In general, Security by Obscurity is widely denigrated. The Defense Information Systems Agency maintains the DOD Information Network (DODIN) Approved Products List (APL) process, as outlined in DOD Instruction 8100.04 on behalf of the Department of Defense. As noted above, in nearly all cases, open source software is considered commercial software by U.S. law, the FAR, and the DFARS. For software delivered under federal contracts, any choice of venue clauses in the license generally conflict with the Contract Disputes Act. Q: Can government employees develop software as part of their official duties and release it under an open source license? Software developed by US federal government employees (including military personnel) as part of their official duties is not subject to copyright protection in the US (see 17 USC 105). An Open Source Community can update the codebase, but they cannot patch your servers. However, it must be noted that the OSS model is much more reflective of the actual costs borne by development organizations. It would also remove the unique (OSS) ability to change infrastructure source code rapidly in response to new modes of cyberattack. OTD includes both OSS and OGOTS/GOSS. Note, however, that this risk has little to do with OSS, but is instead rooted in the risks of U.S. patent infringement for all software, and the patent indemnification clauses in their contract. Although the government cannot directly sue for copyright violation, in such cases it can still sue for breach of license and, presumably, get injunctive relief to stop the breach and money damages to recover royalties obtained by breaching the license (and perhaps other damages as well).
Instead, Government employees must ensure that they do not accept services rendered in the hope that Congress will subsequently recognize a moral obligation to pay for the benefits conferred. Established Oct. 1, 2013, the Defense Health Agency is the centerpiece of Military Health System governance reform, as outlined in the Deputy Secretary of Defense's March 11, 2013 Memorandum "Implementation of Military Health System Governance Reform." The DHA's role is to achieve greater integration of our direct and purchased health care delivery systems so that we accomplish the . There are substantial benefits, including economic benefits, to the creation and distribution of copyrighted works under public licenses that range far beyond traditional license royalties. The choice to exact consideration in the form of compliance with the open source requirements of disclosure and explanation of changes, rather than as a dollar-denominated fee, is entitled to no less legal recognition. This memorandum only applies to Navy and Marine Corps commands, but may be a useful reference for others. The Creative Commons is a non-profit organization that provides free tools, including a set of licenses, to let authors, scientists, artists, and educators easily mark their creative work with the freedoms they want it to carry. The regulation is available at. Using industry OSS project hosting services makes it easier to collaborate with other parties outside the U.S. DoD or U.S. government. OSS can often be purchased (directly, or as a support contract), and such purchases often include some sort of indemnification. Note that merely being released by a US firm is no guarantee that there is no malicious embedded code.
Here is an explanation of these categories, along with common licenses used in each category (see The Free-Libre / Open Source Software (FLOSS) License Slide): In general, legal analysis is required to determine if multiple programs, covered by different OSS licenses, can be legally combined into a single larger work. Examples of the former include Red Hat, Canonical, HP Enterprise, Oracle, IBM, SourceLabs, OpenLogic, and Carahsoft. Software licenses, including those for open source software, are typically based on copyright law. There are other ways to reduce the risk of software patent infringement (in the U.S.) as well: Yes, both entirely new programs and improvements of existing OSS have been developed using U.S. government funds. Q: Where can I release new open source software projects to the public? Each hosting service tends to be focused on particular kinds of projects, so prefer a hosting service that well matches the project. Q: Under what conditions can GPL-licensed software be mixed with proprietary/classified software? Since OSS licenses are quite generous, the only license-violating action a developer is likely to try is to release software under a more stringent license, and that will have little effect if it cannot be enforced in court. Florida Solar Energy Center's EnergyGauge. Q: What license should the government or contractor choose/select when releasing open source software? If you are releasing OSS source code for Unix-like systems (including Linux and MacOS), you should follow the usual conventions for doing so as described below: You may use existing industry OSS project hosting services such as SourceForge, Savannah, GitHub, or Apache Software Foundation. It can be argued that classified software can be arbitrarily combined with GPL code, beyond the approaches described above.
Do not mistakenly use the term non-commercial software as a synonym for open source software. This shows that proprietary software can include functionality that could be described as malicious, yet remain unfixed - and that at least in some cases OSS is reviewed and fixed. If you are applying for a scholarship as a high school student, you must be accepted to the program and academic major that you indicate on your scholarship application. First of all, being a US firm has little relationship to the citizenship of its developers and its suppliers' developers. Many prefer unified diff patches, generated by diff -u or similar commands. One way to deal with potential export control issues is to make this request in the same way as approving public release of other data/documentation. The GTG-F is a collection of web-based applications supporting the continuing evolution of the Department of Defense (DoD) Information Technology Standards. The FAR and DFARS specifically permit different agreements to be struck (within certain boundaries). If it must work with other components, or is anticipated to work with other components, ensure that the license will permit those anticipated uses. Air Force Policy Directive 38-1, Manpower and Organization, 2 July 2019; Air Force Instruction 33-360, Publications and Forms Management, 1 December 2015; Air Force Manual 33-363, Management of Records, 21 July 2016. Adopted Forms: AF Form 847, Recommendation for Change of Publications. It is available at. The Office of Management and Budget issued a memorandum providing guidance on software acquisition which specifically addressed open source software on 1 Jul 2004. This is not merely theoretical; in 2003 the Linux kernel development process resisted an attack. Q: What are the risks of failing to consider the use of OSS components or approaches?
Recent rulings have strengthened the requirement for non-obviousness, which probably renders unenforceable some already-granted software patents, but at this time it is difficult to determine which ones are affected. As noted by the 16 October 2009 policy memorandum from the DoD CIO, in almost all cases OSS is a commercial item as defined by US Law (Title 41) and regulation (the FAR). Choose a GPL-compatible license. Examples include GPL applications running on proprietary operating systems or wrappers, and GPL applications that use proprietary components explicitly marked as non-GPL. Example: GPL software can be stored on the same computer disk as (most kinds of) proprietary software. Typically enforcement actions are based on copyright violations, and only copyright holders can raise a copyright claim in U.S. court. The argument is that the classification rules are simply laws of the land (and not additional rules), the classification rules already forbid the release of the resulting binaries to those without proper clearances, and that the GPL only requires that source code be released to those who received a binary. The 2009 DoD CIO memo on open source software says, in attachment 2, 2(d), "The use of any software without appropriate maintenance and support presents an information assurance risk." Contractors must still abide by all other laws before being allowed to release anything to the public. Section 6.C.3.a notes that the voluntary services provision is not new; it first appeared, in almost identical form, back in 1884.
If your contract has FAR clause 52.212-4 (which it is normally required to do), then choice of venue clauses in software licenses are undesirable, but the order of precedence clause (in the contract) means that the choice of venue clause (in the license) is superseded by the Contract Disputes Act. Home use of the antivirus products will not only protect personal PCs, but will also potentially lessen the threat of malicious logic being introduced to the workplace and compromising DoD networks. No, although they work well together, and both are strategies for reducing vendor lock-in. The 2003 MITRE study, Use of Free and Open Source Software (FOSS) in the U.S. Department of Defense, identified some of many OSS programs that the DoD is already using, and concluded that OSS plays a more critical role in the [Department of Defense (DoD)] than has generally been recognized. If the government has received copyright (e.g., because the FAR 52.227-17 or DFARS 252.227-7020 clauses apply) then the government can release the software as open source software. If you claim rights to use a mark, you may simply use the TM (trademark) or SM (service mark) designation to alert the public to your claim of ownership of the mark. An alternative is to not include the OSS component in the deliverable, but simply depend on it, as long as that is acceptable to the government. Before award, a contractor may identify the components that will have more restrictive rights (e.g., so the government can prefer proposals that give the government more rights), and under limited conditions the list can be modified later (e.g., for error correction). By some definitions this is technically not an open source license, because no license is needed, but such public domain software can be legally used, modified, and combined with other software without restriction.
Q: Is there a large risk to DoD contractors that widely-used OSS violates enforceable software patents? Any company can easily review OSS to look for proprietary code that should not be there; there are even OSS tools that can find common code. While this argument may be valid, we know of no court decision or legal opinion confirming this. "acquire commercial services, commercial products, or nondevelopmental items other than commercial products to meet the needs of the agency; require prime contractors and subcontractors at all levels under the agency contracts to incorporate commercial services, commercial products, or nondevelopmental items other than commercial products as components of items supplied to the agency; modify requirements in appropriate cases to ensure that the requirements can be met by commercial services or commercial products or, to the extent that commercial products suitable to meet the agency's needs are not available, nondevelopmental items other than commercial products in response to agency solicitations; state specifications in terms that enable and encourage bidders and offerors to supply commercial services or commercial products or, to the extent that commercial products suitable to meet the agency's needs are not available, nondevelopmental items other than commercial products in response to the agency solicitations; revise the agency's procurement policies, practices, and procedures not required by law to reduce any impediments in those policies, practices, and procedures to the acquisition of commercial products and commercial services; and, require training of appropriate personnel in the acquisition of commercial products and commercial services." Unfortunately, this typically trades off flexibility; the government does not have the right to modify the software, so it cannot fix serious security problems, add arbitrary improvements, or make the software work on platforms of its choosing.
Q: Can the government release software under an open source license if it was developed by contractors under government contract? Be sure to consider such costs over a period of time (typically the lifetime of the system including its upgrades), and use the same period when evaluating alternatives; otherwise, one-time costs (such as costs to transition from an existing proprietary system) can lead to erroneous conclusions. Control enhancement CM-7(8) states that an organization must prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code. Q: Is a lot of pre-existing open source software available? In the commercial world, the copyright holders are typically the individuals and organizations that originally developed the software. Examples of OSS that are in widespread use include: There are many Linux distributions that provide suites of such software, such as Red Hat Enterprise Linux, Fedora, SUSE, Debian and Ubuntu. Bruce Perens noted back in 1999, "Do not write a new license if it is possible to use (a common existing license). The propagation of many different and incompatible licenses works to the detriment of Open Source software because fragments of one program cannot be used in another program with an incompatible license."
Many view OSS license proliferation as a problem; Serdar Yegulalp's 2008 Open Source Licensing Implosion (InformationWeek) noted that not only are there too many OSS licenses, but that "the consequences for blithely creating new ones are finally becoming concrete... the vast majority of open source products out there use a small handful of licenses... Now that open source is becoming (gasp) a mainstream phenomenon, using one of the less-common licenses or coming up with one of your own works against you more often than not." In short, OSS more accurately reflects the economics of software development; some speculate that this is one reason why OSS has become so common. There are many definitions for the term open standard. This is in addition to the advantages from OSS because it can be reviewed, modified, and redistributed with few restrictions (inherent in the definition of OSS). The DoDIN APL is managed by the Approved Products Certification Office (APCO). OSS projects typically seek financial gain in the form of improvements. The release of the software may be restricted by the International Traffic in Arms Regulation or Export Administration Regulation. By dominate, we mean that when software with those pairs of licenses is merged, the dominating license essentially governs the resulting combination, because the dominating license essentially includes all the key terms of the other license. Fundamentally, a standard is a specification, so an open standard is a specification that is open. The public release also makes it easy to have copies of versions in many places, and to compare those versions, making it easy for many people to review changes. Approved software is listed on the DCMA Approved Software List. (Such terms might include open source software, but could also include other software).
A primary reason that this is low-probability is the publicity of the OSS source code itself (which almost invariably includes information about those who made specific changes). Unfortunately, the government must pay for all development and maintenance costs of GOTS; since these can be substantial, GOTS runs the risk of becoming obsolete when the government cannot afford those costs. Using a made-up word that has no Google hits is often a good start, but again, see the PTO site for more information. In particular, it found that DoD security depends on (OSS) applications and strategies, and that a hypothetical ban would have immediate, broad, and in some cases strongly negative impacts on the ability of the DoD to analyze and protect its own networks against hostile intrusion. Q: What are antonyms for open source software? This is particularly the case where future modifications by the U.S. government may be necessary, since OSS by definition permits modification. Q: What are some military-specific open source software programs? Yes. OSS-like development approaches within the government. There are far too many examples to list; a few examples are: The key risk is the revelation of information that should not be released to the public. Wikipedia maintains an encyclopedia using approaches similar to open source software approaches. can be competed, and the cost of some improvements may be borne by other users of the software. U.S. law governing federal procurement U.S. Code Title 41, Section 103 defines commercial product as including a product, other than real property, that (A) is of a type customarily used by the general public or by nongovernmental entities for purposes other than governmental purposes; and (B) has been sold, leased, or licensed, or offered for sale, lease, or license, to the general public.
In particular, note that the costs borne by a particular organization are typically only those for whatever improvements or services are used (e.g., installation, configuration, help desk, etc.). GOTS is especially appropriate when the software must not be released to the public (e.g., it is classified) or when licenses forbid more extensive sharing (e.g., the government only has government-purpose rights to the software). Q: Are non-commercial software, freeware, or shareware the same thing as open source software? If it is already available to the public and is used unchanged, it is usually COTS. When taking this approach, contractors hired to modify the software must not retain copyright or other rights to the result (else the software would be conveyed outside the U.S. government); see GPL version 3 section 2, paragraph 2 which states this explicitly. A GPLed engine program can be controlled by classified data that it reads without issue. A service mark is "a word, phrase, symbol or design, or a combination thereof, that identifies and distinguishes the source of a service rather than goods." It depends on the goals for the project; however, here are some guidelines: Public domain where required by law. Many software developers find software patents difficult to understand, making it difficult for them to determine if a given patent even applies to a given program. OSS licenses can be grouped into three main categories: Permissive, strongly protective, and weakly protective. (Free in Free software refers to freedom, not price.) This has a reduced likelihood if the program is niche or rarely-used, has few developers, uses a rare computer language, or is not really OSS.
Open standards also make it easier for OSS developers to create their projects, because the standard itself helps developers know what to do. As an aid, the Open Source Initiative (OSI) maintains a list of Licenses that are popular and widely used or with strong communities. OSS COTS tends to be lower cost than GOTS, in part for the same reasons as proprietary COTS: its costs are shared among more users. Note, however, that this may be negotiated; if the government agrees to only receive lesser rights (such as government-purpose rights or restricted rights) then the government does not have the rights necessary to release that software as open source software. This regulation only applies to the US Army, but may be a useful reference for others. These formats may, but need not, be the same. Yes. Q: Is there a large risk that widely-used OSS unlawfully includes proprietary software (in violation of copyright)? TCG LinkPRO, TCG BOSS, and TCG GTS all earn placement on DOD's OTI evaluated/approved products list. BSD TCP/IP suite - Provided the basis of the Internet. Greatly increased costs, due to the effort of self-maintaining its own version; inability to use improvements (including security patches and innovations) by others, where it uses a non-standard version instead of the version being actively maintained; greatly increased cost, due to having to bear the; inability to use improvements (including security patches and innovations) by others, since they do not have the opportunity to aid in its development; obsolescence due to the development and release of a competing commercial (e.g., OSS) project. This can increase the number of potential users. Several static tool vendors support analysis of OSS (such as Coverity and Sonatype) as a way to improve their tools and gain market use.
It is only when the OSS is modified that additional OSS terms come into play, depending on the OSS license. In most cases, this GPL license term is not a problem. Public domain software (in this copyright-related sense) can be used by anyone for any purpose, and cannot by itself be released under a copyright license (including typical open source software licenses). The joint OnGuard system and XProtect video solution was tested and approved to protect Air Force Protection Level 1 (PL-1) non-nuclear through PL-4 sites around . The lack of money changing hands in open source licensing should not be presumed to mean that there is no economic consideration, however. how to ensure the interoperability of systems; how to build systems that are manageable. This clause establishes that the choice of venue clause (category 4) is superseded by the Contract Disputes Act (category 2), and thus the conflict is typically moot.