Document the project's purpose, scope, and major decisions - users must be able to quickly determine if this project might meet their needs. This strengthens evaluations by focusing on technology-specific security requirements. Q: Is there any quantitative evidence that open source software can be as good as (or better than) proprietary software? It can be argued that classified software can be arbitrarily combined with GPL code, beyond the approaches described above. Army - (703) 602-7420, DSN 332. Q: Does the DoD use OSS for security functions? Use of the DODIN APL allows DOD Components to purchase and operate systems over all DOD network infrastructures. Department of the Air Force updates policies, procedures to recruit for the future. However, the public domain portions may be extracted from such a joint work and used by anyone for any purpose. The NASA FAR Supplement (NFS) 1852.227-14 gives NASA the right, under typical conditions, to demand that a contractor assert copyright and then assign the copyright to the government, which would again give the government the right to release the software as open source software. These included the Linux kernel, the gcc compilation suite (including the GNAT Ada compiler), the OpenOffice.org office suite, the emacs text editor, the Nmap network scanner, OpenSSL and OpenSSH for encryption, and Samba for Unix/Linux/Windows interoperability. If it is a new project, be sure to remove barriers to entry for others to contribute to the project: OSS should be released using conventional formats that make it easy to install (for end-users) and easy to update (for potential co-developers). Video conferencing platforms Zoom and Microsoft Teams are both FedRAMP approved, but while Zoom offers end-to-end encryption, Microsoft Teams does not, according to the National Security Agency.
In such licenses, if you give someone a binary of the program, you are obligated to give them the source code (perhaps upon request) under the same terms. However, the required FAR Clause 52.212-4(d) establishes that "This contract is subject to the Contract Disputes Act of 1978, as amended (41 U.S.C." Since OSS provides source code, there is no problem. A U.S. Air Force A-10 receives maintenance at Davis-Monthan Air Force Base, Arizona, May 29, 2020. As more improvements are made, more people can use the product, creating more potential users as developers - like a snowball that gains mass as it rolls downhill. It can sometimes be a challenge to find a good name. If a legal method for using the GPL software for a particular application cannot be devised, and a different license cannot be negotiated, then the GPL-licensed component cannot be used for that particular purpose. 10 USC 2377 requires that the head of an agency shall ensure that procurement officials in that agency, to the maximum extent practicable: Similarly, it requires preliminary market research to determine whether there are commercial services or commercial products or, to the extent that commercial products suitable to meet the agency's needs are not available, nondevelopmental items other than commercial items available that (A) meet the agency's requirements; (B) could be modified to meet the agency's requirements; or (C) could meet the agency's requirements if those requirements were modified to a reasonable extent. This market research should occur before developing new specifications for a procurement by that agency, and before soliciting bids or proposals for a contract in excess of the simplified acquisition threshold.
This statute says that, "An officer or employee of the United States Government or of the District of Columbia government may not accept voluntary services for either government or employ personal services exceeding that authorized by law except for emergencies involving the safety of human life or the protection of property." The US Government Accountability Office (GAO) Office of the General Counsel's Principles of Federal Appropriations Law (aka the Red Book) explains federal appropriation law. Terms that people have used include source available software, open-box software, visible-source software, and disclosed-source software. As an aid, the Open Source Initiative (OSI) maintains a list of Licenses that are popular and widely used or with strong communities. MEMORANDUM FOR ALL MAJCOMs/FOAs/DRUs. No, although they work well together, and both are strategies for reducing vendor lock-in. It is impossible to completely eliminate all risks; instead, focus on reducing risks to acceptable levels. Using a standard license simplifies collaboration and eliminates many legal analysis costs. The 1997 InfoWorld Best Technical Support award was won by the Linux User Community. Q: Does the Antideficiency Act (ADA) prohibit all use of OSS due to limitations on voluntary services? Q: Doesn't hiding source code automatically make software more secure? Q: Can government employees develop software as part of their official duties and release it under an open source license? The intended audience of this tool is emergency managers, first responders, and other homeland security professionals. Air Force rarely ranks high on recruiting lists, but this year it brought in the most three-star . We also provide some thoughts concerning compliance and risk mitigation in this challenging environment. The release may also be limited by patent and trademark law. The NSA/CSS Evaluated Products List lists equipment that meets NSA specifications.
This webpage is a one-stop reference to help answer questions regarding proper wear of approved Air Force uniform items, insignias, awards and decorations, etc. OSS projects typically seek financial gain in the form of improvements. Problems must be fixed. An Airman at the 616th Operations Center empowered his fellow service members by organizing a professional development seminar for his unit. The Defense Information Systems Agency maintains the DOD Information Network (DODIN) Approved Products List (APL) process, as outlined in DOD Instruction 8100.04 on behalf of the Department of Defense. Any company can easily review OSS to look for proprietary code that should not be there; there are even OSS tools that can find common code. This formal training is supplemented by extensive on-the-job training and accumulated hands-on experience gained throughout the Service member's career. Execution Mixing: GPL and other software can run at the same time on the same computer or network. Wikipedia maintains an encyclopedia using approaches similar to open source software approaches. Is it COTS? This is particularly the case where future modifications by the U.S. government may be necessary, since OSS by definition permits modification. The GPL and government unlimited rights terms have similar goals, but differ in details. Creating any interface is an effort, and having a pre-defined standard helps reduce that effort greatly.
"acquire commercial services, commercial products, or nondevelopmental items other than commercial products to meet the needs of the agency; require prime contractors and subcontractors at all levels under the agency contracts to incorporate commercial services, commercial products, or nondevelopmental items other than commercial products as components of items supplied to the agency; modify requirements in appropriate cases to ensure that the requirements can be met by commercial services or commercial products or, to the extent that commercial products suitable to meet the agency's needs are not available, nondevelopmental items other than commercial products in response to agency solicitations; state specifications in terms that enable and encourage bidders and offerors to supply commercial services or commercial products or, to the extent that commercial products suitable to meet the agency's needs are not available, nondevelopmental items other than commercial products in response to the agency solicitations; revise the agency's procurement policies, practices, and procedures not required by law to reduce any impediments in those policies, practices, and procedures to the acquisition of commercial products and commercial services; and, require training of appropriate personnel in the acquisition of commercial products and commercial services." Many programs and DAAs do choose to use commercial support, and in many cases that is the best approach. The following questions discuss some specific cases. Be sure to consider total cost of ownership (TCO), not just initial download costs. Notepad, PowerShell, and Excel are great alternatives. Also, there are rare exceptions for NIST and the US Postal Service employees where a US copyright can be obtained (see CENDI's Frequently Asked Questions About Copyright).
The Free Software Foundation (FSF) interprets linking a GPL program with another program as creating a derivative work, and thus imposing this license term in such cases. 2019 Approved Software Developers of Paper 2D Forms (PDF 47.33 KB) Final as of April 2, 2020. The, Educate all software developers that they must comply with all valid licenses - including both proprietary. Otherwise, choose some existing OSS license, since all existing licenses add some legal protections from lawsuits. This should not be surprising; the DoD uses OSS extensively, and the GPL is the most popular OSS license. The cases are too complicated to summarize here, other than to say that the GPLv2 was clearly regarded as enforceable by the courts. Under the current DoD contracting regime, the contractor usually retains the copyright for software developed with government funding, so in such cases the contractor (not the government) has the right to sue for copyright violation. Unlike proprietary COTS, GOTS has the advantage that the government has the right to change the software whenever the government chooses to do so. For advice about a specific situation, however, consult with legal counsel. Q: Is there a large risk that widely-used OSS unlawfully includes proprietary software (in violation of copyright)? Note that enforcing such separation has many other advantages as well. It would also remove the uniquely (OSS) ability to change infrastructure source code rapidly in response to new modes of cyberattack. Yes, but the following considerations apply: As stated above, software developed by government employees as part of their official duties is not subject to copyright protection in the United States. It points to various studies related to market share, reliability, performance, scalability, security, and total cost of ownership. AEW and AEG/CCs may publish supplements to AFI 1-1, Air Force Standards, to address issues of community standards. 
Q: Can the government or contractor use trademarks, service marks, and/or certification marks with OSS projects? If that competitor's use of OSS results in an advantage to the DoD (such as lower cost, faster schedule, increased performance, or other factors such as increased flexibility), contractors should expect that the DoD will choose the better bid. These cases were eventually settled by the parties, but not before certain claims regarding the GPLv2 were decided. Q: How can I get support for OSS that already exists? This is not a copyright license; it is the absence of a license. Such developers need not be cleared, for example. Commercially-available software that is not open source software is typically called proprietary or closed source software. Q: Is open source software the same as open systems/open standards? Performance Statements are plain language and avoid using uncommon acronyms and abbreviations. The United States Air Force operates a service called "Iron Bank", which is the DoD Enterprise repository of hardened software containers, many of which are based on open source products. "Delivering a more lethal force requires the ability to evolve faster and be more adaptable . FROM: Air Force Authorizing Official. The FAR and DFARS specifically permit different agreements to be struck (within certain boundaries). U.S. government contractors (including those in the DoD) are often indemnified from patent infringement by the U.S. government as part of their contract. The Red Book section 6.C.3.b explains this prohibition in more detail. For DoD contractors, if the standard DFARS contract clauses are used (in particular DFARS 252.227-7014) then the contractor who developed the software retains the copyright to the software and has the right to release it to others, even if the software was developed exclusively with government funds.
For software delivered under federal contracts, any choice of venue clauses in the license generally conflict with the Contract Disputes Act. This includes the most popular OSS license, the, Weakly Protective (aka weak copyleft): These licenses are a compromise between permissive and strongly protective licenses. Use typical OSS infrastructure, tools, etc. Although the government cannot directly sue for copyright violation, in such cases it can still sue for breach of license and, presumably, get injunctive relief to stop the breach and money damages to recover royalties obtained by breaching the license (and perhaps other damages as well). This clause establishes that the choice of venue clause (category 4) is superseded by the Contract Disputes Act (category 2), and thus the conflict is typically moot. Thus, if there is an existing contract, you must check the contract to determine the specific situation; the text above merely describes common cases. For the DoD, the risks of failing to consider the use of OSS where appropriate are increased cost, increased schedule, and/or reduced performance (including reduced innovation or security) to the DoD due to the failure to use the commercial software that best meets the needs (when that is the case). Commercial support can be either through companies which specialize in OSS support (in general or for specific products), or through contractors who specialize in supporting customers and provide the OSS support as part of a larger service. This resource contains Facility-Related Control Systems (FRCS) guidance, reference materials, checklists and templates. The DoD has adopted the Risk Management Framework (RMF) for all Information Technology and Operational Technology networks, components and devices, to include FRCS.
Government lawyers and Contracting Officers are trained to try to negotiate licenses which resolve these ambiguities without having to rely on the less-satisfying Order of Precedence, but generally accede when licenses in question are non-negotiable, such as with OSS licenses in many cases. Q: When can the U.S. federal government or its contractors publicly release, as OSS, software developed with government funds? For commercial software, such needed fixes could be provided by a software vendor as part of a warranty, or in the case of OSS, by the government (or its contractors). As noted in the article "Open Source memo doesn't mandate a support vendor" (by David Perera, FierceGovernmentIT, May 23, 2012), the intent of the memo was not to issue a blanket requirement that all open source software come bundled with contractor support or else it can't be used. If a Defense agency is able to sustain the open source software with its own skills and talents, then that can be enough to satisfy the intent of the memo. In addition, how robust the support plan need be can also vary with the nature of the software itself: for command and control software, the degree would have to be greater than for something that's not so critical to mission execution. OSS is typically developed through a collaborative process. But in practice, publicly-released OSS nearly always meets the various government definitions for commercial computer software and thus is nearly always considered commercial software. If this is the case, then the contractor cannot release the software as OSS without permission, because the contractor doesn't own the copyright. A Boston Consulting Group study found that the average age of OSS developers was 30 years old, the majority had training in information technology and/or computer science, and on average had 11.8 years of computer programming experience. The travel and meal tickets you received the day you reported to ship out to basic training.
In some other cases, the government lacks the rights to release the software to the public, e.g., the government may only have Government Purpose Rights (GPR). As noted in Technical Data and Computer Software: A Guide to Rights and Responsibilities Under Federal Contracts, Grants and Cooperative Agreements by the Council on Governmental Relations (COGR), "This unlimited license enables the government to act on its own behalf and to authorize others to do the same things that it can do, thus giving the government essentially the same rights as the copyright owner." In short, once the government has unlimited rights, it has essentially the same rights as a copyright holder, and can then use those rights to release that software under a variety of conditions (including an open source software license), because it has the right to use and modify the software at will, and has the right to authorize others to do so. In 2015, a series of decisions regarding the GNU General Public License were issued by the United States District Courts for the Western District of Texas as well as the Northern District of California. Look at the Numbers! By August 1941, American president Franklin Roosevelt and British prime minister Winston Churchill had drafted the Atlantic Charter to define goals for the post-war world. As noted by the 16 October 2009 policy memorandum from the DoD CIO, in almost all cases OSS is a commercial item as defined by US Law (Title 41) and regulation (the FAR). Most OSS projects have a trusted repository, that is, some (web) location where people can get the official version of the program, as well as related information (documentation, bug report system, mailing lists, etc.). It also often has lower total cost-of-ownership than proprietary COTS, since acquiring it initially is often free or low-cost, and all other support activities (training, installation, modification, etc.)
The Air Force Institute of Technology, or AFIT, is the Air Force's graduate school of engineering and management as well as its institution for technical professional continuing education. Note: Software that is developed collaboratively by multiple organizations within the government and its contractors for government use, and not released to the public, is sometimes called Open Government Off-the-Shelf (OGOTS) or Government OSS (GOSS). There are many alternative clauses in the FAR and DFARS, and specific contracts can (and often do) have different agreements on who has which rights to software developed under a government contract. If the OSS is intended for use on Linux/Unix systems, follow standard source installation release practices so that it is easier for users to install. BSD TCP/IP suite - Provided the basis of the Internet. Greatly increased costs, due to the effort of self-maintaining its own version; inability to use improvements (including security patches and innovations) by others, where it uses a non-standard version instead of the version being actively maintained; greatly increased cost, due to having to bear the; inability to use improvements (including security patches and innovations) by others, since they do not have the opportunity to aid in its development; obsolescence due to the development and release of a competing commercial (e.g., OSS) project. (See also Free Software Foundation License List, Public Domain.) (See also GPL FAQ, Question "Can the US Government release improvements to a GPL-covered program?") Q: Isn't using open source software (OSS) forbidden by DoD Information Assurance (IA) Policy? There are far too many examples to list; a few examples are: The key risk is the revelation of information that should not be released to the public. Again, if this is the case, then the contractor cannot release the software as OSS without permission, because the contractor doesn't own the copyright.
Florida Solar Energy Center's EnergyGauge. Under U.S. copyright law, users must have permission (i.e. Q: Is the GPL compatible with Government Unlimited Rights contracts, or does the requirement to display the license, etc, violate Government Unlimited Rights contracts? Been retired for a few years but work for a company that has a contract with the Air Force and Army. In many cases, yes, but this depends on the specific contract and circumstances. Thus, complex license management processes to track every installation or use of the software, or who is permitted to use the software, are completely unnecessary. 37 African nations, US kickoff AACS 2023 in Senegal. Document from where and when any external software was acquired, as well as the license conditions, so that future users and maintainers can easily comply with the license terms. The purpose of the Department of Defense Information Network Approved Products List (DODIN APL) is to maintain a single consolidated list of products that have completed Interoperability (IO) and Cybersecurity certification. Everything just redirects to the DISA Approved Product list which only covers hardware. OSS options should be evaluated in principle the same way you would evaluate any option, considering need, cost, and so on. Q: Is there a risk of malicious code becoming embedded into OSS? The Defense Information Systems Agency maintains the DOD Information Network (DODIN) Approved Products List (APL) process, as outlined in DOD Instruction 8100.04 on behalf of the Department of Defense. (See GPL FAQ, "Can I use the GPL for something other than software?".) The Defense Innovation Unit (DIU) is a . Some have found that community support can be very helpful. Q: Where can I release open source software that is a new project to the public? Browse 817 acronyms and abbreviations related to the Air Force terminology and jargon.
Do not use spaces when performing a product number/title search (e.g. If it is already available to the public and is used unchanged, it is usually COTS. The list of products, referred to as "Blue sUAS," comes from 5 different manufacturers: Skydio, Parrot, Altavian, Teal Drones, and Vantage Robotics. No. In some cases, export-controlled software may be licensed for export under the condition that the source code not be released; this would prevent release of software that had mixed GPL and export-controlled software. Thus, Open Source Intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. Make sure it's really OSS. Classified information may not be released to the public without special authorization to do so. Why Open Source Software / Free Software (OSS/FS, FLOSS, or FOSS)? If the intent of a contract is to develop software to be released as open source software, it is best to expressly include release as OSS as part of the contract. Q: Is there a name for software whose source code is publicly available, but does not meet the definition of open source software? Q: What license should the government or contractor choose/select when releasing open source software? Thankfully, such analyses have already been performed on the common OSS licenses, which tend to be mutually compatible. Note also that merely being developed for the government is no guarantee that there is no malicious embedded code. Q: How do GOTS, Proprietary COTS, and OSS COTS compare?
There are substantial benefits, including economic benefits, to the creation and distribution of copyrighted works under public licenses that range far beyond traditional license royalties. The choice to exact consideration in the form of compliance with the open source requirements of disclosure and explanation of changes, rather than as a dollar-denominated fee, is entitled to no less legal recognition. Air Force - (618)-229-6976, DSN 779. As explained in detail below, nearly all OSS is commercial computer software as defined in US law and the Defense Federal Acquisition Regulation Supplement, and if it is used unchanged (or with only minor changes), it is almost always COTS. Thus, as long as the software has at least one non-governmental use, software licensed (or offered for license) to the public is a commercial product for procurement purposes. OSS licenses and projects clearly approve of commercial support. The lack of money changing hands in open source licensing should not be presumed to mean that there is no economic consideration, however. How to ensure the interoperability of systems; how to build systems that are manageable. Choose a GPL-compatible license. The project manager, program manager, or other comparable official determines that it is in the Government's interest to do so, such as through the expectation of future enhancements by others. A permissive license permits arbitrary use of the program, including making proprietary versions of it. Note that merely being released by a US firm is no guarantee that there is no malicious embedded code. However, such malicious code cannot be directly inserted by just anyone into a well-established OSS project. That said, this does not mean that all OSS is superior to all proprietary software in all cases by all measures. Many governments, not just the U.S., view open systems as critically necessary.
It depends on the goals for the project; however, here are some guidelines: Public domain where required by law. As described in FAR 27.404-3(a)(2), a contracting officer should grant such a request only when "[that] will enhance appropriate dissemination or use", but release as open source software would typically qualify as a justification for enhanced dissemination and use. Any software not listed on the Approved Software List is prohibited. In some cases, there are nationally strategic reasons the software should not be released to the public (e.g., it is classified). Q: What additional material is available on OSS in the government or DoD? This process provides a single, consolidated list of products that have met cybersecurity and interoperation certification requirements. Thus, even this FAQ was developed using open source software. 2019 Approved Software Developers and Transmitters (PDF 51.18 KB) Updated April 15, 2020. Software/hardware for which the implementation, proofs of its properties, and all required tools are released under an OSS license are termed "open proofs" (see the open proofs website for more information). In this case, the government has the unenviable choice of (1) spending possibly large sums to switch to the new project (which would typically have a radically different interface and goals), or (2) continuing to use the government-unique custom solution, which typically becomes obsolete and leaves the U.S. systems far less capable than others (including those of U.S. adversaries). When examining a specific OSS project, look for evidence that review (both by humans and tools) does take place. OSS is increasingly commercially developed and supported. The services focus on bringing automated software tools, services and standards to DOD programs so that warfighters can create, deploy, and operate software applications in a secure, flexible, and .
Open systems and open standards counter dependency on a single supplier, though only if there is a competing marketplace of replaceable components. By some definitions this is technically not an open source license, because no license is needed, but such public domain software can be legally used, modified, and combined with other software without restriction. DFARS 252.227-7014 specifically defines commercial computer software in a way that includes nearly all OSS, and defines noncommercial computer software as software that does not qualify as commercial computer software. In some cases a DoD contractor may be required to transfer copyright to the government for works produced under contract (see DFARS 252.227-7020). In addition, an attacker can often acquire the original source code from suppliers anyway (either because the supplier voluntarily provides it, or via attacks against the supplier); in such cases, if only the attacker has the source code, the attacker ends up with another advantage.