The United States Air Force operates a service called Iron Bank, which is the DoD Enterprise repository of hardened software containers, many of which are based on open source products. So if the program is being used and not modified (a very common case), this additional term has no impact. Choose a GPL-compatible license. Include upgrade/maintenance costs, including indirect costs (such as hardware replacement if necessary to run updated software), in the TCO. Before starting, have a clear understanding of the reasons to migrate; ensure that there is active support for the change from IT staff and users; make sure that there is a champion for change (the higher up in the organisation, the better); build up expertise and relationships with the OSS movement; ensure that each step in the migration is manageable. Software/hardware for which the implementation, proofs of its properties, and all required tools are released under an OSS license are termed open proofs (see the open proofs website for more information). Open systems and open standards counter dependency on a single supplier, though only if there is a competing marketplace of replaceable components. "The public release of the item is not restricted by other law or regulation, such as the Export Administration Regulations or the International Traffic in Arms Regulation, and the item qualifies for Distribution Statement A, per DoD Directive 5230.24 (reference (i))." The GPL and government unlimited rights terms have similar goals, but differ in details. This isn't usually an issue because of how typical DoD contract clauses work under the DFARS.
These included the Linux kernel, the gcc compilation suite (including the GNAT Ada compiler), the OpenOffice.org office suite, the emacs text editor, the Nmap network scanner, OpenSSL and OpenSSH for encryption, and Samba for Unix/Linux/Windows interoperability. Note that this also applies to proprietary software, which often has even stricter limits on if/how the software may be changed. There is no DoD policy forbidding or limiting the use of software licensed under the GNU General Public License (GPL). The terms that apply to usage and redistribution tend to be trivially easy to meet (e.g., you must not remove the license or author credits when redistributing the software). The FAR and DFARS specifically permit different agreements to be struck, within certain boundaries, and other agencies have other supplements. On approval, such containers are granted a "Certificate to Field" designation by the Air Force Chief Software Officer. DoD Directive 5000.1 states that open systems shall be employed, where feasible, and the European Commission identifies open standards as a major policy thrust. The purpose of the Department of Defense Information Network Approved Products List (DODIN APL) is to maintain a single consolidated list of products that have completed Interoperability (IO) and Cybersecurity certification. Community OSS support is never enough by itself to provide this support, because the OSS community cannot patch your servers or workstations for you. Use of the DODIN APL allows DOD Components to purchase and operate systems over all DOD network infrastructures. The program available to the public may improve over time, through contributions not paid for by the U.S. government. According to the U.S. Patent and Trademark Office (PTO): For more about trademarks, see the U.S. Patent and Trademark Office (PTO) page Trademark basics. Under U.S. copyright law, users must have permission (i.e. The FAR and DFARS specifically permit different agreements to be struck (within certain boundaries). Yes, in general. DFARS 252.227-7014 specifically defines commercial computer software in a way that includes nearly all OSS, and defines noncommercial computer software as software that does not qualify as commercial computer software. For DoD contractors, if the standard DFARS contract clauses are used (in particular DFARS 252.227-7014), then the contractor who developed the software retains the copyright to the software and has the right to release it to others, even if the software was developed exclusively with government funds. Q: What license should the government or contractor choose/select when releasing open source software? All executables that are not on a base approval list will soon be blocked. Such mixing can sometimes only occur when certain kinds of separation are maintained, and thus this can become a design issue. In some cases a DoD contractor may be required to transfer copyright to the government for works produced under contract (see DFARS 252.227-7020). In addition, since the source code is publicly released, anyone can review it, including for the possibility of malicious code. Use a common OSS license well-known to be OSS (GPL, LGPL, MIT/X, BSD-new, Apache 2.0); don't write your own license. However, this approach should not be taken lightly.
The DoD has not expressed a position on whether or not software should be patented, but it is interested in ensuring that software that effectively supports its missions can be developed in a cost-effective, timely, and legal manner. Note that merely being released by a US firm is no guarantee that there is no malicious embedded code. Any software not listed on the Approved Software List is prohibited. (See also Free Software Foundation License List, Public Domain.) (See also GPL FAQ, Question "Can the US Government release improvements to a GPL-covered program?") However, if you're going to rely on the OSS community, you must make sure that the OSS community for that product is active, and that you have suitably qualified staff to implement the upgrades/enhancements developed by the community. The products listed below are evaluated against a NIAP-approved Protection Profile, which encompasses the security requirements and test activities suitable across the technology with no EAL assigned; hence the conformance claim is "PP". Vendor lock-in, aka lock-in, is the situation in which customers are dependent on a single supplier for some product (i.e., a good or service), or products, and cannot move to another vendor without substantial costs and/or inconvenience. Examples of the former include Red Hat, Canonical, HP Enterprise, Oracle, IBM, SourceLabs, OpenLogic, and Carahsoft. While budget constraints and reduced staffing have forced the APL process to operate in a limited manner,
In some cases, the sources of information for OSS differ. In particular, it found that DoD security "depends on (OSS) applications and strategies", and that a hypothetical ban "would have immediate, broad, and in some cases strongly negative impacts on the ability of the DoD to analyze and protect its own networks against hostile intrusion". For example, software that is released to the public as OSS is not considered commercial if it is a type of software that is only used for governmental purposes. Q: Where can I release new open source software projects to the public? Whether or not this will occur depends on factors such as the number of potential users (more potential users makes this more likely), the existence of competing OSS programs (which may out-compete the newly released component), and how difficult it is to install/use. In the commercial world, the copyright holders are typically the individuals and organizations that originally developed the software. Similarly, SourceForge/Apache (in 2001) and Debian (in 2003) countered external attacks. These cases were eventually settled by the parties, but not before certain claims regarding the GPLv2 were decided. The Creative Commons is a non-profit organization that provides free tools, including a set of licenses, to let authors, scientists, artists, and educators easily mark their creative work with the freedoms they want it to carry. Since users will want to use the improvements made by others, they have a strong financial incentive to submit their improvements to the trusted repository. This also pressures proprietary implementations to limit their prices, and such lower prices for proprietary software also encourage use of the standard.
Q: What are the major types of open source software licenses? Choose a license that has passed legal reviews and is clearly accepted as an OSS license. Q: Is it more difficult to comply with OSS licenses than proprietary licenses? GOTS is especially appropriate when the software must not be released to the public (e.g., it is classified) or when licenses forbid more extensive sharing (e.g., the government only has government-purpose rights to the software). Q: Is OSS commercial software? Depending on the contract and its interpretation, contractors may be required to get governmental permission to include commercial components in their deliverables; where this applies, this would be true for OSS components as well as proprietary components. In addition, important open source software is typically supported by one or more commercial firms. The government normally gets unlimited rights in software when that software is created in the performance of a contract with government funds. Even if source code is necessary (e.g., for source code analyzers), adequate source code can often be regenerated by disassemblers and decompilers sufficiently to search for vulnerabilities. Q: Is there a large risk to DoD contractors that widely-used OSS violates enforceable software patents? References to specific products or organizations are for information only, and do not constitute an endorsement of the product/company. The NASA FAR Supplement (NFS) 1852.227-14 gives NASA the right, under typical conditions, to demand that a contractor assert copyright and then assign the copyright to the government, which would again give the government the right to release the software as open source software. Q: Is there a standard marking for software where the government has unlimited rights? Where it is unclear, make it clear what the source or source code means. 
DFARS 252.227-7014(a)(15) defines "unlimited rights" as "rights to use, modify, reproduce, release, perform, display, or disclose computer software or computer software documentation in whole or in part, in any manner and for any purpose whatsoever, and to have or authorize others to do so." There are valid business reasons, unrelated to security, that may lead a commercial company selling proprietary software to choose to hide source code (e.g., to reduce the risk of copyright infringement or the revelation of trade secrets). You may only claim that a trademark is registered if it is actually registered. The following externally-developed evaluation processes or tips may be of use: Migrating from an existing system to an OSS approach requires addressing the same issues that any migration involves. Thus, components that have the potential to (eventually) support many users are more likely to succeed. Q: Can government employees develop software as part of their official duties and release it under an open source license? Q: Is there a risk of malicious code becoming embedded into OSS? Since it is typically not legal to modify proprietary software at all, or it is legal only in very limited ways, it is trivial to determine when these additional terms may apply. Other open source software implementations of Unix interfaces include OpenBSD, NetBSD, FreeBSD, and Darwin. It costs essentially nothing to download a file. Yes, it's possible. By definition, open source software provides more rights to users than proprietary software (at least in terms of use, modification, and distribution). If it is possible to meet the conditions of all relevant licenses simultaneously, then those licenses are compatible.
German courts have enforced the GPL. Before award, a contractor may identify the components that will have more restrictive rights (e.g., so the government can prefer proposals that give the government more rights), and under limited conditions the list can be modified later (e.g., for error correction). Estimating the Total Development Cost of a Linux Distribution estimates that the Fedora 9 Linux distribution, which contains over 5,000 software packages, represents about $10.8 billion of development effort in 2008 dollars. The DSOP is a joint effort of the DOD's Chief Information Officer, Office of the Undersecretary of Defense for Acquisition and Sustainment. Be sure to consider such costs over a period of time (typically the lifetime of the system including its upgrades), and use the same period when evaluating alternatives; otherwise, one-time costs (such as costs to transition from an existing proprietary system) can lead to erroneous conclusions. Typically, the rights granted by the license can only be obtained when the requestor agrees to certain conditions. Q: Can the government or contractor use trademarks, service marks, and/or certification marks with OSS projects? Authors of a creative work, or their employer, normally receive the copyright once the work is in a fixed form (e.g., written/typed). Once software exists, all costs are due to maintenance and support of software. In addition, widely-used licenses and OSS projects often include additional mechanisms to counter this risk. Depending on your goals, a trademark, service mark, or certification mark may be exactly what you need. There is no injunctive relief available, and there is no direct cause of action against a contractor that is infringing a patent or copyright with the authorization or consent of the Government (e.g., while performing a contract). It is far better to fix vulnerabilities before deployment; are such efforts occurring?
OSS projects typically seek financial gain in the form of improvements. Establish project website. In effect, the malicious developer could lose many or all rights over their license-violating result, even rights they would normally have had! Many OSS licenses do not have a choice of venue clause, and thus cannot have an issue, although some do. Q: What are some military-specific open source software programs? A protective license protects the software from becoming proprietary, and instead enforces a "share and share alike" approach between parties. In such licenses, if you give someone a binary of the program, you are obligated to give them the source code (perhaps upon request) under the same terms. It states that in 1913, the Attorney General developed an opinion (30 Op. This is not a contradiction; it's quite common for different organizations to have different rights to the same software. This regulation only applies to the US Army, but may be a useful reference for others. For more information, see the. Even if an OTD project is not OSS itself, an OTD project will typically use, improve, or create OSS components. Some people like the term GOSS, because it indicates an intent to do OSS-like collaborative development, but within the government instead. This includes the, Strongly Protective (aka strong copyleft): These licenses prevent the software from becoming proprietary, and instead enforce a "share and share alike" approach. A very small percentage of such users determine that they can make a change valuable to them, and contribute it back (to avoid maintenance costs). Export control laws are often not specifically noted in OSS licenses, but nevertheless these laws also govern when and how software may be released.
If that competitor's use of OSS results in an advantage to the DoD (such as lower cost, faster schedule, increased performance, or other factors such as increased flexibility), contractors should expect that the DoD will choose the better bid. Approved software is listed on the DCMA Approved Software List. Windows Services for UNIX 3.0 is a good example of commercial use of GPL application mixing. Q: Is open source software the same as open systems/open standards? This is the tightest form of mixing possible with GPL and other types of software, but it must be used with care to ensure that the GPL software remains generic and is not tightly bound to any one proprietary software component. "Any reproduction of this computer software, or portions thereof, marked with this legend must also reproduce these markings." It is difficult for software developers (OSS or not) to be confident that they have avoided software patent infringement in the United States, for a variety of reasons. It is available at, The Office of Management and Budget issued a memorandum providing guidance on software acquisition which specifically addressed open source software on 1 Jul 2004. ("Free" in "Free software" refers to freedom, not price.) Software licenses (including OSS licenses) may also involve the laws for patent, trademark, and trade secrets, in addition to copyright. If it must work with other components, or is anticipated to work with other components, ensure that the license will permit those anticipated uses. But what is radically different is that a user can actually make a change to the program itself (either directly, or by hiring someone to do it). Choose a widely-used existing license; do not create a new license. This makes the expectations clear to all parties, which may be especially important as personnel change.
This page is an educational resource for government employees and government contractors to understand the policies and legal issues relating to the use of open source software (OSS) in the United States Department of Defense (DoD). Requiring that all developers be cleared first can reduce certain risks (at substantial costs), where necessary, but even then there is no guarantee. An Open System is a system that employs modular design, uses widely supported and consensus-based standards for its key interfaces, and has been subjected to successful V&V tests to ensure the openness of its key interfaces (per the DoD Open Systems Joint Task Force). DISA has updated the APL Integrated Tracking System, a web-based user database, to list products that have been approved and the current status of remaining items that are still in process. Similarly, in Wallace v. IBM, Red Hat, and Novell, the U.S. Court of Appeals for the Seventh Circuit found in November 2006 that the GNU General Public License (GPL) and open-source software "have nothing to fear from the antitrust laws". 10 USC 2377 requires that the head of an agency shall ensure that procurement officials in that agency, to the maximum extent practicable: Similarly, it requires preliminary market research to determine whether there are commercial services or commercial products or, to the extent that commercial products suitable to meet the agency's needs are not available, nondevelopmental items other than commercial items available that "(A) meet the agency's requirements; (B) could be modified to meet the agency's requirements; or (C) could meet the agency's requirements if those requirements were modified to a reasonable extent." This market research should occur "before developing new specifications for a procurement by that agency; and before soliciting bids or proposals for a contract in excess of the simplified acquisition threshold."
Unlike proprietary COTS, GOTS has the advantage that the government has the right to change the software whenever the government chooses to do so. It also risks reduced flexibility (including against cyberattack), since OSS permits arbitrary later modification by users in ways that some other license approaches do not. In contrast, typical proprietary software costs are per-seat, not per-improvement or service. In addition, an attacker can often acquire the original source code from suppliers anyway (either because the supplier voluntarily provides it, or via attacks against the supplier); in such cases, if only the attacker has the source code, the attacker ends up with another advantage. First, get approval to publicly release the software. Often there is a single integrating organization, while other organizations inside the government submit proposed changes to the integrator. The CBP ruling points out that 19 U.S.C. 2518(4)(B) says that "An article is a product of a country or instrumentality only if (i) it is wholly the growth, product, or manufacture of that country or instrumentality, or (ii) in the case of an article which consists in whole or in part of materials from another country or instrumentality, it has been substantially transformed into a new and different article of commerce with a name, character, or use distinct from that of the article or articles from which it was so transformed." In particular, will it be directly linked with proprietary or classified code? As explained in detail below, nearly all OSS is "commercial computer software" as defined in US law and the Defense Federal Acquisition Regulation Supplement, and if it is used unchanged (or with only minor changes), it is almost always COTS. In short, the ADA's limitation on voluntary services does not broadly forbid the government from working with organizations and people who identify themselves as volunteers, including those who develop OSS. In addition, ignoring OSS would not be lawful; U.S. law specifically requires consideration of commercial software (including extant OSS, regardless of exactly which license it uses), and specifically instructs departments to pass this requirement to consider commercial items down to contractors and their suppliers at all tiers. The CBP also pointed out a ruling (Data General v. United States, 4 CIT 182 (1982)), that programming a PROM performed a substantial transformation. Many analyses focus on versions of the GNU General Public License (GPL), since this is the most common OSS license, but analyses for other licenses are also available. First of all, being a US firm has little relationship to the citizenship of its developers and its suppliers' developers. Note, however, that this may be negotiated; if the government agrees to only receive lesser rights (such as government-purpose rights or restricted rights) then the government does not have the rights necessary to release that software as open source software. The doctrine of unclean hands, per law.com, is "a legal doctrine which is a defense to a complaint, which states that a party who is asking for a judgment cannot have the help of the court if he/she has done anything unethical in relation to the subject of the lawsuit." Note that many of the largest commercially-supported OSS projects have their own sites. U.S. law governing federal procurement, U.S. Code Title 41, Section 103, defines "commercial product" as including "a product, other than real property, that (A) is of a type customarily used by the general public or by nongovernmental entities for purposes other than governmental purposes; and (B) has been sold, leased, or licensed, or offered for sale, lease, or license, to the general public." Here is an explanation of these categories, along with common licenses used in each category (see The Free-Libre / Open Source Software (FLOSS) License Slide): In general, legal analysis is required to determine if multiple programs, covered by different OSS licenses, can be legally combined into a single larger work. In Wallace vs. FSF, Judge Daniel Tinder stated that the GPL "encourages, rather than discourages, free competition and the distribution of computer operating systems" and found no anti-trust issues with the GPL. Maximize portability, and avoid requiring proprietary languages/libraries unnecessarily. Thus, as long as the software has at least one non-governmental use, software licensed (or offered for license) to the public is a commercial product for procurement purposes. Note that when government employees develop software as part of their official duties, it can be protected by copyright in other countries, but note that these can only be enforced outside the US.
Clarifying Guidance Regarding Open Source Software (OSS) states that "Software items, including code fixes and enhancements, developed for the Government should be released to the public (such as under an open source license) when all of the following conditions are met:" The government or contractor must determine the answer to these questions: Source: Publicly Releasing Open Source Software Developed for the U.S. Government. At project start, the project creators (who create the initial trusted repository) are the trusted developers, and they determine who else may become a trusted developer of this initial trusted repository. It may be illegal to modify proprietary software, but that will normally not slow an attacker. Computer and electronic hardware that is designed in the same fashion as open source software (OSS) is sometimes termed open source hardware. It noted that "a copyright holder may dedicate a certain work to free public use and yet enforce an open source copyright license to control the future distribution and modification of that work... Open source licensing has become a widely used method of creative collaboration that serves to advance the arts and sciences in a manner and at a pace that few could have imagined just a few decades ago... Traditionally, copyright owners sold their copyrighted material in exchange for money." Q: Under what conditions can GPL-licensed software be mixed with proprietary/classified software? Q: Is the GPL compatible with Government Unlimited Rights contracts, or does the requirement to display the license, etc., violate Government Unlimited Rights contracts? What are good practices for use of OSS in a larger system?
The information on this page does not constitute legal advice and any legal questions relating to specific situations should be referred to legal counsel. Note that most commercial software is not intended to be used where the impact of any error of any kind is extremely high (e.g., a large number of lives are likely to be immediately lost if even the slightest software error occurs). For advice about a specific situation, however, consult with legal counsel. In practice, OSS projects tend to be remarkably clean of such issues. No, DoD policy does not require you to have commercial support for OSS, but you must have some plan for support. It also often has lower total cost-of-ownership than proprietary COTS, since acquiring it initially is often free or low-cost, and all other support activities (training, installation, modification, etc.) Thus, open systems require standards that are widely-supported and consensus-based; standards that meet these (and possibly some additional conditions) may be termed open standards.