That said, other factors may be more important for a given circumstance. Q: Are non-commercial software, freeware, or shareware the same thing as open source software? Yes, extensively. This risk is mitigated by reviewing software (in particular, for classification and export control issues) before public release. The more potential users, the more potential developers. Q: Why is it important to understand that open source software is commercial software? Such software does not normally undergo widespread public review; indeed, the source code is typically not provided to the public, and there are often license clauses that attempt to inhibit review further (e.g., forbidding reverse engineering and/or forbidding the public disclosure of analysis results). By definition, OSS permits arbitrary use of the software, and allows users to redistribute the software to others. This can be a cause of confusion, because without any markings, a recipient is often unaware that the government has unlimited rights to it, and if the government does not know it has certain rights, it becomes difficult for the government to exercise its rights. Many development tools covered by the GPL include libraries and runtimes that are not covered by the GPL itself but by the GPL with a runtime exception (e.g., the CLASSPATH exception) that specifically permits development of proprietary software. Computer and electronic hardware that is designed in the same fashion as open source software (OSS) is sometimes termed open source hardware. These included the Linux kernel, the gcc compilation suite (including the GNAT Ada compiler), the OpenOffice.org office suite, the emacs text editor, the Nmap network scanner, OpenSSL and OpenSSH for encryption, and Samba for Unix/Linux/Windows interoperability.
1342 the Attorney General drew a distinction that the Comptroller of the Treasury thereafter adopted, and that GAO and the Justice Department continue to follow to this day: the distinction between voluntary services and gratuitous services. Some key text from this opinion, as identified by the Red Book, is: "[I]t seems plain that the words 'voluntary service' were not intended to be synonymous with 'gratuitous service' ... it is evident that the evil at which Congress was aiming was not appointment or employment for authorized services without compensation, but the acceptance of unauthorized services not intended or agreed to be gratuitous and therefore likely to afford a basis for a future claim upon Congress." OSS options should be evaluated, in principle, the same way you would evaluate any option, considering need, cost, and so on. Q: Is there any quantitative evidence that open source software can be as good as (or better than) proprietary software? Other open source software implementations of Unix interfaces include OpenBSD, NetBSD, FreeBSD, and Darwin. Before starting, have a clear understanding of the reasons to migrate; ensure that there is active support for the change from IT staff and users; make sure that there is a champion for change (the higher up in the organisation, the better); build up expertise and relationships with the OSS movement; ensure that each step in the migration is manageable. The GPL and LGPL licenses specifically recommend that "You should also get your employer (if you work as a programmer) or school, if any, to sign a 'copyright disclaimer' for the program, if necessary," and point to additional information. The government normally gets unlimited rights in software when that software is created in the performance of a contract with government funds. They can obtain this by receiving certain authorization clauses in their contracts.
Many software developers find software patents difficult to understand, making it difficult for them to determine if a given patent even applies to a given program. Indeed, because a calculation of damages is inherently speculative, these types of license restrictions might well be rendered meaningless absent the ability to enforce through injunctive relief. In short, it determined that the OSS license at issue in the case (the Artistic License) was indeed an enforceable license. On approval, such containers are granted a "Certificate to Field" designation by the Air Force Chief Software Officer. The United States Air Force operates a service called Iron Bank, which is the DoD Enterprise repository of hardened software containers, many of which are based on open source products. Establish vetting process(es) before the government will use updated versions (testing, etc.). Creating any interface is an effort, and having a pre-defined standard helps reduce that effort greatly. The FAR and DFARS specifically permit different agreements to be struck, within certain boundaries, and other agencies have other supplements. In short, the ADA's limitation on voluntary services does not broadly forbid the government from working with organizations and people who identify themselves as volunteers, including those who develop OSS. Certain FAR clause alternatives (such as FAR 52.227-17) require the contractor to assign the copyright to the government. It costs essentially nothing to download a file. Q: Can government employees contribute code to open source software projects? Thus, they are all strategies for sharing the development and maintenance costs of software, potentially reducing its cost.
There are many alternative clauses in the FAR and DFARS, and specific contracts can (and often do) have different specific agreements on who has which rights to software developed under a government contract. The program available to the public may improve over time, through contributions not paid for by the U.S. government. Q: What additional material is available on OSS in the government or DoD? This control enhancement is based on the need for some way to update software to fix problems after they are discovered. The release of the software may be restricted by the International Traffic in Arms Regulation or Export Administration Regulation. A very small percentage of such users determine that they can make a change valuable to them, and contribute it back (to avoid maintenance costs). Q: Is open source software the same as open systems/open standards? An Open System is a system that employs modular design, uses widely supported and consensus-based standards for its key interfaces, and has been subjected to successful V&V tests to ensure the openness of its key interfaces (per the DoD Open Systems Joint Task Force). Most projects prefer to receive a set of smaller changes, so that they can review each change for correctness. As explained in detail below, nearly all OSS is commercial computer software as defined in US law and the Defense Federal Acquisition Regulation Supplement, and if it is used unchanged (or with only minor changes), it is almost always COTS.
a license) from the copyright holder(s) before they can obtain a copy of software to run on their system(s). Thus, avoid releasing software under only the original (4-clause) BSD license (which has been replaced by the "new" or "revised" 3-clause license), the Academic Free License (AFL), the now-abandoned Common Public License 1.0 (CPL), the Open Software License (OSL), or the Mozilla Public License version 1.1 (MPL 1.1). The NASA FAR Supplement (NFS) 1852.227-14 gives NASA the right, under typical conditions, to demand that a contractor assert copyright and then assign the copyright to the government, which would again give the government the right to release the software as open source software. Even if source code is necessary (e.g., for source code analyzers), adequate source code can often be regenerated by disassemblers and decompilers sufficiently to search for vulnerabilities. This should not be surprising; the DoD uses OSS extensively, and the GPL is the most popular OSS license. Indeed, according to Walli, "Standards exist to encourage & enable multiple implementations." Note that Creative Commons does not recommend that you use one of their licenses for software; they encourage using one of the existing OSS licenses, which were designed specifically for use with software. The term "trademark" is often used to refer to both trademarks and service marks. Q: Is there a risk of malicious code becoming embedded into OSS? OSS implementations can help rapidly increase adoption/use of the open standard. Be sure to consider such costs over a period of time (typically the lifetime of the system including its upgrades), and use the same period when evaluating alternatives; otherwise, one-time costs (such as costs to transition from an existing proprietary system) can lead to erroneous conclusions.
Software developed by US federal government employees (including military personnel) as part of their official duties is not subject to copyright protection in the US (see 17 USC 105). No. For at least 7 years, Borland's Interbase (a proprietary database program) had embedded in it a back door; the username "politically", password "correct", would immediately give the requestor complete control over the database, a fact unknown to its users. Note that most commercial software is not intended to be used where the impact of any error of any kind is extremely high (e.g., a large number of lives are likely to be immediately lost if even the slightest software error occurs). These prevent the software component (often a software library) from becoming proprietary, yet permit it to be part of a larger proprietary program. If it is a new project, be sure to remove barriers to entry for others to contribute to the project: OSS should be released using conventional formats that make it easy to install (for end-users) and easy to update (for potential co-developers). Q: When a DoD contractor is developing a new system/software as a deliverable in a typical DoD contract, is it possible to use existing software licensed using the GNU General Public License (GPL)? A company that found any of its proprietary software in an OSS project can in most cases quickly determine who unlawfully submitted that code and sue that person for infringement. Q: What are indicators that a specific OSS program will have fewer unintentional vulnerabilities?
Conversely, if it is widely used, has many developers, and so on, the likelihood of review increases. Indeed, vulnerability databases such as CVE make it clear that merely hiding source code does not counter attacks. Hiding source code does inhibit the ability of third parties to respond to vulnerabilities (because changing software is more difficult without the source code), but this is obviously not a security advantage. ("Free" in "Free software" refers to freedom, not price.) Q: Is this related to open source intelligence? A trademark is "a word, phrase, symbol or design, or a combination thereof, that identifies and distinguishes the source of the goods of one party from those of others." Some more military-specific OSS programs created by or used in the military include: One approach is to use a general-purpose search engine (such as Google) and type in your key functional requirements. Only some developers are allowed to modify the trusted repository directly: the trusted developers. The Department of Defense Information Network (DoDIN) Approved Products List (APL) is the single consolidated list of products that affect communication and collaboration across the DoDIN. Also, since there are a limited number of users, there is limited opportunity to gain from user innovation, which again can lead to obsolescence. For example, a Code Analysis of the Linux Wireless Team's ath5k Driver found no license problems. These formats may, but need not, be the same.
Failing to understand that open source software is commercial software would result in failing to follow the laws, regulations, policies, and so on regarding commercial software. In that case, the U.S. government might choose to continue to use the version to which it has unlimited rights, or it might use the publicly-available commercial version available to the government through that version's commercial license (the GPL in this case). The products listed below are evaluated against a NIAP-approved Protection Profile, which encompasses the security requirements and test activities suitable across the technology with no EAL assigned; hence the conformance claim is "PP". Where possible, it may be better to divide such components into smaller components in a way that avoids this issue. It is only when the OSS is modified that additional OSS terms come into play, depending on the OSS license. Software licensed under the GPL can be mixed with software released under other licenses, and mixed with classified or export-controlled software, but only under conditions that do not violate any license. The DoD does not have a single required process for evaluating OSS. Note that when government employees develop software as part of their official duties, it can be protected by copyright in other countries, but such rights can only be enforced outside the US. Unfortunately, this typically trades off flexibility; the government does not have the right to modify the software, so it cannot fix serious security problems, add arbitrary improvements, or make the software work on platforms of its choosing. As the program becomes more capable, more users are attracted to using it. Note that this sometimes depends on how the program is used or modified.
10 USC 2377 requires that the head of an agency shall ensure that procurement officials in that agency, to the maximum extent practicable: Similarly, it requires preliminary market research to determine "whether there are commercial services or commercial products or, to the extent that commercial products suitable to meet the agency's needs are not available, nondevelopmental items other than commercial items available that (A) meet the agency's requirements; (B) could be modified to meet the agency's requirements; or (C) could meet the agency's requirements if those requirements were modified to a reasonable extent." This market research should occur "before developing new specifications for a procurement by that agency; and before soliciting bids or proposals for a contract in excess of the simplified acquisition threshold." Government Off-the-Shelf (GOTS), proprietary commercial off-the-shelf (COTS), and OSS COTS are all methods to enable reuse of software across multiple projects. Choose a license that best meets your goals. As noted above, OSS projects have a trusted repository that only certain developers (the trusted developers) can directly modify. This statute says that "An officer or employee of the United States Government or of the District of Columbia government may not accept voluntary services for either government or employ personal services exceeding that authorized by law except for emergencies involving the safety of human life or the protection of property." The US Government Accountability Office (GAO) Office of the General Counsel's Principles of Federal Appropriations Law (aka the "Red Book") explains federal appropriation law. (Such terms might include open source software, but could also include other software.) Thankfully, there are ways to reduce the risk of executing malicious code when using commercial software (both proprietary and OSS).
Whether or not this was intentional, it certainly had the same form as a malicious back door. Execution: GPL and other software can run at the same time on the same computer or network. If the OSS is intended for use on Linux/Unix systems, follow standard source installation release practices so that it is easier for users to install. Q: Can contractors develop software for the government and then release it under an open source license? Note that merely being released by a US firm is no guarantee that there is no malicious embedded code. Note that enforcing such separation has many other advantages as well. Intellipedia is implemented using MediaWiki, the open source software developed to implement Wikipedia. This can increase the number of potential users. It can be argued that classified software can be arbitrarily combined with GPL code, beyond the approaches described above. Make sure it's really OSS. The U.S. has granted a large number of software patents, making it difficult and costly to examine all of them. Such mixing can sometimes only occur when certain kinds of separation are maintained, and thus this can become a design issue. If the supplier attains a monopoly or it is difficult to switch from the supplier, the costs may skyrocket. If it must work with other components, or is anticipated to work with other components, ensure that the license will permit those anticipated uses. When taking this approach, contractors hired to modify the software must not retain copyright or other rights to the result (else the software would be conveyed outside the U.S. government); see GPL version 3 section 2, paragraph 2, which states this explicitly.
Before award, a contractor may identify the components that will have more restrictive rights (e.g., so the government can prefer proposals that give the government more rights), and under limited conditions the list can be modified later (e.g., for error correction). Specific patents can also be authorized using clause FAR 52.227-5 or via listed exceptions of FAR 52.227-3. Thus, even this FAQ was developed using open source software. The public release of the item is not restricted by other law or regulation, such as the Export Administration Regulations or the International Traffic in Arms Regulation, and the item qualifies for Distribution Statement A, per DoD Directive 5230.24 (reference (i)). If the standard DFARS contract clauses are used (see DFARS 252.227-7014), then unless other arrangements are made, the government has unlimited rights to a software component when (1) it pays entirely for the development of it (see DFARS 252.227-7014(b)(1)(i)), or (2) it is five years after contract signature if it partly paid for its development (see DFARS 252.227-7014(b)(2)).