FRCS projects will be required to meet RMF requirements and, if required, obtain an Authorization To Operate (ATO). OSS programs can typically be simply downloaded and tried out, making it much easier for people to try it out and encouraging widespread use. Most of the Air Force runs on excel VBA because of this. If the goal is to maximize the use of a technology or standard in a variety of different applications/implementations, including proprietary ones, permissive licenses may be especially useful. If it is already available to the public and is used unchanged, it is usually COTS. The 1997 InfoWorld Best Technical Support award was won by the Linux User Community. Choose a license that is recognized as an Open Source Software license by the Open Source Initiative (OSI), a Free Software license by the Free Software Foundation (FSF), and is acceptable to widely-used Linux distributions (such as being a good license for Fedora). The MITRE study did identify some of many OSS programs that the DoD is already using, and may prove helpful. It's like it dropped off the face of the earth. The Defense Innovation Unit (DIU) is a . Q: How can I get support for OSS that already exists? In most cases, this GPL license term is not a problem. Thus, to reduce the risk of executing malicious code, potential users should consider the reputation of the supplier and the experience of other users, prefer software with a large number of users, and ensure that they get the real software and not an imitator. This eliminates future incompatibility and encourages future contributions by others.
Under the current DoD contracting regime, the contractor usually retains the copyright for software developed with government funding, so in such cases the contractor (not the government) has the right to sue for copyright violation. Estimating the Total Development Cost of a Linux Distribution estimates that the Fedora 9 Linux distribution, which contains over 5,000 software packages, represents about $10.8 billion of development effort in 2008 dollars. In some other cases, the government lacks the rights to release the software to the public, e.g., the government may only have Government Purpose Rights (GPR). (The MIT license is similar to public domain release, but with some legal protection from lawsuits.) The use of commercial products is generally encouraged, and when there are commercial products, the government expects that it will normally use whatever license is offered to the public. In contrast, typical proprietary software costs are per-seat, not per-improvement or service. The Defense Information Systems Agency maintains the DOD Information Network (DODIN) Approved Products List (APL) process, as outlined in DOD Instruction 8100.04 on behalf of the Department of Defense. For example, the LGPL permits the covered software (usually a library) to be embedded in a larger work under many different licenses (including proprietary licenses), subject to certain conditions.
This statute says that, "An officer or employee of the United States Government or of the District of Columbia government may not accept voluntary services for either government or employ personal services exceeding that authorized by law except for emergencies involving the safety of human life or the protection of property." The US Government Accountability Office (GAO) Office of the General Counsel's Principles of Federal Appropriations Law (aka the Red Book) explains federal appropriation law. SUBJECT: Software Applications Approval Process. The Apache 2.0 license is compatible with the GPL version 3 license, but not the GPL version 2 license. Yes, it's possible. The program available to the public may improve over time, through contributions not paid for by the U.S. government. It points to various studies related to market share, reliability, performance, scalability, security, and total cost of ownership. Recent rulings have strengthened the requirement for non-obviousness, which probably renders unenforceable some already-granted software patents, but at this time it is difficult to determine which ones are affected. Reasons for taking this approach vary. Thankfully, such analyses have already been performed on the common OSS licenses, which tend to be mutually compatible. For example, trademarks and certification marks can be used to differentiate one version of OSS from others, e.g., to designate certain releases as an official version. To manage the acquisition, development, and integration of Cybersecurity Tools and Methods for securing the Defense Information Infrastructure. In many cases, yes, but this depends on the specific contract and circumstances.
In practice, commercial software (OSS or not) tends to be developed globally, especially when you consider their developers and supply chains. Services that are intended and agreed to be gratuitous do not conflict with this statute. You can support OSS either through a commercial organization, or you can self-support OSS; in either case, you can use community support as an aid. Can the DoD use GPL-licensed software? These include: If you are looking for smaller pieces of code to reuse, search engines specifically for code may be helpful. In addition, DISA has initiated an assessment of the APL process, which was enacted nearly a decade ago, to ensure that current procedures align with new and evolving departmental priorities. Maximize portability, and avoid requiring proprietary languages/libraries unnecessarily. Section 6.C.3.a notes that the voluntary services provision is not new; it first appeared, in almost identical form, back in 1884. These services must be genuinely generic in the sense that the applications that use them must not depend on the detailed design of the GPL software to work. Thus, in many cases a choice of venue clause is not an insurmountable barrier to acceptance of the software delivery by the government. Q: What are antonyms for open source software? Here is an explanation of these categories, along with common licenses used in each category (see The Free-Libre / Open Source Software (FLOSS) License Slide): In general, legal analysis is required to determine if multiple programs, covered by different OSS licenses, can be legally combined into a single larger work. In particular, it found that DoD security depends on (OSS) applications and strategies, and that a hypothetical ban would have immediate, broad, and in some cases strongly negative impacts on the ability of the DoD to analyze and protect its own networks against hostile intrusion.
923, is in 31 U.S.C. Example: GPL software can be stored on the same computer disk as (most kinds of) proprietary software. The Department of Navy CIO issued a memorandum with guidance on open source software on 5 Jun 2007. Indeed, according to Walli, Standards exist to encourage & enable multiple implementations.
These included the Linux kernel, the gcc compilation suite (including the GNAT Ada compiler), the OpenOffice.org office suite, the emacs text editor, the Nmap network scanner, OpenSSH and OpenSSH for encryption, and Samba for Unix/Linux/Windows interoperability. Problems must be fixed. No, although they work well together, and both are strategies for reducing vendor lock-in. For almost as long as smartphones have existed, defense IT leaders have wondered aloud whether they'd ever be able to securely implement a bring-your-own-device (BYOD) approach to military networks. Many governments, not just the U.S., view open systems as critically necessary. Each product must be examined on its own merits. The release of the software may be restricted by the International Traffic in Arms Regulation (ITAR) or Export Administration Regulation (EAR). Q: Has the U.S. government released OSS projects or improvements? Q: How can I find open source software that meets my specific needs? All other developers can make changes to their local copies, and even post their versions to the Internet (a process made especially easy by distributed software configuration management tools), but they must submit their changes to a trusted developer to get their changes into the trusted repository. 2518(4)(B) says that, "An article is a product of a country or instrumentality only if (i) it is wholly the growth, product, or manufacture of that country or instrumentality, or (ii) in the case of an article which consists in whole or in part of materials from another country or instrumentality, it has been substantially transformed into a new and different article of commerce with a name, character, or use distinct from that of the article or articles from which it was so transformed." The CBP also pointed out a ruling (Data General v. United States, 4 CIT 182 (1982)), that programming a PROM performed a substantial transformation.
The CBP ruling points out that 19 U.S.C. Gartner Group's Mark Driver stated in November 2010 that, "Open source is ubiquitous, it's unavoidable having a policy against open source is impractical and places you at a competitive disadvantage." Export control laws are often not specifically noted in OSS licenses, but nevertheless these laws also govern when and how software may be released. Open systems and open standards counter dependency on a single supplier, though only if there is a competing marketplace of replaceable components. Factors that greatly reduce this risk include: Typically not, though the risk varies depending on their contract and specific circumstance. Specific patents can also be authorized using clause FAR 52.227-5 or via listed exceptions of FAR 52.227-3. This shows that proprietary software can include functionality that could be described as malicious, yet remain unfixed - and that at least in some cases OSS is reviewed and fixed. Since it is typically not legal to modify proprietary software at all, or it is legal only in very limited ways, it is trivial to determine when these additional terms may apply. Once software exists, all costs are due to maintenance and support of software. Note: Software that is developed collaboratively by multiple organizations within the government and its contractors for government use, and not released to the public, is sometimes called Open Government Off-the-Shelf (OGOTS) or Government OSS (GOSS). In addition, a third party who breaches a software license (including for OSS) granted by the government risks losing rights they would normally have due to the doctrine of unclean hands. Requiring the use of very unusual development tools may impede development, unless those tools provide a noticeable advantage. If you are looking for an application that has wide use, one of the various lists of open source alternatives may help. Air Force, U.S. 
Navy, and U.S. Marine Corps, and to participating agencies involved with supportability analysis summaries and provisioning/item selection functions by, or for, Department of Defense weapons systems, equipment, publications, software and hardware, training, training devices, and support equipment. Creating any interface is an effort, and having a pre-defined standard helps reduce that effort greatly. Patent examiners have relatively little time to review each patent, and do not have effective access to most prior art in software, which may lead them to grant patents for previously-published inventions or obvious inventions. As far as I have heard, unless you are a programmer then you aren't getting any actual development software. Going through our RMF/DICAP and cannot find the Air Force Approved Software List anywhere. The FAR and DFARS specifically permit different agreements to be struck, within certain boundaries, and other agencies have other supplements. It can be argued that classified software can be arbitrarily combined with GPL code, beyond the approaches described above. February 9, 2018. Distribution mixing: GPL and other software can be stored and transmitted together. As more improvements are made, more people can use the product, creating more potential users as developers - like a snowball that gains mass as it rolls downhill. Unfortunately, this typically trades off flexibility; the government does not have the right to modify the software, so it cannot fix serious security problems, add arbitrary improvements, or make the software work on platforms of its choosing.
"acquire commercial services, commercial products, or nondevelopmental items other than commercial products to meet the needs of the agency; require prime contractors and subcontractors at all levels under the agency contracts to incorporate commercial services, commercial products, or nondevelopmental items other than commercial products as components of items supplied to the agency; modify requirements in appropriate cases to ensure that the requirements can be met by commercial services or commercial products or, to the extent that commercial products suitable to meet the agency's needs are not available, nondevelopmental items other than commercial products in response to agency solicitations; state specifications in terms that enable and encourage bidders and offerors to supply commercial services or commercial products or, to the extent that commercial products suitable to meet the agency's needs are not available, nondevelopmental items other than commercial products in response to the agency solicitations; revise the agency's procurement policies, practices, and procedures not required by law to reduce any impediments in those policies, practices, and procedures to the acquisition of commercial products and commercial services; and, require training of appropriate personnel in the acquisition of commercial products and commercial services." Also, there are rare exceptions for NIST and the US Postal Service employees where a US copyright can be obtained (see CENDI's Frequently Asked Questions About Copyright). Q: In what form should I release open source software? Rachel Cohen joined Air Force Times as senior reporter in March 2021. Computer and electronic hardware that is designed in the same fashion as open source software (OSS) is sometimes termed open source hardware.
As noted in Technical Data and Computer Software: A Guide to Rights and Responsibilities Under Federal Contracts, Grants and Cooperative Agreements by the Council on Governmental Relations (COGR), "This unlimited license enables the government to act on its own behalf and to authorize others to do the same things that it can do, thus giving the government essentially the same rights as the copyright owner." In short, once the government has unlimited rights, it has essentially the same rights as a copyright holder, and can then use those rights to release that software under a variety of conditions (including an open source software license), because it has the right to use and modify the software at will, and has the right to authorize others to do so. Questions about why the government - who represents the people - is not releasing software (that the people paid for) back to the people. (See also GPL FAQ, Question "Can the US Government release a program under the GNU GPL?") DoDIN APL is managed by the APCO | disa.meade.ie.list.approved-products-certification-office@mail.mil. The release of the software may be restricted by the International Traffic in Arms Regulation or Export Administration Regulation. Use of the DODIN APL allows DOD Components to purchase and operate systems over all DOD network infrastructures. A U.S. Air Force A-10 receives maintenance at Davis-Monthan Air Force Base, Arizona, May 29, 2020. It is far better to fix vulnerabilities before deployment - are such efforts occurring? The United States Air Force operates a service called "Iron Bank", which is the DoD Enterprise repository of hardened software containers, many of which are based on open source products. Examples include: If you know of others who have similar needs, ask them for leads. Q: What are the risks of failing to consider the use of OSS components or approaches?
1498, the exclusive remedy for patent or copyright infringement by or on behalf of the Government is a suit for monetary damages against the Government in the Court of Federal Claims. (See also Free Software Foundation License List, Public Domain), (See also GPL FAQ, Question "Can the US Government release improvements to a GPL-covered program?"). Any company can easily review OSS to look for proprietary code that should not be there; there are even OSS tools that can find common code. Q: What are indicators that a specific OSS program will have fewer unintentional vulnerabilities? A GPLed engine program can be controlled by classified data that it reads without issue. Q: Does releasing software under an OSS license count as commercialization? Most OSS projects have a trusted repository, that is, some (web) location where people can get the official version of the program, as well as related information (documentation, bug report system, mailing lists, etc.). The DoD has not expressed a position on whether or not software should be patented, but it is interested in ensuring that software that effectively supports its missions can be developed in a cost-effective, timely, and legal manner. Approved supplements are maintained by AFCENT/A1RR at afcent.a1rrshaw@afcent.af.mil. The 2003 MITRE study section 1.3.4 outlines several ways to legally mix GPL with proprietary or classified software: Often such separation can occur by separating information into data and a program that uses it, or by defining distinct layers. Another useful source is the list of licenses accepted by the Google code hosting service. An example of such software is Expect, which was developed and released by NIST as public domain software. This legal analysis must determine if it is possible to meet the conditions of all relevant licenses simultaneously.
In addition, since the source code is publicly released, anyone can review it, including for the possibility of malicious code. Where possible, it may be better to divide such components into smaller components in a way that avoids this issue. This is particularly the case where future modifications by the U.S. government may be necessary, since OSS by definition permits modification. Choose a widely-used existing license; do not create a new license. However, if the GPL software must be mixed with other proprietary/classified software, the GPL terms must still be followed. If the supplier attains a monopoly or it is difficult to switch from the supplier, the costs may skyrocket. When examining a specific OSS project, look for evidence that review (both by humans and tools) does take place. Note, however, that this may be negotiated; if the government agrees to only receive lesser rights (such as government-purpose rights or restricted rights) then the government does not have the rights necessary to release that software as open source software. Where it is unclear, make it clear what the source or source code means. This also pressures proprietary implementations to limit their prices, and such lower prices for proprietary software also encourage use of the standard. References to specific products or organizations are for information only, and do not constitute an endorsement of the product/company. Each government program must determine its needs, and then evaluate its options for meeting those needs. The 2003 MITRE study, Use of Free and Open Source Software (FOSS) in the U.S. Department of Defense, identified some of many OSS programs that the DoD is already using, and concluded that "OSS plays a more critical role in the [Department of Defense (DoD)] than has generally been recognized."
Relevant government authorities make it clear that the Antideficiency Act (ADA) does not generally prohibit the use of OSS due to limitations on voluntary services. Q: Can contractors develop software for the government and then release it under an open source license? There are many alternative clauses in the FAR and DFARS, and specific contracts can (and often do) have different specific agreements on who has which rights to software developed under a government contract. This is in addition to the advantages from OSS because it can be reviewed, modified, and redistributed with few restrictions (inherent in the definition of OSS). Where it is important, examining the security posture of the supplier (e.g., their processes that reduce risk) and scanning/testing/evaluating the software may also be wise. Q: When a DoD contractor is developing a new system/software as a deliverable in a typical DoD contract, is it possible to use existing software licensed using the GNU General Public License (GPL)? This does not mean that existing OSS elements should always be chosen, but it means that they must be considered. It depends on the goals for the project; however, here are some guidelines: Public domain where required by law. Review really does happen. It also provides the latest updates and changes to policy from Air Force senior leadership and the Uniform Board.