However, such malicious code cannot be directly inserted by just anyone into a well-established OSS project. However, support from in-house staff, augmented by the OSS community, may be (and often is) sufficient. In addition, ignoring OSS would not be lawful; U.S. law specifically requires consideration of commercial software (including extant OSS, regardless of exactly which license it uses), and specifically instructs departments to pass this requirement to consider commercial items down to contractors and their suppliers at all tiers. The WHO was established on 7 April 1948. Determine if there will be a government-paid lead. Q: When a DoD contractor is developing a new system/software as a deliverable in a typical DoD contract, is it possible to use existing software licensed using the GNU General Public License (GPL)? Since users will want to use the improvements made by others, they have a strong financial incentive to submit their improvements to the trusted repository. Q: Does the DoD use OSS for security functions? Many programs and DAAs do choose to use commercial support, and in many cases that is the best approach. OSS implementations can help create and keep open standards open. Air Force rarely ranks high on recruiting lists, but this year it brought in the most three-star . To manage the acquisition, development, and integration of Cybersecurity Tools and Methods for securing the Defense Information Infrastructure. It also provides the latest updates and changes to policy from Air Force senior leadership and the Uniform Board. Bruce Perens noted back in 1999, "Do not write a new license if it is possible to use (a common existing license). The propagation of many different and incompatible licenses works to the detriment of Open Source software because fragments of one program cannot be used in another program with an incompatible license."
Many view OSS license proliferation as a problem; Serdar Yegulalp's 2008 "Open Source Licensing Implosion" (InformationWeek) noted that not only are there too many OSS licenses, but that "the consequences for blithely creating new ones are finally becoming concrete ... the vast majority of open source products out there use a small handful of licenses ... Now that open source is becoming (gasp) a mainstream phenomenon, using one of the less-common licenses or coming up with one of your own works against you more often than not." In addition, since the source code is publicly released, anyone can review it, including for the possibility of malicious code. The government can typically release software as open source software once it has unlimited rights to the software. By definition, OSS software permits arbitrary use of the software, and allows users to re-distribute the software to others. Contractors for other federal agencies may have a different process to use, but after going through a process they can often release such software as open source software. For example, trademarks and certification marks can be used to differentiate one version of OSS from others, e.g., to designate certain releases as an official version. Many development tools covered by the GPL include libraries and runtimes that are not covered by the GPL itself but by the GPL with a runtime exception (e.g., the CLASSPATH exception) that specifically permits development of proprietary software. Before award, a contractor may identify the components that will have more restrictive rights (e.g., so the government can prefer proposals that give the government more rights), and under limited conditions the list can be modified later (e.g., for error correction). 1498, the exclusive remedy for patent or copyright infringement by or on behalf of the Government is a suit for monetary damages against the Government in the Court of Federal Claims.
Under the DFARS or the FAR, the government can release software as open source software once it receives unlimited rights to that software. In particular, note that the costs borne by a particular organization are typically only those for whatever improvements or services are used (e.g., installation, configuration, help desk, etc.). Also, since there are a limited number of users, there is limited opportunity to gain from user innovation, which again can lead to obsolescence. Below are current coronavirus disease 2019 statistics for Department of Air Force personnel: *These numbers include all of the cases that were reported since our last update on Jan. 18. - AF Form 1206, Nomination for Award (2 Aug 17) remains the standard AF award nomination form. There are two versions of the GPL in widespread use: version 2 and version 3. Clarifying Guidance Regarding Open Source Software (OSS), a list of licenses which have successfully gone through the approval process and comply with the Open Source Definition, publishes a list of licenses that meet the Free Software Definition, good licenses that Fedora has determined are open source software licenses, Federal Source Code Policy, OMB Memo 16-21, National Defense Authorization Act for FY2018, http://www.doncio.navy.mil/contentview.aspx?id=312, http://www.dtic.mil/dtic/tr/fulltext/u2/a450769.pdf, http://www.whitehouse.gov/omb/memoranda/fy04/m04-16.html, http://www.army.mil/usapa/epubs/pdf/r25_2.pdf, Defense Federal Acquisition Regulation Supplement (DFARS), 40 CFR, Section 252.227-7014 Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation, European Interoperability Framework (EIF), Bruce Perens' Open Standards: Principles and Practice, U.S. Court of Appeals for the Federal Circuit's 2008 ruling on Jacobsen v. Katzer, The Free-Libre / Open Source Software (FLOSS) License Slide, GPL linking exception term (such as the Classpath exception), Maintaining Permissive-Licensed Files in a GPL-Licensed Project: Guidelines for Developers (Software Freedom Law Center), Creative Commons does not recommend that you use one of their licenses for software, GPL FAQ, Can I use the GPL for something other than software?, GPL FAQ, Who has the power to enforce the GPL?, 2003 MITRE study, Use of Free and Open Source Software (FOSS) in the U.S. Department of Defense, Secure Programming for Linux and Unix HOWTO, in 2003 the Linux kernel development process resisted an attack, Software comes from the place where it's converted into object code, says CBP, FierceGovernmentIT, Gartner Group's Mark Driver stated in November 2010, Estimating the Total Development Cost of a Linux Distribution, Open Source Software for Imagery & Mapping (OSSIM), Open Source Alternatives (Ben Balter et al.). Thus, components that have the potential to (eventually) support many users are more likely to succeed. If the contractor was required to transfer copyright to the government for works produced under contract (e.g., because the FAR 52.227-17 or DFARS 252.227-7020 clauses apply to it), then the government can release the software as open source software, because the government owns the copyright. In addition, DISA has initiated an assessment of the APL process, which was enacted nearly a decade ago, to ensure that current procedures align with new and evolving departmental priorities. Depending on the contract and its interpretation, contractors may be required to get governmental permission to include commercial components in their deliverables; where this applies, this would be true for OSS components as well as proprietary components. This regulation only applies to the US Army, but may be a useful reference for others.
Where it is unclear, make it clear what the source or source code means. U.S. law governing federal procurement (U.S. Code Title 41, Chapter 7, Section 103) defines "commercial product" as a product, other than real property, that: (A) is of a type customarily used by the general public or by nongovernmental entities for purposes other than governmental purposes; and (B) has been sold, leased, or licensed, or offered for sale, lease, or license, to the general public. Any software not listed on the Approved Software List is prohibited. Recent rulings have strengthened the requirement for non-obviousness, which probably renders unenforceable some already-granted software patents, but at this time it is difficult to determine which ones are affected. Open source software is also called Free software, libre software, Free/open source software (FOSS or F/OSS), and Free/Libre/Open Source Software (FLOSS). The ruling was a denial of a motion for summary judgement, and the parties ultimately settled the claim out-of-court. No, although they work well together, and both are strategies for reducing vendor lock-in. Note that merely being released by a US firm is no guarantee that there is no malicious embedded code. And of course, individual OSS projects often have security review processes or methods (such as Mozilla's bounty system). If the supplier attains a monopoly or it is difficult to switch from the supplier, the costs may skyrocket. A component of Air University and Air Education and Training Command, AFIT is committed to providing defense-focused graduate and professional continuing education and research to sustain the technological . When examining a specific OSS project, look for evidence that review (both by humans and tools) does take place. Q: Is the GPL compatible with Government Unlimited Rights contracts, or does the requirement to display the license, etc., violate Government Unlimited Rights contracts?
Note: Software that is developed collaboratively by multiple organizations within the government and its contractors for government use, and not released to the public, is sometimes called Open Government Off-the-Shelf (OGOTS) or Government OSS (GOSS). The summary of changes section reads as follows as of Dec. 3, 2021: This interim change revises DAFI 36-2903 by adding Chief of Staff of the Air Force-approved Air Force Virtual Uniform Board items, standardizing guidance for the maintenance duty uniform, republishing guidance from Department of the Air Force guidance memorandum for female hair . Q: Can government employees contribute code to open source software projects? Q: How can I get support for OSS that already exists? This enables cost-sharing between users, as with proprietary development models. Other laws must still be obeyed. For more discussion on this topic, see the article "Open Source Software Is Commercial". Dynamic attacks (e.g., generating input patterns to probe for vulnerabilities and then sending that data to the program to execute) don't need source or binary. Choose a license that best meets your goals. So, while open systems/open standards are different from open source software, they are complementary and can work well together. Approved by AF/SG3/5P on 13 May 2019, 7700 Arlington Blvd., Falls Church, VA 22042-5158. Unfortunately, this typically trades off flexibility; the government does not have the right to modify the software, so it cannot fix serious security problems, add arbitrary improvements, or make the software work on platforms of its choosing. A permissive license permits arbitrary use of the program, including making proprietary versions of it.
Lock-in tends to raise costs substantially, reduces long-term value (including functionality, innovation, and reliability), and can become a serious security problem (since the supplier has little incentive to provide a secure product and to quickly fix problems found later). Similarly, delaying a component's OSS release too long may doom it, if another OSS component is released first. Since OSS provides source code, there is no problem. That said, this does not mean that all OSS is superior to all proprietary software in all cases by all measures. The usual federal non-DoD clause (FAR 52.227-14) also permits this by default as long as the government has not granted the contractor the right to assert copyright. Wikipedia's Comparison of OSS hosting facilities page may be helpful in identifying existing hosting facilities, as well as some of their pros and cons. Approved software is listed on the DCMA Approved Software List. OTD depends on open standards and interfaces, open source software and designs, collaborative and distributed online tools, and technological agility. If you are looking for an application that has wide use, one of the various lists of open source alternatives may help. Also, there are rare exceptions for NIST and the US Postal Service employees where a US copyright can be obtained (see CENDI's Frequently Asked Questions About Copyright). Very Important Notes: The Public version of DoD Cyber Exchange has limited content. You will need a Common Access Card (CAC) with DoD Certificates to access DoD Cyber Exchange NIPR. Even for many modifications (e.g., bug fixes) this causes no issues because in many cases the DoD has no interest in keeping those changes confidential. Software/hardware for which the implementation, proofs of its properties, and all required tools are released under an OSS license are termed "open proofs" (see the open proofs website for more information).
Open standards make it easier for users to (later) adopt an open source software program, because users of open standards aren't locked into a particular implementation. It may be illegal to modify proprietary software, but that will normally not slow an attacker. If a government employee enhances or modifies a (copyrighted) open source software program, the resulting work is a joint work (see 17 USC 101) which is partially copyrighted and partially public domain. Note also that merely being developed for the government is no guarantee that there is no malicious embedded code. Establish project website. Software licenses (including OSS licenses) may also involve the laws for patent, trademark, and trade secrets, in addition to copyright. The term "Free software" predates the term "open source software", but the term "Free software" has sometimes been misinterpreted as meaning no cost, which is not the intended meaning in this context. ... when it implements novel functionality which is not already available to the public, and which significantly improves DoD mission outcomes or business processes. Choose a license that is recognized as an Open Source Software license by the Open Source Initiative (OSI), a Free Software license by the Free Software Foundation (FSF), and is acceptable to widely-used Linux distributions (such as being a "good" license for Fedora). As the program becomes more capable, more users are attracted to using it. In some cases, it may be wise to release software under multiple licenses (e.g., LGPL version 2.1 and version 3, GPL version 2 and 3), so that users can then pick which license they will use. All other developers can make changes to their local copies, and even post their versions to the Internet (a process made especially easy by distributed software configuration management tools), but they must submit their changes to a trusted developer to get their changes into the trusted repository.
The first specific step towards the establishment of the United Nations was the Inter-Allied conference that led to the Declaration of St James's Palace on 12 June 1941. This might occur, for example, if the government originally only had Government Purpose Rights (GPR), but later the government received unlimited rights and released the software as OSS. Some OSS is very secure, while others are not; some proprietary software is very secure, while others are not. In some cases, export-controlled software may be licensed for export under the condition that the source code not be released; this would prevent release of software that had mixed GPL and export-controlled software. If you know of an existing proprietary product that meets your needs, searching for its name plus "open source" may help. If your contract has FAR clause 52.212-4 (which it is normally required to do), then choice of venue clauses in software licenses are undesirable, but the order of precedence clause (in the contract) means that the choice of venue clause (in the license) is superseded by the Contract Disputes Act. If you claim rights to use a mark, you may simply use the TM (trademark) or SM (service mark) designation to alert the public to your claim of ownership of the mark. - White space on the right margin of a populated AF Form 1206 is both accepted and expected; white space will not be an indicator of quality. Note that when government employees develop software as part of their official duties, it can be protected by copyright in other countries, but note that these rights can only be enforced outside the US. Air Force Policy Directive 38-1, Manpower and Organization, 2 July 2019; Air Force Instruction 33-360, Publications and Forms Management, 1 December 2015; Air Force Manual 33-363, Management of Records, 21 July 2016; Adopted Forms: AF Form 847, Recommendation for Change of Publications. Q: What policies address the use of open source software (OSS) in the Department of Defense?
Unlike proprietary COTS, GOTS has the advantage that the government has the right to change the software whenever the government chooses to do so. Thankfully, there are ways to reduce the risk of executing malicious code when using commercial software (both proprietary and OSS). Service Mixing: GPL can provide generic services to other software. The Defense Information Systems Agency maintains the DOD Information Network (DODIN) Approved Products List (APL) process, as outlined in DOD Instruction 8100.04, on behalf of the Department of Defense. Static attacks (e.g., analyzing the code instead of its execution) can use pattern-matches against binaries; source code is not needed for them either. Control enhancement CM-7(8) states that an organization must prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code. See the licenses listed in the FAQ question "What are the major types of open source software licenses?". Execution Mixing: GPL and other software can run at the same time on the same computer or network. We maintain more than 8,000 acres of land, a physical plant of over 16 million square feet and provide operational support for more than 100 associate units located at Wright-Patterson.