Where possible, it may be better to divide such components into smaller components in a way that avoids this issue. Is it COTS? Q: Does the DoD already use open source software? There are far too many examples to list; a few examples are: The key risk is the revelation of information that should not be released to the public. See. 7101-7109). Furthermore, 52.212-4(s) says: (s) Order of precedence. We also provide some thoughts concerning compliance and risk mitigation in this challenging environment. As noted above, in software, Open Source refers to software for which the human-readable source code is available for use, study, re-use, modification, enhancement, and re-distribution by the users of such software. No. The more potential users, the more potential developers. OSS licenses can be grouped into three main categories: Permissive, strongly protective, and weakly protective. Q: Can contractors develop software for the government and then release it under an open source license? In some cases, the sources of information for OSS differ. The DoDIN APL is managed by the Approved Products Certification Office (APCO). Software licensed under the GPL can be mixed with software released under other licenses, and mixed with classified or export-controlled software, but only under conditions that do not violate any license. This legal analysis must determine if it is possible to meet the conditions of all relevant licenses simultaneously. Unlike proprietary COTS, GOTS has the advantage that the government has the right to change the software whenever the government chooses to do so.
The release of the software may be restricted by the International Traffic in Arms Regulation (ITAR) or Export Administration Regulation (EAR). The resulting joint work as a whole is protected by the copyrights of the non-government authors and may be released according to the terms of the original open-source license. In effect, the malicious developer could lose many or all rights over their license-violating result, even rights they would normally have had! Many DoD capabilities are accessible via web browsers using open standards such as TCP/IP, HTTP, and HTML; in such cases, it is relatively easy to use or switch to open source software implementations (since the platforms used to implement the client or server become less relevant). Knowledge is more important than the licensing scheme. This does not mean that existing OSS elements should always be chosen, but it means that they must be considered. Execution: Mixing GPL and other software can run at the same time on the same computer or network. Q: Is this related to open source intelligence? Examples include GPL applications running on proprietary operating systems or wrappers, and GPL applications that use proprietary components explicitly marked as non-GPL. In short, OSS more accurately reflects the economics of software development; some speculate that this is one reason why OSS has become so common. (See also Free Software Foundation License List, Public Domain.) (See also GPL FAQ, Question "Can the US Government release improvements to a GPL-covered program?")
Parties are innocent until proven guilty, so if there. These included the Linux kernel, the gcc compilation suite (including the GNAT Ada compiler), the OpenOffice.org office suite, the emacs text editor, the Nmap network scanner, OpenSSL and OpenSSH for encryption, and Samba for Unix/Linux/Windows interoperability. "Enforcing the GNU GPL" by Eben Moglen is a brief essay that argues why the GNU General Public License (GPL), specifically, is enforceable. Not under typical open source software licenses based on copyright, but there is an alternative with the same practical effect. Public definitions include those of the European Interoperability Framework (EIF), the Digistan definition of open standard (based on the EIF), and Bruce Perens' "Open Standards: Principles and Practice". It can sometimes be a challenge to find a good name. If there is an existing contract, you must check the contract to determine the specific situation; the text above merely describes common cases. The related FAR 52.227-2 (Notice and Assistance Regarding Patent and Copyright Infringement), as prescribed by FAR 27.201-2(b), requires the contractor to report to the Contracting Officer each notice or claim of patent/copyright infringement in reasonable written detail. The release may also be limited by patent and trademark law. Software that meets very high reliability/security requirements, aka high assurance software, must be specially designed to meet such requirements. Some people like the term GOSS, because it indicates an intent to do OSS-like collaborative development, but within the government instead. As noted by the OSJTF definition for open systems, be sure to test such systems with more than one web browser (e.g., Google Chrome, Microsoft Edge and Firefox), to reduce the risk of vendor lock-in.
Government Off-the-Shelf (GOTS), proprietary commercial off-the-shelf (COTS), and OSS COTS are all methods to enable reuse of software across multiple projects. No. (Note that such software would often be classified.) There is no injunctive relief available, and there is no direct cause of action against a contractor that is infringing a patent or copyright with the authorization or consent of the Government (e.g., while performing a contract). 97-258, 96 Stat. For example, the LGPL permits the covered software (usually a library) to be embedded in a larger work under many different licenses (including proprietary licenses), subject to certain conditions. In addition, ignoring OSS would not be lawful; U.S. law specifically requires consideration of commercial software (including extant OSS, regardless of exactly which license it uses), and specifically instructs departments to pass this requirement to consider commercial items down to contractors and their suppliers at all tiers. Commercial software (both proprietary and OSS) is occasionally updated to fix errors (including security vulnerabilities), and your system should be designed so that it is relatively easy to accept these updates. If your contract has FAR clause 52.212-4 (which it is normally required to do), then choice of venue clauses in software licenses are undesirable, but the order of precedence clause (in the contract) means that the choice of venue clause (in the license) is superseded by the Contract Disputes Act. is a survey paper that provides quantitative data that, in many cases, using open source software / free software (abbreviated as OSS/FS, FLOSS, or FOSS) is a reasonable or even superior approach to using their proprietary competition according to various measures. (Its) goal is to show that you should consider using OSS/FS when acquiring software.
For example, software that is released to the public as OSS is not considered commercial if it is a type of software that is only used for governmental purposes. Instead, users who are careful to use open standards can easily switch to a different implementation, including an OSS implementation. Common licenses for each type are:
- Permissive: MIT, BSD-new, Apache 2.0
- Weakly protective: LGPL (version 2 or 3)
- Strongly protective: GPL (version 2 or 3)
Software not subject to copyright is often called public domain software. But in practice, publicly-released OSS nearly always meets the various government definitions for commercial computer software and thus is nearly always considered commercial software. For at least 7 years, Borland's InterBase (a proprietary database program) had embedded in it a back door; the username "politically", password "correct", would immediately give the requestor complete control over the database, a fact unknown to its users. OSS-like development approaches within the government. In short, the ADA's limitation on voluntary services does not broadly forbid the government from working with organizations and people who identify themselves as volunteers, including those who develop OSS. For computer software, modern version control and source code comparison tools typically make it easy to isolate the contributions of individual authors (via "blame" or "annotate" functions). In most cases, contributors to OSS projects intend for their contributions to be gratuitous, and provide them for all (not just for the Federal government), clearly distinguishing such OSS contributions from the voluntary services that the ADA was designed to prevent.
Open systems and open standards counter dependency on a single supplier, though only if there is a competing marketplace of replaceable components. GOTS software should not be released when it implements a strategic innovation, i.e. Other documents that you may find useful include: Frequently Asked Questions regarding Open Source Software (OSS) and the Department of Defense (DoD). Permissive: These licenses permit the software to become proprietary (i.e., not OSS). An OSS implementation can be read and modified by anyone; such implementations can quickly become a working reference model (a sample implementation or an executable specification) that demonstrates what the specification means (clarifying the specification) and demonstrates how to actually implement it. It is impossible to completely eliminate all risks; instead, focus on reducing risks to acceptable levels. See also DFARS subpart 227.70, infringement claims, licenses, and assignments, and 28 USC 1498. In some cases, it may be wise to release software under multiple licenses (e.g., LGPL version 2.1 and version 3, GPL version 2 and 3), so that users can then pick which license they will use. Also, US citizens can attempt to embed malicious code into software, and many non-US citizens develop software without embedding malicious code. No. Q: How do GOTS, Proprietary COTS, and OSS COTS compare? This is not a copyright license; it is the absence of a license. Q: When a DoD contractor is developing a new system/software as a deliverable in a typical DoD contract, is it possible to use existing software licensed using the GNU General Public License (GPL)?
when it implements novel functionality which is not already available to the public, and which significantly improves DoD mission outcomes or business processes. These prevent the software component (often a software library) from becoming proprietary, yet permit it to be part of a larger proprietary program. Most commercial software (including OSS) is not designed for such purposes. Q: Does releasing software under an OSS license count as commercialization? The U.S. government can often directly combine GPL and proprietary, classified, or export-controlled software into a single program arbitrarily, as long as the result is never conveyed outside the U.S. government. Q: How can I get support for OSS that already exists? This is not a contradiction; it's quite common for different organizations to have different rights to the same software. However, using a support vendor is not the only approach or the best approach in all cases; system/program managers and DAAs must look at the specific situation to make a determination. Public Law 115-232 defines OSS as software for which the human-readable source code is available for use, study, re-use, modification, enhancement, and re-distribution by the users of such software. This is particularly the case where future modifications by the U.S. government may be necessary, since OSS by definition permits modification.
OTD is an approach to software/system development in which developers (in multiple organizations) collaboratively develop and maintain software or a system in a decentralized fashion. Any company can easily review OSS to look for proprietary code that should not be there; there are even OSS tools that can find common code. Thus, Open Source Intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. Choose a license that is recognized as an Open Source Software license by the Open Source Initiative (OSI), a Free Software license by the Free Software Foundation (FSF), and is acceptable to widely-used Linux distributions (such as being a "good" license for Fedora). Thankfully, there are ways to reduce the risk of executing malicious code when using commercial software (both proprietary and OSS). Thus, components that have the potential to (eventually) support many users are more likely to succeed. However, the required FAR Clause 52.212-4(d) establishes that "This contract is subject to the Contract Disputes Act of 1978, as amended (41 U.S.C." Q: What additional material is available on OSS in the government or DoD? Q: What is the legal basis of OSS licenses? In some cases, the government obtains the copyright; in those cases, the government can sue for copyright violation. Reasons for taking this approach vary. Q: Is there a large risk to DoD contractors that widely-used OSS violates enforceable software patents? Similarly, OSS (as well as proprietary software) may indeed have malicious code embedded in it.
In some cases, there are nationally strategic reasons the software should not be released to the public (e.g., it is classified). Open source software licenses grant more rights than proprietary software licenses, but they are still conditional licenses that require the user to obey certain terms. It is available at. The Office of Management and Budget issued a memorandum providing guidance on software acquisition which specifically addressed open source software on 1 Jul 2004. Q: Is there a large risk that widely-used OSS unlawfully includes proprietary software (in violation of copyright)? Yes, but the following considerations apply: As stated above, software developed by government employees as part of their official duties is not subject to copyright protection in the United States. Commercial support can either be through companies that specialize in OSS support (in general or for specific products), or through contractors who specialize in supporting customers and provide the OSS support as part of a larger service. Open standards also make it easier for OSS developers to create their projects, because the standard itself helps developers know what to do. Contractors must still abide by all other laws before being allowed to release anything to the public. As of 2021, the terms "freeware" and "shareware" do not appear to have official definitions used by the United States Government, but historically (for example in the now-superseded DoD Instruction 8500.2) these terms have been used specifically for software distributed without cost where the Government does not have access to the original source code.
Note, however, that this may be negotiated; if the government agrees to only receive lesser rights (such as government-purpose rights or restricted rights) then the government does not have the rights necessary to release that software as open source software. This is often done when the deliverable is a software application; instead of including commercially-available components such as the operating system or database system as part of the deliverable, the deliverable could simply state what it requires. If some portion of the software is protected by copyright, then the combined software work can be released under a copyright license. This isn't usually an issue because of how typical DoD contract clauses work under the DFARS. In the DoD, the GIG Technical Guidance Federation is a useful resource for identifying recommended standards (which tend to be open standards). If the OSS is intended for use on Linux/Unix systems, follow standard source installation release practices so that it is easier for users to install. The good news is that, by definition, OSS provides its source code, enabling a more informed evaluation than is typically available for other kinds of COTS products. If it is an improvement to an existing project, release it to the main OSS project, in whatever format they prefer for changes. However, this cost-sharing is done in a rather different way than in proprietary development. Note also that merely being developed for the government is no guarantee that there is no malicious embedded code. Thus, the government may receive custom-developed, non-commercial software as a deliverable and receive unlimited rights for that new code, but also acquire only commercial rights to the third-party (possibly OSS) components.
Even when the original source is necessary for in-depth analysis, making source code available to the public significantly aids defenders and not just attackers. 923, is in 31 U.S.C. "There are substantial benefits, including economic benefits, to the creation and distribution of copyrighted works under public licenses that range far beyond traditional license royalties. The choice to exact consideration in the form of compliance with the open source requirements of disclosure and explanation of changes, rather than as a dollar-denominated fee, is entitled to no less legal recognition." Note that this also applies to proprietary software, which often has even stricter limits on if/how the software may be changed. One way to deal with potential export control issues is to make this request in the same way as approving public release of other data/documentation. All new software products must go through the systems change request approval process and complete a satisfactory risk assessment. Choose a license that has passed legal reviews and is clearly accepted as an OSS license. Note that this sometimes depends on how the program is used or modified. The lack of money changing hands in open source licensing should not be presumed to mean that there is no economic consideration, however. The regulation is available at. The Defense Information Systems Agency maintains the DOD Information Network (DODIN) Approved Products List (APL) process, as outlined in DOD Instruction 8100.04, on behalf of the Department of Defense.
The purpose of the Department of Defense Information Network Approved Products List (DODIN APL) is to maintain a single consolidated list of products that have completed Interoperability (IO) and Cybersecurity certification. Do you have the materials (e.g., source code) and are all materials properly marked? Determine if there will be a government-paid lead. Note, however, that this risk has little to do with OSS, but is instead rooted in the risks of U.S. patent infringement for all software, and the patent indemnification clauses in their contract. If the supplier attains a monopoly or it is difficult to switch from the supplier, the costs may skyrocket. The usual federal non-DoD clause (FAR 52.227-14) also permits this by default as long as the government has not granted the contractor the right to assert copyright. Why Open Source Software / Free Software (OSS/FS, FLOSS, or FOSS)? This makes the expectations clear to all parties, which may be especially important as personnel change. Obviously, software that does not meet the U.S. government's definition of commercial computer software is not considered commercial software by the U.S. government's acquisition processes. If the government has received copyright (e.g., because the FAR 52.227-17 or DFARS 252.227-7020 clauses apply) then the government can release the software as open source software. Whether or not this will occur depends on factors such as the number of potential users (more potential users makes this more likely), the existence of competing OSS programs (which may out-compete the newly released component), and how difficult it is to install/use.
Intellipedia is implemented using MediaWiki, the open source software developed to implement Wikipedia. Most projects prefer to receive a set of smaller changes, so that they can review each change for correctness. When including externally-developed software in a larger system (e.g., as a library), make it clearly separable from the other components and easy to update. The MITRE study did identify some of many OSS programs that the DoD is already using, and may prove helpful. The GPL version 2 and the GPL version 3 are in principle incompatible with each other, but in practice, most released OSS states that it is "GPL version 2 or later" or "GPL version 3 or later"; in these cases, version 3 is a common license and thus such software is compatible. The DoD has chosen to use the term "open source software" (OSS) in its official policy documents. What contract applies, what are its terms, and what decisions have been made? In addition, important open source software is typically supported by one or more commercial firms. For DoD contractors, if the standard DFARS contract clauses are used (in particular DFARS 252.227-7014) then the contractor who developed the software retains the copyright to the software and has the right to release it to others, even if the software was developed exclusively with government funds. Support for OSS is often sold separately for OSS; in such cases, you must comply with the support terms for those uses to receive support, but these are typically the same kinds of terms that apply to proprietary software (and they tend to be simpler in practice). In practice, commercial software (OSS or not) tends to be developed globally, especially when you consider their developers and supply chains. The 2003 MITRE study, Use of Free and Open Source Software (FOSS) in the U.S.
Department of Defense, did suggest developing a "Generally Recognized As Safe" (GRAS) list, but such a list has not been developed. Q: Can OSS licenses and approaches be used for material other than software? Q: Am I required to have commercial support for OSS? Community OSS support is never enough by itself to provide this support, because the OSS community cannot patch your servers or workstations for you. Q: What are indicators that a specific OSS program will have fewer unintentional vulnerabilities? Factors that greatly reduce this risk include: Typically not, though the risk varies depending on their contract and specific circumstance. If it is a modification of an existing project, or a plug-in to it, release it under the project's original license (and possibly other licenses). By definition, open source software provides more rights to users than proprietary software (at least in terms of use, modification, and distribution). Various organizations have been formed to reduce patent risks for OSS. The red book section 6.C.3.b explains this prohibition in more detail. Some OSS is very secure, while others are not; some proprietary software is very secure, while others are not. Consider anticipated uses. Typically this will include a source code version management system, a mailing list, and an issue tracker. The GPL and government unlimited rights terms have similar goals, but differ in details. Q: Has the U.S. government released OSS projects or improvements? Open standards can aid open source software projects: Note that open standards aid proprietary software in exactly the same way.
When taking this approach, contractors hired to modify the software must not retain copyright or other rights to the result (else the software would be conveyed outside the U.S. government); see GPL version 3 section 2, paragraph 2 which states this explicitly.