Section 6.C.3.a notes that the voluntary services provision is not new; it first appeared, in almost identical form, back in 1884. When examining a specific OSS project, look for evidence that review (both by humans and tools) does take place. This shows that proprietary software can include functionality that could be described as malicious, yet remain unfixed, and that at least in some cases OSS is reviewed and fixed. Q: In what form should I release open source software? Some protocols and formats have been specifically devised and reviewed to avoid patents; using them is more likely to avoid problems. AEW and AEG/CCs may publish supplements to AFI 1-1, Air Force Standards, to address issues of community standards. At project start, the project creators (who create the initial trusted repository) are the trusted developers, and they determine who else may become a trusted developer of this initial trusted repository. Even if OSS has no cost to download, there is still a cost for OSS due to installation, support, and so on (whether done in-house or through external organizations). Strongly Protective (aka strong copyleft): These licenses prevent the software from becoming proprietary, and instead enforce a share and share alike approach. Yes, both the government and contractors may obtain and use trademarks, service marks, and/or certification marks for software, including OSS. an Air Force community college and on 9 November 1971, General John D. Ryan, Air Force Chief of Staff, approved the establishment of the Community College of the Air Force. The argument is that the classification rules are simply laws of the land (and not additional rules), the classification rules already forbid the release of the resulting binaries to those without proper clearances, and that the GPL only requires that source code be released to those who received a binary.
The GNU General Public License (GPL) is the most common OSS license; while you do not need to use the GPL, it is often unwise to choose a license incompatible with the majority of OSS. It states that in 1913, the Attorney General developed an opinion (30 Op. DoDIN APL is managed by the APCO | disa.meade.ie.list.approved-products-certification-office@mail.mil. Failing to understand that open source software is commercial software would result in failing to follow the laws, regulations, policies, and so on regarding commercial software. Depending on your goals, a trademark, service mark, or certification mark may be exactly what you need. Where possible, software developed partly by government funds should be broken into a set of smaller components at the lowest practicable level so the rules can be applied separately to each one. Cisco Firepower Threat Defense (FTD) 6.4 with FMC and AnyConnect. Telestra provides Air Force simulators with . 31 U.S.C. There are far too many examples to list; a few examples are: The key risk is the revelation of information that should not be released to the public. If it is a new project, be sure to remove barriers to entry for others to contribute to the project: OSS should be released using conventional formats that make it easy to install (for end-users) and easy to update (for potential co-developers). What is Open Technology Development (OTD)? SUBJECT: Software Products Approval Process . In most cases, contributors to OSS projects intend for their contributions to be gratuitous, and provide them for all (not just for the Federal government), clearly distinguishing such OSS contributions from the voluntary services that the ADA was designed to prevent. The release may also be limited by patent and trademark law.
Thus, Open Source Intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. Export control laws are often not specifically noted in OSS licenses, but nevertheless these laws also govern when and how software may be released. By dominate, that means that when software that has those pairs of licenses is merged, the dominating license essentially governs the resulting combination because the dominating license essentially includes all the key terms of the other license. If the standard DFARS contract clauses are used (see DFARS 252.227-7014), then unless other arrangements are made, the government has unlimited rights to a software component when (1) it pays entirely for the development of it (see DFARS 252.227-7014(b)(1)(i)), or (2) it is five years after contract signature if it partly paid for its development (see DFARS 252.227-7014(b)(2)). A very small percentage of such users determine that they can make a change valuable to them, and contribute it back (to avoid maintenance costs). Commercial software (including OSS) that has widespread use often has lower risk, since there are often good reasons for its widespread use. Q: When a DoD contractor is developing a new system/software as a deliverable in a typical DoD contract, is it possible to include existing open source software? Requiring the use of very unusual development tools may impede development, unless those tools provide a noticeable advantage. In the DoD, the GIG Technical Guidance Federation is a useful resource for identifying recommended standards (which tend to be open standards).
Government lawyers and Contracting Officers are trained to try to negotiate licenses which resolve these ambiguities without having to rely on the less-satisfying Order of Precedence, but generally accede when licenses in question are non-negotiable, such as with OSS licenses in many cases. The U.S. government can often directly combine GPL and proprietary, classified, or export-controlled software into a single program arbitrarily, as long as the result is never conveyed outside the U.S. government. Open source software that has at least one non-governmental use, and is licensed to the public, is commercial software. In many cases, weakly protective licenses are used for common libraries, while strongly protective licenses are used for applications. Continuous and broad peer-review, enabled by publicly available source code, improves software reliability and security through the identification and elimination of defects that might otherwise go unrecognized by the core development team. It points to various studies related to market share, reliability, performance, scalability, security, and total cost of ownership. DFARS 252.227-7014(a)(15) defines unlimited rights as rights to use, modify, reproduce, release, perform, display, or disclose computer software or computer software documentation in whole or in part, in any manner and for any purpose whatsoever, and to have or authorize others to do so. These decisions largely held that the GNU General Public License, version 2 was enforceable in a series of five related legal cases loosely referred to as Versata v. Ameriprise, although there were related suits against Versata by XimpleWare. For commercial software, such needed fixes could be provided by a software vendor as part of a warranty, or in the case of OSS, by the government (or its contractors).
Control enhancement CM-7(8) states that an organization must prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code. Thus, in many cases a choice of venue clause is not an insurmountable barrier to acceptance of the software delivery by the government. In addition, ignoring OSS would not be lawful; U.S. law specifically requires consideration of commercial software (including extant OSS, regardless of exactly which license it uses), and specifically instructs departments to pass this requirement to consider commercial items down to contractors and their suppliers at all tiers. Thus, open systems require standards that are widely-supported and consensus-based; standards that meet these (and possibly some additional conditions) may be termed open standards. Even for many modifications (e.g., bug fixes) this causes no issues because in many cases the DoD has no interest in keeping those changes confidential. However, the required FAR Clause 52.212-4(d) establishes that This contract is subject to the Contract Disputes Act of 1978, as amended (41 U.S.C. What is its relationship to OSS? (See next question.) Note that this sometimes depends on how the program is used or modified. OSS-like development approaches within the government. The Air Force thinks it's finally found a way. Air Force Command and Control at the Start of the New Millennium. The list consists of 21 equipment categories divided into categories, sub-categories and then . A service mark is "a word, phrase, symbol or design, or a combination thereof, that identifies and distinguishes the source of a service rather than goods." Open source software is also called Free software, libre software, Free/open source software (FOSS or F/OSS), and Free/Libre/Open Source Software (FLOSS). Similarly, delaying a component's OSS release too long may doom it, if another OSS component is released first.
Some OSS is very secure, while others are not; some proprietary software is very secure, while others are not. Q: How can you determine if different open source software licenses are compatible? One way to deal with potential export control issues is to make this request in the same way as approving public release of other data/documentation. Thus, public domain software provides recipients all of the rights that open source software must provide. Most OSS projects have a trusted repository, that is, some (web) location where people can get the official version of the program, as well as related information (documentation, bug report system, mailing lists, etc.). This is particularly the case where future modifications by the U.S. government may be necessary, since OSS by definition permits modification. However, if the GPL software must be mixed with other proprietary/classified software, the GPL terms must still be followed. There is a fee for registering a trademark. The example of Borland's InterBase/Firebird is instructive. before starting have a clear understanding of the reasons to migrate; ensure that there is active support for the change from IT staff and users; make sure that there is a champion for change (the higher up in the organisation the better); build up expertise and relationships with the OSS movement; ensure that each step in the migration is manageable. References to specific products or organizations are for information only, and do not constitute an endorsement of the product/company. Use a widely-used existing license. What's more, proprietary software release practices make it more difficult to be confident that the software does not include malicious code. Factors that greatly reduce this risk include: Typically not, though the risk varies depending on their contract and specific circumstance. As a result, it is difficult to develop software and be confident that it does not violate enforceable patents.
OpenSSL - SSL/cryptographic library implementation, GNAT - Ada compiler suite (technically this is part of gcc), perl, Python, PHP, Ruby - Scripting languages, Samba - Windows - Unix/Linux interoperability. Widely-used programs include the Apache web server, Firefox web browser, Linux kernel, and many other programs. Q: Isn't OSS developed primarily by inexperienced students? For almost as long as smartphones have existed, defense IT leaders have wondered aloud whether they'd ever be able to securely implement a bring-your-own-device (BYOD) approach to military networks. Department of the Air Force updates policies, procedures to recruit for the future. MEMORANDUM FOR ALL MAJCOMs/FOAs/DRUs . If such software includes third-party components that were not produced in performance of that contract, the contractor is generally responsible for acquiring those components with acceptable licenses that permit the government to use that software. In some cases access is limited to portions of the government instead of the entire government. Conversely, where source code is hidden from the public, attackers can attack the software anyway as described above. Can the DoD use GPL-licensed software? It is impossible to completely eliminate all risks; instead, focus on reducing risks to acceptable levels. Examples include: If you know of others who have similar needs, ask them for leads. As with proprietary software, to reduce the risk of executing malicious code, potential users should consider the reputation of the supplier (the OSS project) and the experience of other users, prefer software with a large number of users, and ensure that they get the real software and not an imitator (e.g., from the main project site or a trusted distributor).
Unlike proprietary COTS, GOTS has the advantage that the government has the right to change the software whenever the government chooses to do so. For example, software that can only be used for government purposes is not OSS, since it cannot be used for any purpose. Q: Isn't using open source software (OSS) forbidden by DoD Information Assurance (IA) Policy? Q: Where can I release open source software that is a new project to the public? Static attacks (e.g., analyzing the code instead of its execution) can use pattern-matches against binaries; source code is not needed for them either. FRCS projects will be required to meet RMF requirements and if required, obtain an Authorization To Operate (ATO . Atty Gen.51 (1913)) that has become the leading case construing 31 U.S.C. As noted in FAR 27.201-1, Pursuant to 28 U.S.C. Yes. The resulting joint work as a whole is protected by the copyrights of the non-government authors and may be released according to the terms of the original open-source license. Thus, to reduce the risk of executing malicious code, potential users should consider the reputation of the supplier and the experience of other users, prefer software with a large number of users, and ensure that they get the real software and not an imitator. As explained in detail below, nearly all OSS is commercial computer software as defined in US law and the Defense Federal Acquisition Regulation Supplement, and if it is used unchanged (or with only minor changes), it is almost always COTS. For local guidance, Airmen are encouraged to . Thus, complex license management processes to track every installation or use of the software, or who is permitted to use the software, are completely unnecessary. The U.S. Court of Appeals for the Federal Circuit's 2008 ruling on Jacobsen v. Katzer made it clear that OSS licenses are enforceable, even if money is not exchanged. how to ensure the interoperability of systems; how to build systems that are manageable.
The FAR and DFARS specifically permit different agreements to be struck (within certain boundaries). Use a common OSS license well-known to be OSS (GPL, LGPL, MIT/X, BSD-new, Apache 2.0); don't write your own license. The DoD Antivirus Software License Agreement with McAfee allows active DoD employees to utilize the antivirus software for home use. In particular, it found that DoD security depends on (OSS) applications and strategies, and that a hypothetic ban would have immediate, broad, and in some cases strongly negative impacts on the ability of the DoD to analyze and protect its own networks against hostile intrusion. Many perceive this openness as an advantage for OSS, since OSS better meets Saltzer & Schroeder's Open design principle (the protection mechanism must not depend on attacker ignorance). U.S. law governing federal procurement (U.S. Code Title 41, Section 103) defines commercial product as including a product, other than real property, that (A) is of a type customarily used by the general public or by nongovernmental entities for purposes other than governmental purposes; and (B) has been sold, leased, or licensed, or offered for sale, lease, or license, to the general public. A U.S. Air Force A-10 receives maintenance at Davis-Monthan Air Force Base, Arizona, May 29, 2020. Recent rulings have strengthened the requirement for non-obviousness, which probably renders unenforceable some already-granted software patents, but at this time it is difficult to determine which ones are affected. In Wallace vs. FSF, Judge Daniel Tinder stated that the GPL encourages, rather than discourages, free competition and the distribution of computer operating systems and found no anti-trust issues with the GPL. Q: What are Open Government Off-the-Shelf (OGOTS) or Government OSS (GOSS)? Under U.S. copyright law, users must have permission (i.e.
OSS options should be evaluated in principle the same way you would evaluate any option, considering need, cost, and so on. These services must be genuinely generic in the sense that the applications that use them must not depend on the detailed design of the GPL software to work. The Air Force's program comes with a slight caveat: it's actually called Bring Your Own Approved Device (BYOAD); airmen won't be able to . This has never been true, and explaining this takes little time. The more potential users, the more potential developers. As noted by the OSJTF definition for open systems, be sure to test such systems with more than one web browser (e.g., Google Chrome, Microsoft Edge and Firefox), to reduce the risk of vendor lock-in. After all, most proprietary software licenses explicitly forbid modifying (or even reverse-engineering) the program, so the GPL actually provides additional rights not present in most proprietary software. Users can send bug reports to the distributor or trusted repository, just as they could for a proprietary program. This legal analysis must determine if it is possible to meet the conditions of all relevant licenses simultaneously. Do not mistakenly use the term non-commercial software as a synonym for open source software. Government employees may also modify existing open source software. If using acronyms and abbreviations, only utilize those identified on the approved Air Force Acronym and Abbreviation List, unless noted by an approved category. Use of the DODIN APL allows DOD Components to purchase and operate systems over all DOD network . The usual federal non-DoD clause (FAR 52.227-14) also permits this by default as long as the government has not granted the contractor the right to assert copyright.
10 USC 2377 requires that the head of an agency shall ensure that procurement officials in that agency, to the maximum extent practicable: Similarly, it requires preliminary market research to determine whether there are commercial services or commercial products or, to the extent that commercial products suitable to meet the agency's needs are not available, nondevelopmental items other than commercial items available that (A) meet the agency's requirements; (B) could be modified to meet the agency's requirements; or (C) could meet the agency's requirements if those requirements were modified to a reasonable extent. This market research should occur before developing new specifications for a procurement by that agency; and before soliciting bids or proposals for a contract in excess of the simplified acquisition threshold. When the program was released as OSS, within 5 months this vulnerability was found and fixed. So if the program is being used and not modified (a very common case), this additional term has no impact. Where it is important, examining the security posture of the supplier (e.g., their processes that reduce risk) and scanning/testing/evaluating the software may also be wise. On approval, such containers are granted a "Certificate to Field" designation by the Air Force Chief Software Officer. Using a made-up word that has no Google hits is often a good start, but again, see the PTO site for more information. If it is a modification of an existing project, or a plug-in to it, release it under the project's original license (and possibly other licenses). The 88th Air Base Wing is the host organization for Wright-Patterson Air Force Base. It can sometimes be a challenge to find a good name. Intellipedia is implemented using MediaWiki, the open source software developed to implement Wikipedia. Open standards can aid open source software projects: Note that open standards aid proprietary software in exactly the same way.
Educate all software developers that they must comply with all valid licenses, including both proprietary. (2) Medications not on this list, singly or in combination, require review by AFMSA/SG3/5PF (rated officers) and MAJCOM/SG (non-rated personnel). What is more, the supplier may choose to abandon the product; source-code escrow can reduce these risks somewhat, but in these cases the software becomes GOTS with its attendant costs. A Boston Consulting Group study found that the average age of OSS developers was 30 years old, the majority had training in information technology and/or computer science, and on average had 11.8 years of computer programming experience. The United States Air Force operates a service called Iron Bank, which is the DoD Enterprise repository of hardened software containers, many of which are based on open source products. Software licensed under the GPL can be mixed with software released under other licenses, and mixed with classified or export-controlled software, but only under conditions that do not violate any license. The Apache 2.0 license is compatible with the GPL version 3 license, but not the GPL version 2 license. The World Health Organization (WHO) is a specialized agency of the United Nations responsible for international public health. As of Jan. 21, the Air Force has administratively separated 111 active duty Airmen. Note that most commercial software is not intended to be used where the impact of any error of any kind is extremely high (e.g., a large number of lives are likely to be immediately lost if even the slightest software error occurs). Many OSS licenses do not have a choice of venue clause, and thus cannot have an issue, although some do. Yes. So, while open systems/open standards are different from open source software, they are complementary and can work well together. In addition, widely-used licenses and OSS projects often include additional mechanisms to counter this risk.
(Note that such software would often be classified.) This is in part because such a ban would prevent DoD groups from using the same analysis and network intrusion applications that hostile groups could use to stage cyberattacks. Each product must be examined on its own merits. Yes. Notepad, PowerShell, and Excel are great alternatives. Similarly, in Wallace v. IBM, Red Hat, and Novell, the U.S. Court of Appeals for the Seventh Circuit found in November 2006 that the GNU General Public License (GPL) and open-source software have nothing to fear from the antitrust laws. Similarly, OSS (as well as proprietary software) may indeed have malicious code embedded in it. Maximize portability, and avoid requiring proprietary languages/libraries unnecessarily. Many governments, not just the U.S., view open systems as critically necessary. Some people like the term GOSS, because it indicates an intent to do OSS-like collaborative development, but within the government instead. Q: Does releasing software under an OSS license count as commercialization? 1498, the exclusive remedy for patent or copyright infringement by or on behalf of the Government is a suit for monetary damages against the Government in the Court of Federal Claims. is a survey paper that provides quantitative data that, in many cases, using open source software / free software (abbreviated as OSS/FS, FLOSS, or FOSS) is a reasonable or even superior approach to using their proprietary competition according to various measures. (Its) goal is to show that you should consider using OSS/FS when acquiring software. The use of software with a proprietary license provides absolutely no guarantee that the software is free of malicious code. First, get approval to publicly release the software. Review really does happen. Thus, components that have the potential to (eventually) support many users are more likely to succeed.
The products listed below are evaluated against a NIAP-approved Protection Profile, which encompasses the security requirements and test activities suitable across the technology with no EAL assigned - hence the conformance claim is "PP". The certification affirms that the Air Force OTI is authorized to use ASTi's products, which now appear in the OTI Evaluated/Approved Products List (OTI E/APL). Under the current DoD contracting regime, the contractor usually retains the copyright for software developed with government funding, so in such cases the contractor (not the government) has the right to sue for copyright violation. That said, other factors may be more important for a given circumstance. Lawmakers also approved the divestment of 13 . Proprietary COTS tend to be lower cost than GOTS, since the cost of development and maintenance is typically shared among a larger number of users (who typically pay to receive licenses to use the product).