In Wallace vs. FSF, Judge Daniel Tinder stated that the GPL encourages, rather than discourages, free competition and the distribution of computer operating systems, and found no antitrust issues with the GPL. In contracts where this issue is important, you should examine the contract to find the specific definitions that are being used. This is often done when the deliverable is a software application; instead of including commercially available components such as the operating system or database system as part of the deliverable, the deliverable could simply state what it requires. A company that found any of its proprietary software in an OSS project can in most cases quickly determine who unlawfully submitted that code and sue that person for infringement. For example, a code analysis of the Linux Wireless Team's ath5k driver found no license problems. OSS programs can typically simply be downloaded and tried out, which makes evaluation much easier and encourages widespread use. If it must work with other components, or is anticipated to work with other components, ensure that the license will permit those anticipated uses. The ruling was a denial of a motion for summary judgment, and the parties ultimately settled the claim out of court. In addition, an attacker can often acquire the original source code from suppliers anyway (either because the supplier voluntarily provides it, or via attacks against the supplier); in such cases, if only the attacker has the source code, the attacker ends up with another advantage. It is impossible to completely eliminate all risks; instead, focus on reducing risks to acceptable levels.
Government lawyers and Contracting Officers are trained to try to negotiate licenses which resolve these ambiguities without having to rely on the less satisfying Order of Precedence, but generally accede when the licenses in question are non-negotiable, as is often the case with OSS licenses. The Red Book, section 6.C.3.b, explains this prohibition in more detail. This is not a copyright license; it is the absence of a license. As noted in FAR 27.201-1, pursuant to 28 U.S.C. 1498, the exclusive remedy for patent or copyright infringement by or on behalf of the Government is a suit for monetary damages against the Government in the Court of Federal Claims. You may only claim that a trademark is registered if it is actually registered. That said, other factors may be more important for a given circumstance. Thus, as long as the software has at least one non-governmental use, software licensed (or offered for license) to the public is a commercial product for procurement purposes. Note that many of the largest commercially supported OSS projects have their own sites. Q: Under what conditions can GPL-licensed software be mixed with proprietary/classified software? If the supplier attains a monopoly or it is difficult to switch from the supplier, the costs may skyrocket. In particular, U.S. law (10 USC 2377) requires a preference for commercial products for procurement of supplies or services. Each hosting service tends to be focused on particular kinds of projects, so prefer a hosting service that matches the project well. Obviously, contractors cannot release anything (including software) to the public if it is classified. Is it COTS?
Some OSS is very secure, while other OSS is not; some proprietary software is very secure, while other proprietary software is not. Can the DoD use GPL-licensed software? Bruce Perens noted back in 1999, "Do not write a new license if it is possible to use (a common existing license). The propagation of many different and incompatible licenses works to the detriment of Open Source software because fragments of one program cannot be used in another program with an incompatible license." Many view OSS license proliferation as a problem; Serdar Yegulalp's 2008 "Open Source Licensing Implosion" (InformationWeek) noted that not only are there too many OSS licenses, but that "the consequences for blithely creating new ones are finally becoming concrete ... the vast majority of open source products out there use a small handful of licenses ... Now that open source is becoming (gasp) a mainstream phenomenon, using one of the less-common licenses or coming up with one of your own works against you more often than not." Q: How can I get support for OSS that already exists? Again, if this is the case, then the contractor cannot release the software as OSS without permission, because the contractor doesn't own the copyright. When considering any software (OSS or proprietary), look for evidence that the risk of unlawful release is low. First of all, being a US firm has little relationship to the citizenship of its developers and its suppliers' developers. The regulation is available at. In 2015, a series of decisions regarding the GNU General Public License were issued by the United States District Courts for the Western District of Texas as well as the Northern District of California. Q: How do GOTS, Proprietary COTS, and OSS COTS compare? Yes, extensively.
No, OSS is developed by a wide variety of software developers, and the average developer is quite experienced. Q: What is the country of origin for software? The lack of money changing hands in open source licensing should not be presumed to mean that there is no economic consideration, however. when it implements novel functionality which is not already available to the public, and which significantly improves DoD mission outcomes or business processes. Public definitions include those of the European Interoperability Framework (EIF), the Digistan definition of open standard (based on the EIF), and Bruce Perens' "Open Standards: Principles and Practice". The information on this page does not constitute legal advice and any legal questions relating to specific situations should be referred to legal counsel. The usual DoD contract clause (DFARS 252.227-7014) permits this by default. BSD TCP/IP suite - provided the basis of the Internet. Greatly increased costs, due to the effort of self-maintaining its own version; inability to use improvements (including security patches and innovations) by others, where it uses a non-standard version instead of the version being actively maintained; greatly increased cost, due to having to bear the; inability to use improvements (including security patches and innovations) by others, since they do not have the opportunity to aid in its development; obsolescence due to the development and release of a competing commercial (e.g., OSS) project. However, sometimes OGOTS/GOSS software is later released as OSS. The, Educate all software developers that they must comply with all valid licenses - including both proprietary. This memorandum only applies to Navy and Marine Corps commands, but may be a useful reference for others.
Control enhancement CM-7(8) states that an organization must prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code. Q: In what form should I release open source software? Establish a project website. The government can typically release software as open source software once it has unlimited rights to the software. Q: Can the government or contractor use trademarks, service marks, and/or certification marks with OSS projects? After all, most proprietary software licenses explicitly forbid modifying (or even reverse-engineering) the program, so the GPL actually provides additional rights not present in most proprietary software. Reasons for taking this approach vary. Typically, enforcement actions are based on copyright violations, and only copyright holders can raise a copyright claim in U.S. court. The program available to the public may improve over time, through contributions not paid for by the U.S. government. This process provides a single, consolidated list of products that have met cybersecurity and interoperation certification requirements. For example, the Government has public release rights when the software is developed by Government personnel, when the Government receives unlimited rights in software developed by a contractor at Government expense, or when pre-existing OSS is modified by or for the Government. OGOTS/GOSS software is often not OSS; software is only OSS if it meets the definition of OSS. Software licenses, including those for open source software, are typically based on copyright law.
If the standard DFARS contract clauses are used (see DFARS 252.227-7014), then unless other arrangements are made, the government has unlimited rights to a software component when (1) it pays entirely for the development of it (see DFARS 252.227-7014(b)(1)(i)), or (2) it is five years after contract signature if it partly paid for its development (see DFARS 252.227-7014(b)(2)). This definition is essentially identical to what the DoD has been using since publication of the 16 October 2009 memorandum from the DoD CIO, "Clarifying Guidance Regarding Open Source Software (OSS)". The DoD is, of course, not the only user of OSS. Make sure it's really OSS. No changes since that date. For computer software, modern version control and source code comparison tools typically make it easy to isolate the contributions of individual authors (via "blame" or "annotate" functions). If it is a modification of an existing project, or a plug-in to it, release it under the project's original license (and possibly other licenses). Choose a license that is recognized as an Open Source Software license by the Open Source Initiative (OSI), a Free Software license by the Free Software Foundation (FSF), and is acceptable to widely used Linux distributions (such as being a good license for Fedora). In contrast, typical proprietary software costs are per-seat, not per-improvement or service. Indeed, many people have released proprietary code that is malicious. For example, software that is released to the public as OSS is not considered commercial if it is a type of software that is only used for governmental purposes. The term "trademark" is often used to refer to both trademarks and service marks. In that case, the U.S. government might choose to continue to use the version to which it has unlimited rights, or it might use the publicly available commercial version available to the government through that version's commercial license (the GPL in this case).
These licenses include the MIT license, revised BSD license (and its 2-clause variant), the Apache 2.0 license, the GNU Lesser General Public License (LGPL) versions 2.1 or 3, and the GNU General Public License (GPL) versions 2 or 3. The term has primarily been used to reflect the free release of information about the hardware design, such as schematics, bill of materials and PCB layout data, or its representation in a hardware description language (HDL), often with the use of open source software to drive the hardware. Vendor lock-in, aka lock-in, is the situation in which customers are dependent on a single supplier for some product (i.e., a good or service), or products, and cannot move to another vendor without substantial costs and/or inconvenience. (See also "Publicly Releasing Open Source Software Developed for the U.S. Government" by Dr. David A. Wheeler, DoD Software Tech News, February 2011.) An Open System is a system that employs modular design, uses widely supported and consensus-based standards for its key interfaces, and has been subjected to successful V&V tests to ensure the openness of its key interfaces (per the DoD Open Systems Joint Task Force). In 2017, the United States District Court for the Northern District of California, in Artifex Software, Inc. v. Hancom, Inc., issued a ruling confirming the enforceability of the GNU General Public License. No, DoD policy does not require you to have commercial support for OSS, but you must have some plan for support. If there is an existing contract, you must check the contract to determine the specific situation; the text above merely describes common cases. What contract applies, what are its terms, and what decisions have been made? There are many definitions for the term "open standard".
Q: When a DoD contractor is developing a new system/software as a deliverable in a typical DoD contract, is it possible to use existing software licensed using the GNU General Public License (GPL)? DFARS 252.227-7014 specifically defines "commercial computer software" in a way that includes nearly all OSS, and defines "noncommercial computer software" as software that does not qualify as commercial computer software. This can be a cause of confusion, because without any markings, a recipient is often unaware that the government has unlimited rights to it, and if the government does not know it has certain rights, it becomes difficult for the government to exercise its rights. As of 2021, the terms "freeware" and "shareware" do not appear to have official definitions used by the United States Government, but historically (for example in the now-superseded DoD Instruction 8500.2) these terms have been used specifically for software distributed without cost where the Government does not have access to the original source code. Q: Is it more difficult to comply with OSS licenses than proprietary licenses? A permissive license permits arbitrary use of the program, including making proprietary versions of it. This also means that these particular licenses are compatible. Software licensed under the GPL can be mixed with software released under other licenses, and mixed with classified or export-controlled software, but only under conditions that do not violate any license. Q: When a DoD contractor is developing a new system/software as a deliverable in a typical DoD contract, is it possible to include existing open source software?
Even when the original source is necessary for in-depth analysis, making source code available to the public significantly aids defenders and not just attackers. Typically this will include a source code version management system, a mailing list, and an issue tracker. 7101-7109). Furthermore, 52.212-4(s) says: "(s) Order of precedence." In most cases, contributors to OSS projects intend for their contributions to be gratuitous, and provide them for all (not just for the Federal government), clearly distinguishing such OSS contributions from the voluntary services that the ADA was designed to prevent. Open standards also make it easier for OSS developers to create their projects, because the standard itself helps developers know what to do. No; this is a low-probability risk for widely used OSS programs. Yes. DFARS 252.227-7014(a)(15) defines "unlimited rights" as rights to use, modify, reproduce, release, perform, display, or disclose computer software or computer software documentation in whole or in part, in any manner and for any purpose whatsoever, and to have or authorize others to do so. Each product must be examined on its own merits. U.S. government contractors (including those in the DoD) are often indemnified from patent infringement by the U.S. government as part of their contract. Classified information may not be released to the public without special authorization to do so. (Such terms might include open source software, but could also include other software.) Observing the output from inputs is often sufficient for attack. OSS-like development approaches within the government.
As noted by the 16 October 2009 policy memorandum from the DoD CIO, in almost all cases OSS is a commercial item as defined by US Law (Title 41) and regulation (the FAR). If a government employee enhances or modifies a (copyrighted) open source software program, the resulting work is a "joint work" (see 17 USC 101) which is partially copyrighted and partially public domain. Q: Is a lot of pre-existing open source software available? Creating any interface is an effort, and having a pre-defined standard helps reduce that effort greatly. At this time there is no widely accepted term for software whose source code is available for review but does not meet the definition of open source software (due to restrictions on use, modification, or redistribution). If there are reviewers from many different backgrounds (e.g., different countries), this can also reduce certain risks. They can obtain this by receiving certain authorization clauses in their contracts. Depending on the contract and its interpretation, contractors may be required to get governmental permission to include commercial components in their deliverables; where this applies, this would be true for OSS components as well as proprietary components. These include: If you are looking for smaller pieces of code to reuse, search engines specifically for code may be helpful. In most cases, this GPL license term is not a problem. No. It also risks reduced flexibility (including against cyberattack), since OSS permits arbitrary later modification by users in ways that some other license approaches do not. An OTD project might be OSS, but it also might not be (it might be OGOTS/GOSS instead).
What is Open Technology Development (OTD)? OSS licenses can be grouped into three main categories: permissive, strongly protective, and weakly protective. If it is already available to the public and is used unchanged, it is usually COTS. Q: What additional material is available on OSS in the government or DoD? This makes the expectations clear to all parties, which may be especially important as personnel change. There is a fee for registering a trademark. Volume II of its third edition, section 6.C.3, describes in detail this prohibition on voluntary services. We also provide some thoughts concerning compliance and risk mitigation in this challenging environment. This is not a contradiction; it's quite common for different organizations to have different rights to the same software. Many governments, not just the U.S., view open systems as critically necessary. Such source code may not be adequate to cost-effectively. The terms that apply to usage and redistribution tend to be trivially easy to meet (e.g., you must not remove the license or author credits when redistributing the software). Many development tools covered by the GPL include libraries and runtimes that are not covered by the GPL itself but by the GPL with a runtime exception (e.g., the CLASSPATH exception) that specifically permits development of proprietary software. Its flexibility is as high as GOTS, since it can be arbitrarily modified. However, if the goal is to encourage longevity and cost savings through a commonly maintained library or application, protective licenses may have some advantages, because they encourage developers to contribute their improvements back into a single common project. A primary reason that this is low-probability is the publicity of the OSS source code itself (which almost invariably includes information about those who made specific changes).
OSS projects typically seek financial gain in the form of improvements. Use a widely used existing license. The key issue with both versions of the GPL is that, unlike most other OSS licenses, the GPL licenses require that a recipient of a binary (executable) must be able to demand and receive the source code of that program, and the recipient must also be able to propagate the work under that license. In particular, note that the costs borne by a particular organization are typically only those for whatever improvements or services are used (e.g., installation, configuration, help desk, etc.). Many OSS licenses do not have a choice of venue clause, and thus cannot have an issue, although some do. In most cases, yes. While this argument may be valid, we know of no court decision or legal opinion confirming this. The 2003 MITRE study, "Use of Free and Open Source Software (FOSS) in the U.S. Department of Defense", identified some of many OSS programs that the DoD is already using, and concluded that OSS plays a more critical role in the [Department of Defense (DoD)] than has generally been recognized. The public release of the item is not restricted by other law or regulation, such as the Export Administration Regulations or the International Traffic in Arms Regulation, and the item qualifies for Distribution Statement A, per DoD Directive 5230.24 (reference (i)). Export control laws are often not specifically noted in OSS licenses, but nevertheless these laws also govern when and how software may be released. Establish vetting process(es) before the government will use updated versions (testing, etc.).
The DoDIN APL is managed by the Approved Products Certification Office (APCO). Under the same reasoning, the CBP determined that building an object file from source code performed a substantial transformation into a new article. Others do not like the term GOSS, because GOSS is not actually OSS, and they believe the term can be misleading. Developers/reviewers need security knowledge. When the program was released as OSS, within 5 months this vulnerability was found and fixed. Conversely, if it is widely used, has many developers, and so on, the likelihood of review increases. In some cases access is limited to portions of the government instead of the entire government. In general, "security by obscurity" is widely denigrated. Often there is a single integrating organization, while other organizations inside the government submit proposed changes to the integrator. A protective license protects the software from becoming proprietary, and instead enforces a "share and share alike" approach between parties. It can be argued that classified software can be arbitrarily combined with GPL code, beyond the approaches described above. An example is (connecting) a GPL utility to a proprietary software component by using the Unix pipe mechanism, which allows one-way flow of data to move between software components. This way, the software can be incorporated in the existing project, saving time and money in support. If you claim rights to use a mark, you may simply use the TM (trademark) or SM (service mark) designation to alert the public to your claim of ownership of the mark. a license) from the copyright holder(s) before they can obtain a copy of software to run on their system(s).
By default, the government has the necessary rights if it does not permit the contractor to assert copyright, but it loses those rights if the government permits the contractor to assert copyright. The real challenge is one of education: some developers incorrectly believe that just because something is free to download, it can be merged or changed without restriction. When including externally developed software in a larger system (e.g., as a library), make it clearly separable from the other components and easy to update. Note that Creative Commons does not recommend that you use one of their licenses for software; they encourage using one of the existing OSS licenses which were designed specifically for use with software. Choosing between the various options, particularly between permissive, weakly protective, and strongly protective options, is perhaps the most difficult, because this selection depends on your goals, and there are many opinions on which licenses are most appropriate for different circumstances. Even where there is GOTS/classified software, such software is typically only a portion of the entire system, with other components implemented through COTS components. OSS implementations can help rapidly increase adoption/use of the open standard. Thus, Open Source Intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. It also often has lower total cost of ownership than proprietary COTS, since acquiring it initially is often free or low-cost, and all other support activities (training, installation, modification, etc.) The DoD does not have a single required process for evaluating OSS.
OTD is an approach to software/system development in which developers (in multiple organizations) collaboratively develop and maintain software or a system in a decentralized fashion. The 2009 DoD CIO memo on open source software says, in attachment 2, 2(d), "The use of any software without appropriate maintenance and support presents an information assurance risk." Q: What are synonyms for open source software? Similarly, OSS (as well as proprietary software) may indeed have malicious code embedded in it. (The MIT license is similar to public domain release, but with some legal protection from lawsuits.) Release modifications under the same license. As an aid, the Open Source Initiative (OSI) maintains a list of licenses that are "popular and widely used or with strong communities". Open source software is also called Free software, libre software, Free/open source software (FOSS or F/OSS), and Free/Libre/Open Source Software (FLOSS). One way to deal with potential export control issues is to make this request in the same way as approving public release of other data/documentation. This strengthens evaluations by focusing on technology-specific security requirements.