The Defense Information Systems Agency (DISA) maintains the DoD Information Network (DoDIN) Approved Products List (APL) process, as outlined in DoD Instruction 8100.04, on behalf of the Department of Defense. Q: Are non-commercial software, freeware, or shareware the same thing as open source software? Depending on the contract and its interpretation, contractors may be required to get governmental permission to include commercial components in their deliverables; where this applies, it is true for OSS components as well as proprietary components. If there are reviewers from many different backgrounds (e.g., different countries), this can also reduce certain risks. For example, the LGPL permits the covered software (usually a library) to be embedded in a larger work under many different licenses (including proprietary licenses), subject to certain conditions. FAR 52.227-1 (Authorization and Consent), as prescribed by FAR 27.201-2(a)(1), inserts a clause in which the Government authorizes and consents to all use and manufacture of any invention described in and covered by a U.S. patent. Before starting, have a clear understanding of the reasons to migrate; ensure that there is active support for the change from IT staff and users; make sure that there is a champion for change (the higher up in the organisation, the better); build up expertise and relationships with the OSS movement; and ensure that each step in the migration is manageable. Q: What are antonyms for open source software? Strongly protective (aka strong copyleft): These licenses prevent the software from becoming proprietary, and instead enforce a "share and share alike" approach. This can create an avalanche-like virtuous cycle. Q: Can OSS licenses and approaches be used for material other than software?
In short, OSS more accurately reflects the economics of software development; some speculate that this is one reason why OSS has become so common. In some cases, export-controlled software may be licensed for export under the condition that the source code not be released; this would prevent release of software that mixed GPL and export-controlled software. The DoD already uses a wide variety of software licensed under the GPL. Questions about why the government (which represents the people) is not releasing software that the people paid for back to the people. Where it is unclear, make it clear what "source" or "source code" means. Commercial support can be obtained either through companies that specialize in OSS support (in general or for specific products), or through contractors who specialize in supporting customers and provide the OSS support as part of a larger service. Approved software is listed on the DCMA Approved Software List. The Department of Defense Information Network (DoDIN) Approved Products List (APL) is the single consolidated list of products that affect communication and collaboration across the DoDIN. Q: Why is it important to understand that open source software is commercial software? These cases were eventually settled by the parties, but not before certain claims regarding the GPLv2 were decided. The 2009 DoD CIO memo on open source software says, in attachment 2, 2(d), "The use of any software without appropriate maintenance and support presents an information assurance risk." It also risks reduced flexibility (including against cyberattack), since OSS permits arbitrary later modification by users in ways that some other license approaches do not.
This need for legal analysis is one reason why creating new OSS licenses is strongly discouraged: it can be extremely difficult, costly, and time-consuming to analyze the interplay of many different licenses. If it is an improvement to an existing project, release it to the main OSS project, in whatever format they prefer for changes. Q: Do choice of venue clauses automatically disqualify OSS licenses? For example, trademarks and certification marks can be used to differentiate one version of OSS from others, e.g., to designate certain releases as an official version. In some cases, the government obtains the copyright; in those cases, the government can sue for copyright violation. Indeed, because a calculation of damages is inherently speculative, these types of license restrictions might well be rendered meaningless absent the ability to enforce through injunctive relief. In short, it determined that the OSS license at issue in the case (the Artistic License) was indeed an enforceable license. Instead, Government employees must ensure that they do not accept services rendered in the hope that Congress will subsequently recognize a moral obligation to pay for the benefits conferred. The NASA FAR Supplement (NFS) 1852.227-14 gives NASA the right, under typical conditions, to demand that a contractor assert copyright and then assign the copyright to the government, which would again give the government the right to release the software as open source software. Use a widely-used existing license. In contracts where this issue is important, you should examine the contract to find the specific definitions that are being used.
In some cases, there are nationally strategic reasons the software should not be released to the public (e.g., it is classified). An alternative is to not include the OSS component in the deliverable, but simply depend on it, as long as that is acceptable to the government. Note that enforcing such separation has many other advantages as well. Thus, if there is an existing contract, you must check the contract to determine the specific situation; the text above merely describes common cases. Q: What are indicators that a specific OSS program will have fewer unintentional vulnerabilities? Q: How can I find open source software that meets my specific needs? In particular, U.S. law (10 USC 2377) requires a preference for commercial products for procurement of supplies or services. U.S. law governing federal procurement (U.S. Code Title 41, Chapter 7, Section 103) defines "commercial product" as a product, other than real property, that (A) is of a type customarily used by the general public or by nongovernmental entities for purposes other than governmental purposes; and (B) has been sold, leased, or licensed, or offered for sale, lease, or license, to the general public. In general, "security by obscurity" is widely denigrated. At project start, the project creators (who create the initial trusted repository) are the trusted developers, and they determine who else may become a trusted developer of this initial trusted repository. When it implements novel functionality which is not already available to the public, and which significantly improves DoD mission outcomes or business processes. Such source code may not be adequate to cost-effectively. Services that are intended and agreed to be gratuitous do not conflict with this statute.
disa.meade.ie.list.approved-products-certification-office@mail.mil. Others do not like the term GOSS, because GOSS is not actually OSS, and they believe the term can be misleading. Q: Does the Antideficiency Act (ADA) prohibit all use of OSS due to limitations on voluntary services? Thus, avoid releasing software under only the original (4-clause) BSD license (which has been replaced by the new or revised 3-clause license), the Academic Free License (AFL), the now-abandoned Common Public License 1.0 (CPL), the Open Software License (OSL), or the Mozilla Public License version 1.1 (MPL 1.1). Thus, to reduce the risk of executing malicious code, potential users should consider the reputation of the supplier and the experience of other users, prefer software with a large number of users, and ensure that they get the real software and not an imitator. Government Off-the-Shelf (GOTS), proprietary commercial off-the-shelf (COTS), and OSS COTS are all methods to enable reuse of software across multiple projects. OSS is increasingly commercially developed and supported. For DoD contractors, if the standard DFARS contract clauses are used (in particular DFARS 252.227-7014), then the contractor who developed the software retains the copyright to the software and has the right to release it to others, even if the software was developed exclusively with government funds. The following marking should be added to software source code when the government has unlimited rights due to the use of the DFARS 252.227-7014 contract clause: "The U.S. Government has Unlimited Rights in this computer software pursuant to the clause at DFARS 252.227-7014." However, the required FAR Clause 52.212-4(d) establishes that "This contract is subject to the Contract Disputes Act of 1978, as amended (41 U.S.C.
The government can typically release software as open source software once it has unlimited rights to the software. Each product must be examined on its own merits. The DSOP is a joint effort of the DoD Chief Information Officer and the Office of the Under Secretary of Defense for Acquisition and Sustainment. The term has primarily been used to reflect the free release of information about the hardware design, such as schematics, bill of materials and PCB layout data, or its representation in a hardware description language (HDL), often with the use of open source software to drive the hardware. Public definitions include those of the European Interoperability Framework (EIF), the Digistan definition of open standard (based on the EIF), and Bruce Perens' "Open Standards: Principles and Practice". In some cases, it may be wise to release software under multiple licenses (e.g., LGPL version 2.1 and version 3, or GPL version 2 and 3), so that users can then pick which license they will use. Q: Is there a name for software whose source code is publicly available, but does not meet the definition of open source software? They can obtain this by receiving certain authorization clauses in their contracts. In particular, note that the costs borne by a particular organization are typically only those for whatever improvements or services are used (e.g., installation, configuration, help desk, etc.). A trademark is "a word, phrase, symbol or design, or a combination thereof, that identifies and distinguishes the source of the goods of one party from those of others." Software licenses, including those for open source software, are typically based on copyright law. Document from where and when any external software was acquired, as well as the license conditions, so that future users and maintainers can easily comply with the license terms.
There are many alternative clauses in the FAR and DFARS, and specific contracts can (and often do) have different agreements on who has which rights to software developed under a government contract. It is far better to fix vulnerabilities before deployment; are such efforts occurring? Q: Is open source software the same as open systems/open standards? Choose a license that is recognized as an Open Source Software license by the Open Source Initiative (OSI), as a Free Software license by the Free Software Foundation (FSF), and that is acceptable to widely-used Linux distributions (such as being a "good" license for Fedora). DISA has updated the APL Integrated Tracking System, a web-based user database, to list products that have been approved and the current status of remaining items that are still in process. Thus, even this FAQ was developed using open source software. Another useful source is the list of licenses accepted by the Google code hosting service. For example, users of proprietary software must typically pay for a license to use a copy or copies. An open source community can update the codebase, but they cannot patch your servers. Thus, components that have the potential to (eventually) support many users are more likely to succeed. When including externally-developed software in a larger system (e.g., as a library), make it clearly separable from the other components and easy to update.
If you are looking for an application that has wide use, one of the various lists of open source alternatives may help. Any software not listed on the Approved Software List is prohibited. Note that this also applies to proprietary software, which often has even stricter limits on if and how the software may be changed. In nearly all cases, OSS is commercial software, so the policies regarding commercial software continue to apply to OSS. Software or hardware for which the implementation, the proofs of its properties, and all required tools are released under an OSS license are termed "open proofs" (see the open proofs website for more information). This shows that proprietary software can include functionality that could be described as malicious, yet remain unfixed, and that at least in some cases OSS is reviewed and fixed. Q: Is the GPL compatible with Government Unlimited Rights contracts, or does the requirement to display the license, etc., violate Government Unlimited Rights contracts? If the intent of a contract is to develop software to be released as open source software, it is best to expressly include release as OSS as part of the contract. Thus, open systems require standards that are widely-supported and consensus-based; standards that meet these (and possibly some additional conditions) may be termed "open standards". You can support OSS either through a commercial organization, or you can self-support OSS; in either case, you can use community support as an aid. When taking this approach, contractors hired to modify the software must not retain copyright or other rights to the result (else the software would be conveyed outside the U.S.
government); see GPL version 3 section 2, paragraph 2, which states this explicitly. The use of software with a proprietary license provides absolutely no guarantee that the software is free of malicious code. Q: What are the risks of the government releasing software as OSS? Most projects prefer to receive a set of smaller changes, so that they can review each change for correctness. Various organizations have been formed to reduce patent risks for OSS. For more about trademarks, see the U.S. Patent and Trademark Office (PTO) page "Trademark Basics". The 2003 MITRE study, "Use of Free and Open Source Software (FOSS) in the U.S. Department of Defense", did suggest developing a "Generally Recognized As Safe" (GRAS) list, but such a list has not been developed. In some cases, the sources of information for OSS differ. If the contract includes the typical FAR 52.227-14 (Rights in Data - General) clause, without any special alternatives or additions, then the contractor must make a written request for permission to assert copyright in works containing data first produced under the contract. This is particularly the case where future modifications by the U.S. government may be necessary, since OSS by definition permits modification. Q: How does open source software relate to the Buy American Act?
There are many other reasons to believe nearly all OSS is commercial software. This is confirmed by "Clarifying Guidance Regarding Open Source Software (OSS)" (2009) and the Department of the Navy Open Source Software Guidance (signed June 5, 2007). Similarly, in Wallace v. IBM, Red Hat, and Novell, the U.S. Court of Appeals for the Seventh Circuit found in November 2006 that "the GNU General Public License (GPL) and open-source software have nothing to fear from the antitrust laws." As long as a GPL program does not embed GPL software into its outputs, a GPL program can process classified or proprietary information without question. The release may also be limited by patent and trademark law. Careful legal review is required to determine if a given license is really an open source software license. This has a reduced likelihood if the program is niche or rarely used, has few developers, uses a rare computer language, or is not really OSS. Software might not infringe on a patent when it was released, yet the same software may later infringe on a patent if the patent was granted after the software's release. Proprietary COTS is especially appropriate when there is an existing proprietary COTS product that meets the need. Choose a GPL-compatible license. Patent examiners have relatively little time to review each patent, and do not have effective access to most prior art in software, which may lead them to grant patents for previously-published inventions or obvious inventions. The use of commercial products is generally encouraged, and when there are commercial products, the government expects that it will normally use whatever license is offered to the public.
Widely-used programs include the Apache web server, the Firefox web browser, the Linux kernel, and many other programs. Use a common OSS license well-known to be OSS (GPL, LGPL, MIT/X, BSD-new, Apache 2.0); don't write your own license. Q: Is there a large risk that widely-used OSS unlawfully includes proprietary software (in violation of copyright)? In addition, important open source software is typically supported by one or more commercial firms. As noted in the article "Open Source memo doesn't mandate a support vendor" (by David Perera, FierceGovernmentIT, May 23, 2012), the intent of the memo was not "to issue a blanket requirement that all open source software come bundled with contractor support or else it can't be used"; if a Defense agency is able to sustain the open source software with its own skills and talents, then that can be enough to satisfy the intent of the memo. In addition, how robust the support plan need be can also vary with the nature of the software itself: for command and control software, the degree would have to be greater than for something that's not so critical to mission execution. Weakly protective (aka weak copyleft): These licenses prevent the software component (often a software library) from becoming proprietary, yet permit it to be part of a larger proprietary program. Q: In what form should I release open source software? Q: What are the risks of failing to consider the use of OSS components or approaches? As with proprietary software, to reduce the risk of executing malicious code, potential users should consider the reputation of the supplier (the OSS project) and the experience of other users, prefer software with a large number of users, and ensure that they get the real software and not an imitator (e.g., from the main project site or a trusted distributor).
Permissive: These licenses permit the software to become proprietary (i.e., not OSS). Att'y Gen. 51 (1913)), which has become the leading case construing 31 U.S.C. Static attacks (e.g., analyzing the code instead of its execution) can use pattern-matches against binaries; source code is not needed for them either. The release of the software may be restricted by the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR). Choosing between the various options, particularly between permissive, weakly protective, and strongly protective options, is perhaps the most difficult, because this selection depends on your goals, and there are many opinions on which licenses are most appropriate for different circumstances. Be sure to consider total cost of ownership (TCO), not just initial download costs. This definition is essentially identical to what the DoD has been using since publication of the 16 October 2009 memorandum from the DoD CIO, "Clarifying Guidance Regarding Open Source Software (OSS)". This also pressures proprietary implementations to limit their prices, and such lower prices for proprietary software also encourage use of the standard.
GOTS is especially appropriate when the software must not be released to the public (e.g., it is classified) or when licenses forbid more extensive sharing (e.g., the government only has government-purpose rights to the software). This clause establishes that the choice of venue clause (category 4) is superseded by the Contract Disputes Act (category 2), and thus the conflict is typically moot. These licenses include the MIT license, the revised BSD license (and its 2-clause variant), the Apache 2.0 license, the GNU Lesser General Public License (LGPL) versions 2.1 or 3, and the GNU General Public License (GPL) versions 2 or 3. Unfortunately, the government must pay for all development and maintenance costs of GOTS; since these can be substantial, GOTS runs the risk of becoming obsolete when the government cannot afford those costs. Indeed, according to Walli, "Standards exist to encourage & enable multiple implementations." A survey paper cited here provides quantitative data that, in many cases, using open source software / free software (abbreviated as OSS/FS, FLOSS, or FOSS) is a reasonable or even superior approach to using their proprietary competition according to various measures; its goal is to show that you should consider using OSS/FS when acquiring software.
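The FAQ's practical advice above comes down to three checks a project can automate: record where, when and under what license each external component was acquired; keep new releases to the GPL-compatible licenses it lists (MIT, revised BSD, Apache 2.0, LGPL 2.1/3, GPL 2/3) and away from the ones it says to avoid (4-clause BSD, AFL, CPL 1.0, OSL, MPL 1.1); and make sure the artifact in the tree is the real software rather than an imitator. The following is an added example, not part of the FAQ or any DoD tool: a small inventory audit in Python. The inventory format, the field names, the SPDX-style license identifiers chosen for the lists, and the sample components and artifact bytes are all constructed for illustration.

```python
"""Audit a component inventory for license compatibility and provenance.

Added example (not part of the DoD OSS FAQ). Checks each recorded
component for (1) complete provenance fields, (2) a license in the
GPL-compatible set the FAQ recommends versus the set it says to avoid,
and (3) a SHA-256 match between the recorded hash and the artifact
actually present, so a substituted "imitator" is caught.
"""
import hashlib
from dataclasses import dataclass

# SPDX identifiers for the GPL-compatible licenses the FAQ recommends (assumed mapping).
GPL_COMPATIBLE = {
    "MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0",
    "LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later",
    "GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
}
# Licenses the FAQ says not to release under (GPL-incompatible or abandoned).
AVOID = {"BSD-4-Clause", "AFL-3.0", "CPL-1.0", "OSL-3.0", "MPL-1.1"}
REQUIRED_FIELDS = ("name", "version", "source", "acquired", "license", "sha256")


@dataclass
class Finding:
    component: str
    severity: str  # "warn" or "fail"
    message: str


def verify_hash(artifact: bytes, expected_sha256: str) -> bool:
    """True if the artifact's SHA-256 matches the hash recorded at acquisition."""
    return hashlib.sha256(artifact).hexdigest() == expected_sha256.strip().lower()


def classify_license(spdx_id: str) -> str:
    """'ok' for the recommended set, 'fail' for the avoid set, 'warn' otherwise."""
    if spdx_id in GPL_COMPATIBLE:
        return "ok"
    if spdx_id in AVOID:
        return "fail"
    return "warn"  # unknown or proprietary terms: needs legal review


def audit(inventory, artifacts):
    """Return findings for every component; an empty list means all checks passed."""
    findings = []
    for c in inventory:
        name = f"{c.get('name', '?')}@{c.get('version', '?')}"
        for field in REQUIRED_FIELDS:
            if not c.get(field):
                findings.append(Finding(name, "fail", f"missing provenance field: {field}"))
        lic = c.get("license", "")
        status = classify_license(lic)
        if status == "fail":
            findings.append(Finding(name, "fail", f"license {lic} is GPL-incompatible or abandoned"))
        elif status == "warn":
            findings.append(Finding(name, "warn", f"license {lic!r} not recognized; needs legal review"))
        data = artifacts.get(c.get("name"))
        if data is None:
            findings.append(Finding(name, "fail", "recorded artifact is not present"))
        elif c.get("sha256") and not verify_hash(data, c["sha256"]):
            findings.append(Finding(name, "fail", "sha256 mismatch with record: possible imitator"))
    return findings


def findings_for(findings, component):
    return [f for f in findings if f.component == component]


def worst(findings):
    sev = {f.severity for f in findings}
    return "fail" if "fail" in sev else ("warn" if "warn" in sev else "ok")


# Constructed sample data: the bytes stand in for downloaded archives.
GENUINE_LIBFOO = b"libfoo-1.2.0 genuine release tarball"
GENUINE_OLDLIB = b"oldlib-0.9.0 release tarball"
RECORDED_MYSTERY = b"mystery-2.0.0 as downloaded from vendor"

SAMPLE_INVENTORY = [
    {"name": "libfoo", "version": "1.2.0", "source": "https://example.invalid/libfoo",
     "acquired": "2021-06-08", "license": "MIT",
     "sha256": hashlib.sha256(GENUINE_LIBFOO).hexdigest()},
    {"name": "oldlib", "version": "0.9.0", "source": "https://example.invalid/oldlib",
     "acquired": "2019-03-01", "license": "BSD-4-Clause",
     "sha256": hashlib.sha256(GENUINE_OLDLIB).hexdigest()},
    {"name": "mystery", "version": "2.0.0", "source": "https://example.invalid/mystery",
     "acquired": "2020-11-15", "license": "Proprietary-EULA",
     "sha256": hashlib.sha256(RECORDED_MYSTERY).hexdigest()},
]
# What is actually in the tree: mystery's bytes differ from what was recorded.
SAMPLE_ARTIFACTS = {
    "libfoo": GENUINE_LIBFOO,
    "oldlib": GENUINE_OLDLIB,
    "mystery": b"mystery-2.0.0 rebuilt by someone else",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, SAMPLE_ARTIFACTS):
        print(f"[{f.severity}] {f.component}: {f.message}")
```

Run as a script, the audit passes libfoo, rejects oldlib for its license, and flags mystery twice: once for an unrecognized license and once because the artifact on disk no longer matches the hash recorded when it was acquired. Keeping the recorded hash alongside the source and acquisition date is what makes the third check possible at all.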