary for in-depth analysis, making source code available to the public significantly aids defenders and not just attackers. If the supplier attains a monopoly or it is difficult to switch from the supplier, the costs may skyrocket. What it does mean, however, is that the DoD will not reject consideration of a COTS product merely because it is OSS. The DoD is, of course, not the only user of OSS. SUBJECT: Software Products Approval Process. The Air Force's program comes with a slight caveat: it's actually called Bring Your Own Approved Device (BYOAD); airmen won't be able to . GOTS software should not be released when it implements a strategic innovation, i.e. When the program was released as OSS, within 5 months this vulnerability was found and fixed. OSS COTS is especially appropriate when there is an existing OSS COTS product that meets the need, or one can be developed and supported by a wide range of users/co-developers. Department of the Air Force updates policies, procedures to recruit for the future. The following questions discuss some specific cases. The first specific step towards the establishment of the United Nations was the Inter-Allied conference that led to the Declaration of St James's Palace on 12 June 1941.
The key issue with both versions of the GPL is that, unlike most other OSS licenses, the GPL licenses require that a recipient of a binary (executable) must be able to demand and receive the source code of that program, and the recipient must also be able to propagate the work under that license. 2 Commanders Among 6 Fired from Jobs at Minot Air Force Base Col. Gregory Mayer, the commander of the 5th Mission Support Group, and Maj. Jonathan Welch, the commander of the 5th. Any inconsistencies in this solicitation or contract shall be resolved by giving precedence in the following order: (1) the schedule of supplies/services; (2) the Assignments, Disputes, Payments, Invoice, Other Compliances, and Compliance with Laws Unique to Government Contracts paragraphs of this clause; (3) the clause at 52.212-5; (4) addenda to this solicitation or contract, including any license agreements for computer software; . FROM: Air Force Authorizing Official. Terms that people have used include source available software, open-box software, visible-source software, and disclosed-source software. DoDIN APL is managed by the APCO | disa.meade.ie.list.approved-products-certification-office@mail.mil. Each government program must determine its needs, and then evaluate its options for meeting those needs. This has a reduced likelihood if the program is niche or rarely-used, has few developers, uses a rare computer language, or is not really OSS. The real challenge is one of education - some developers incorrectly believe that just because something is free to download, it can be merged or changed without restriction. In Wallace vs. FSF, Judge Daniel Tinder stated that the GPL encourages, rather than discourages, free competition and the distribution of computer operating systems and found no anti-trust issues with the GPL. It may be illegal to modify proprietary software, but that will normally not slow an attacker.
Q: What are Open Government Off-the-Shelf (OGOTS) or Government OSS (GOSS)? Thus, the government may receive custom-developed, non-commercial software as a deliverable and receive unlimited rights for that new code, but also acquire only commercial rights to the third-party (possibly OSS) components. Prior art invalidates patents. Q: Can OSS licenses and approaches be used for material other than software? Recent rulings have strengthened the requirement for non-obviousness, which probably renders unenforceable some already-granted software patents, but at this time it is difficult to determine which ones are affected. The U.S. has granted a large number of software patents, making it difficult and costly to examine all of them. Q: What license should the government or contractor choose/select when releasing open source software? A permissive license permits arbitrary use of the program, including making proprietary versions of it. The DoD has chosen to use the term open source software (OSS) in its official policy documents. The lack of money changing hands in open source licensing should not be presumed to mean that there is no economic consideration, however. Only some developers are allowed to modify the trusted repository directly: the trusted developers. DFARS 252.227-7014 specifically defines commercial computer software in a way that includes nearly all OSS, and defines noncommercial computer software as software that does not qualify as commercial computer software. OSS projects typically seek financial gain in the form of improvements. 616th OC Airmen empower each other. Factors that greatly reduce this risk include: Typically not, though the risk varies depending on their contract and specific circumstance. The Free Software Foundation (FSF) interprets linking a GPL program with another program as creating a derivative work, and thus imposing this license term in such cases.
In nearly all cases, pre-existing OSS is a commercial product, and thus its use is governed by the rules for including any commercial product in the deliverable. DEPARTMENT OF THE AIR FORCE HEADQUARTERS AIR FORCE SPACE COMMAND GUARDIANS OF THE HIGH FRONTIER. OSS licenses can be grouped into three main categories: permissive, strongly protective, and weakly protective. As a result, it is difficult to develop software and be confident that it does not violate enforceable patents. MEMORANDUM FOR ALL MAJCOMs/FOAs/DRUs. Users can send bug reports to the distributor or trusted repository, just as they could for a proprietary program. Q: Does the DoD use OSS for security functions? The MITRE study did identify some of the many OSS programs that the DoD is already using, and may prove helpful. 37 African nations, US kick off AACS 2023 in Senegal. An Open System is a system that employs modular design, uses widely supported and consensus based standards for its key interfaces, and has been subjected to successful V&V tests to ensure the openness of its key interfaces (per the DoD Open Systems Joint Task Force). Public domain software (in this copyright-related sense) can be used by anyone for any purpose, and cannot by itself be released under a copyright license (including typical open source software licenses). Some protocols and formats have been specifically devised and reviewed to avoid patents; using them is more likely to avoid problems. OGOTS/GOSS software is often not OSS; software is only OSS if it meets the definition of OSS. The Defense Information Systems Agency maintains the DOD Information Network (DODIN) Approved Products List (APL) process, as outlined in DOD Instruction 8100.04 on behalf of the Department of Defense. This has never been true, and explaining this takes little time. This can create an avalanche-like virtuous cycle.
This way, the software can be incorporated in the existing project, saving time and money in support. This formal training is supplemented by extensive on-the-job training and accumulated hands-on experience gained throughout the Service member's career. As noted in FAR 27.201-1, Pursuant to 28 U.S.C. Indeed, many people have released proprietary code that is malicious. Note that many of the largest commercially-supported OSS projects have their own sites. Knowledge is more important than the licensing scheme. The usual federal non-DoD clause (FAR 52.227-14) also permits this by default as long as the government has not granted the contractor the right to assert copyright. As with all commercial items, organizations must obey the terms of the commercial license, negotiate a different license if necessary, or not use the commercial item. Thus, if there is an existing contract, you must check the contract to determine the specific situation; the text above merely describes common cases. (The MIT license is similar to public domain release, but with some legal protection from lawsuits.) Typically enforcement actions are based on copyright violations, and only copyright holders can raise a copyright claim in U.S. court. If the contract includes the typical FAR 52.227-14 (Rights in data - general) clause, without any special alternatives or additions, then the contractor must make a written request for permission to assert copyright in works containing data first produced under the contract. Thus, public domain software provides recipients all of the rights that open source software must provide. OSS is typically developed through a collaborative process. Observing the output from inputs is often sufficient for attack. Review really does happen. The GTG-F is a collection of web-based applications supporting the continuing evolution of the Department of Defense (DoD) Information Technology Standards.
Wikipedia's Comparison of OSS hosting facilities page may be helpful in identifying existing hosting facilities, as well as some of their pros and cons. Any software not listed on the Approved Software List is prohibited. The 2003 MITRE study, Use of Free and Open Source Software (FOSS) in the U.S. Department of Defense, did suggest developing a Generally Recognized As Safe (GRAS) list, but such a list has not been developed. Many prefer unified diff patches, generated by diff -u or similar commands. An Open Source Community can update the codebase, but they cannot patch your servers. Once the government has unlimited rights, it may release that software to the public under any terms it wishes - including by using the GPL. Adobe Acrobat Reader software is copyrighted software which gives users instant access to documents in their original form, independent of computer platform. Similarly, in Wallace v. IBM, Red Hat, and Novell, the U.S. Court of Appeals for the Seventh Circuit found in November 2006 that the GNU General Public License (GPL) and open-source software have nothing to fear from the antitrust laws. It is usually far better to stick to licenses that have already gone through legal review and are widely used in the commercial world. This statute says that, An officer or employee of the United States Government or of the District of Columbia government may not accept voluntary services for either government or employ personal services exceeding that authorized by law except for emergencies involving the safety of human life or the protection of property. The US Government Accountability Office (GAO) Office of the General Counsel's Principles of Federal Appropriations Law (aka the Red Book) explains federal appropriation law. The Authorized Equipment List (AEL) is a list of approved equipment types allowed under FEMA's preparedness grant programs.
You will need a Common Access Card (CAC) with DoD Certificates to access DoD Cyber Exchange NIPR. In some cases, export-controlled software may be licensed for export under the condition that the source code not be released; this would prevent release of software that had mixed GPL and export-controlled software. Many development tools covered by the GPL include libraries and runtimes that are not covered by the GPL itself but by the GPL with a runtime exception (e.g., the CLASSPATH exception) that specifically permits development of proprietary software. More recent decisions, such as the 1982 decision B-204326 by the U.S. Comptroller General, continue to confirm this distinction between gratuitous and voluntary service. Q: Why is it important to understand that open source software is commercial software? Cisco Firepower Threat Defense (FTD) 6.4 with FMC and AnyConnect. For commercial software, such needed fixes could be provided by a software vendor as part of a warranty, or in the case of OSS, by the government (or its contractors). As noted above, in nearly all cases, open source software is considered commercial software by U.S. law, the FAR, and the DFARS. As noted in the Secure Programming for Linux and Unix HOWTO, three conditions reduce the risks from unintentional vulnerabilities in OSS: The use of any commercially-available software, be it proprietary or OSS, creates the risk of executing malicious code embedded in the software. In many cases, weakly protective licenses are used for common libraries, while strongly protective licenses are used for applications. Thus, avoid releasing software under only the original (4-clause) BSD license (which has been replaced by the new or revised 3-clause license), the Academic Free License (AFL), the now-abandoned Common Public License 1.0 (CPL), the Open Software License (OSL), or the Mozilla Public License version 1.1 (MPL 1.1).