air force approved software list 2021

Some OSS is very secure, while others are not; some proprietary software is very secure, while others are not. It is usually far better to stick to licenses that have already gone through legal review and are widely used in the commercial world. 40 CFR, Section 252.227-7014 Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation defines Commercial computer software as software developed or regularly used for non-governmental purposes which: (i) Has been sold, leased, or licensed to the public; (ii) Has been offered for sale, lease, or license to the public; (iii) Has not been offered, sold, leased, or licensed to the public but will be available for commercial sale, lease, or license in time to satisfy the delivery requirements of this contract; or (iv) Satisfies a criterion expressed in paragraph (a)(1)(i), (ii), or (iii) of this clause and would require only minor modification to meet the requirements of this contract. In some cases, it may be wise to release software under multiple licenses (e.g., LGPL version 2.1 and version 3, GPL version 2 and 3), so that users can then pick which license they will use. If it must work with other components, or is anticipated to work with other components, ensure that the license will permit those anticipated uses. This enables cost-sharing between users, as with proprietary development models. If using acronyms and abbreviations, only utilize those identified on the approved Air Force Acronym and Abbreviation List, unless noted by an approved category. Air Force Command and Control at the Start of the New Millennium. Before award, a contractor may identify the components that will have more restrictive rights (e.g., so the government can prefer proposals that give the government more rights), and under limited conditions the list can be modified later (e.g., for error correction).
However, you should examine past experience and your intended uses before depending on this as a primary mechanism for support. Where it is important, examining the security posture of the supplier (e.g., their processes that reduce risk) and scanning/testing/evaluating the software may also be wise. For example, trademarks and certification marks can be used to differentiate one version of OSS from others, e.g., to designate certain releases as an official version. But what is radically different is that a user can actually make a change to the program itself (either directly, or by hiring someone to do it). Yes. Certification Report Security Target. Q: What are some military-specific open source software programs? Q: Is there a standard marking for software where the government has unlimited rights? In general, Security by Obscurity is widely denigrated. Observing the output from inputs is often sufficient for attack. Choose a license that is recognized as an Open Source Software license by the Open Source Initiative (OSI), a Free Software license by the Free Software Foundation (FSF), and is acceptable to widely-used Linux distributions (such as being a good license for Fedora). Widespread availability and use of the software (which increases the likelihood of detection), Configuration management systems that record the identity of individual contributors (which acts as a deterrent), Licenses or development policies that warn against the unlawful inclusion of material, or require people to specifically assert that they are acting lawfully (which reduce the risk of unintentional infringement), Lack of evidence of infringement (e.g., an Internet search for project name + copyright infringement turns up nothing). Q: What is the legal basis of OSS licenses? Government employees may also modify existing open source software. In contrast, typical proprietary software costs are per-seat, not per-improvement or service.
Requiring the use of very unusual development tools may impede development, unless those tools provide a noticeable advantage. There are many alternative clauses in the FAR and DFARS, and specific contracts can (and often do) have different specific agreements on who has which rights to software developed under a government contract. Enables families, visitors and the public to locate gravesites, events or other points of interest throughout the cemetery. Around the Air Force: Accelerating the Legacy, Expanding Cyber Resiliency, Poppy Seed Warning. 7101-7109). Furthermore, 52.212-4(s) says: (s) Order of precedence. The GPL version 2 and the GPL version 3 are in principle incompatible with each other, but in practice, most released OSS states that it is GPL version 2 or later or GPL version 3 or later; in these cases, version 3 is a common license and thus such software is compatible. Q: How do GOTS, Proprietary COTS, and OSS COTS compare? The purpose of Department of Defense Information Network Approved Products List (DODIN APL) is to maintain a single consolidated list of products that have completed Interoperability (IO) and Cybersecurity certification. That said, this does not mean that all OSS is superior to all proprietary software in all cases by all measures. Parties are innocent until proven guilty, so if there. The first specific step towards the establishment of the United Nations was the Inter-Allied conference that led to the Declaration of St James's Palace on 12 June 1941. Q: Does the Antideficiency act (ADA) prohibit all use of OSS due to limitations on voluntary services? Even for many modifications (e.g., bug fixes) this causes no issues because in many cases the DoD has no interest in keeping those changes confidential. The usual DoD contract clause (DFARS 252.227-7014) permits this by default. Prior art invalidates patents. 
The real challenge is one of education - some developers incorrectly believe that just because something is free to download, it can be merged or changed without restriction. The 2003 MITRE study section 1.3.4 outlines several ways to legally mix GPL with proprietary or classified software: Often such separation can occur by separating information into data and a program that uses it, or by defining distinct layers. The Air Force thinks it's finally found a way. No, complying with OSS licenses is much easier than proprietary licenses if you only use the software in the same way that proprietary software is normally used. The Defense Information Systems Agency maintains the DOD Information Network (DODIN) Approved Products List (APL) process, as outlined in DOD Instruction 8100.04 on behalf of the Department of Defense. However, sometimes OGOTS/GOSS software is later released as OSS. DFARS 252.227-7014(a)(15) defines unlimited rights as rights to use, modify, reproduce, release, perform, display, or disclose computer software or computer software documentation in whole or in part, in any manner and for any purpose whatsoever, and to have or authorize others to do so. Q: Is the GPL compatible with Government Unlimited Rights contracts, or does the requirement to display the license, etc, violate Government Unlimited Rights contracts? SUBJECT: Software Products Approval Process. Adobe Acrobat Reader software is copyrighted software which gives users instant access to documents in their original form, independent of computer platform. 2019 Approved Software Developers and Transmitters (PDF 51.18 KB) Updated April 15, 2020.
This Open Source Software FAQ was originally developed on Intellipedia, using a variety of web browsers including Mozilla Firefox. Are there guidance documents on OGOTS/GOSS? The DoD already uses a wide variety of software licensed under the GPL. Do not mistakenly use the term non-commercial software as a synonym for open source software. The use of commercial products is generally encouraged, and when there are commercial products, the government expects that it will normally use whatever license is offered to the public. A certification mark is any word, phrase, symbol or design, or a combination thereof owned by one party who certifies the goods and services of others when they meet certain standards. By definition, open source software provides more rights to users than proprietary software (at least in terms of use, modification, and distribution). Thus, components that have the potential to (eventually) support many users are more likely to succeed. Yes; Why Open Source Software / Free Software (OSS/FS, FLOSS, or FOSS)? Most OSS projects have a trusted repository, that is, some (web) location where people can get the official version of the program, as well as related information (documentation, bug report system, mailing lists, etc.). Also, there are rare exceptions for NIST and the US Postal Service employees where a US copyright can be obtained (see CENDI's Frequently Asked Questions About Copyright). Its flexibility is as high as GOTS, since it can be arbitrarily modified. Approved supplements are maintained by AFCENT/A1RR at afcent.a1rrshaw@afcent.af.mil. Dynamic attacks (e.g., generating input patterns to probe for vulnerabilities and then sending that data to the program to execute) don't need source or binary. No, DoD policy does not require you to have commercial support for OSS, but you must have some plan for support.
Public domain software (in this copyright-related sense) can be used by anyone for any purpose, and cannot by itself be released under a copyright license (including typical open source software licenses). If it is a modification of an existing project, or a plug-in to it, release it under the project's original license (and possibly other licenses). Again, if this is the case, then the contractor cannot release the software as OSS without permission, because the contractor doesn't own the copyright. This page is an educational resource for government employees and government contractors to understand the policies and legal issues relating to the use of open source software (OSS) in the United States Department of Defense (DoD). Very Important Notes: The Public version of DoD Cyber Exchange has limited content. Under the DFARS or the FAR, the government can release software as open source software once it receives unlimited rights to that software. The GPL and LGPL licenses specifically recommend that "You should also get your employer (if you work as a programmer) or school, if any, to sign a copyright disclaimer for the program, if necessary.", and point to additional information. The use of software with a proprietary license provides absolutely no guarantee that the software is free of malicious code. Thus, they are all strategies for sharing the development and maintenance costs of software, potentially reducing its cost. 1498, the exclusive remedy for patent or copyright infringement by or on behalf of the Government is a suit for monetary damages against the Government in the Court of Federal Claims. This eliminates future incompatibility and encourages future contributions by others. Headquartered in Geneva, Switzerland, it has six regional offices and 150 field offices worldwide.
The argument is that the classification rules are simply laws of the land (and not additional rules), the classification rules already forbid the release of the resulting binaries to those without proper clearances, and that the GPL only requires that source code be released to those who received a binary. A Boston Consulting Group study found that the average age of OSS developers was 30 years old, the majority had training in information technology and/or computer science, and on average had 11.8 years of computer programming experience. Certain FAR clause alternatives (such as FAR 52.227-17) require the contractor to assign the copyright to the government. Software that meets very high reliability/security requirements, aka high assurance software, must be specially designed to meet such requirements. If it is already available to the public and is used unchanged, it is usually COTS. Thus, if there is an existing contract, you must check the contract to determine the specific situation; the text above merely describes common cases. These lists apply to all NSA/CSS elements, contractors, and personnel, and pertain to all IS storage devices that they use. (See GPL FAQ, "Can I use the GPL for something other than software?") The program available to the public may improve over time, through contributions not paid for by the U.S. government. Q: Where can I release open source software that are new projects to the public?