A company that found any of its proprietary software in an OSS project can in most cases quickly determine who unlawfully submitted that code and sue that person for infringement. Software licenses, including those for open source software, are typically based on copyright law. Coat or jacket depending on the season. The public release also makes it easy to have copies of versions in many places, and to compare those versions, making it easy for many people to review changes. The regulation is available at. GOTS software should not be released when it implements a strategic innovation, i.e. Q: Is there a large risk that widely-used OSS unlawfully includes proprietary software (in violation of copyright)? However, you should examine past experience and your intended uses before depending on this as a primary mechanism for support. If the intent of a contract is to develop software to be released as open source software, it is best to expressly include release as OSS as part of the contract. Again, these are examples, and not official endorsements of any particular product or supplier. 7101-7109). Furthermore, 52.212-4(s) says: (s) Order of precedence. This formal training is supplemented by extensive on-the-job training and accumulated hands-on experience gained throughout the Service member's career. The certification affirms that the Air Force OTI is authorized to use ASTi's products, which now appear in the OTI Evaluated/Approved Products List (OTI E/APL). In the commercial world, the copyright holders are typically the individuals and organizations that originally developed the software. The more potential users, the more potential developers. This isn't usually an issue because of how typical DoD contract clauses work under the DFARS. Q: When a DoD contractor is developing a new system/software as a deliverable in a typical DoD contract, is it possible to include existing open source software?
Department of the Air Force updates policies, procedures to recruit for the future. DoD contractors who always ignore components because they are OSS, or because they have a particular OSS license they don't prefer, risk losing projects to more competitive bidders. The Air Force thinks it's finally found a way. Q: Why is it important to understand that open source software is commercial software? Government Cloud Brings DoD Systems in the 21st Century. OSS COTS tends to be lower cost than GOTS, in part for the same reasons as proprietary COTS: its costs are shared among more users. If the government modifies existing OSS, but fails to release those improvements back to the main OSS project, it risks: Similarly, if the government develops new software but does not release it as OSS, it risks: Clearly, classified software cannot be released back to the public as open source software. Problems must be fixed. Typically this will include a source code version management system, a mailing list, and an issue tracker. By definition, OSS software permits arbitrary use of the software, and allows users to re-distribute the software to others. If this is the case, then the contractor cannot release the software as OSS without permission, because the contractor doesn't own the copyright. Q: Isn't OSS developed primarily by inexperienced students? Note also that merely being developed for the government is no guarantee that there is no malicious embedded code. Commander offers insight during Black History celebration at Oklahoma Capitol. Since OSS licenses are quite generous, the only license-violating actions a developer is likely to try are to release software under a more stringent license and those will have little effect if they cannot be enforced in court. The government is not the copyright holder in such cases, but the government can still enforce its rights.
Also, since there are a limited number of users, there is limited opportunity to gain from user innovation - which again can lead to obsolescence. In some other cases, the government lacks the rights to release the software to the public, e.g., the government may only have Government Purpose Rights (GPR). Anyone who is considering this approach should obtain a determination from general counsel first (and please let the FAQ authors know!). Are there guidance documents on OGOTS/GOSS? Q: Does the DoD already use open source software? Classified information may not be released to the public without special authorization to do so. The U.S. has granted a large number of software patents, making it difficult and costly to examine all of them. It also often has lower total cost-of-ownership than proprietary COTS, since acquiring it initially is often free or low-cost, and all other support activities (training, installation, modification, etc.) OTD depends on open standards and interfaces, open source software and designs, collaborative and distributed online tools, and technological agility. The FAR and DFARS specifically permit different agreements to be struck (within certain boundaries). DoD Directive 5000.1 states that open systems shall be employed, where feasible, and the European Commission identifies open standards as a major policy thrust. DoDIN Approved Products List. The usual federal non-DoD clause (FAR 52.227-14) also permits this by default as long as the government has not granted the contractor the right to assert copyright. 000+ postings in Shaw Air Force Base, SC and other big cities in USA. Similarly, OSS (as well as proprietary software) may indeed have malicious code embedded in it. 
Thus, avoid releasing software under only the original (4-clause) BSD license (which has been replaced by the new or revised 3-clause license), the Academic Free License (AFL), the now-abandoned Common Public License 1.0 (CPL), the Open Software License (OSL), or the Mozilla Public License version 1.1 (MPL 1.1). Examples include GPL applications running on proprietary operating systems or wrappers, and GPL applications that use proprietary components explicitly marked as non-GPL. Thus, as long as the software has at least one non-governmental use, software licensed (or offered for license) to the public is a commercial product for procurement purposes. Acquisition Process Model. Q: How can I avoid failure to comply with an OSS license? In addition, important open source software is typically supported by one or more commercial firms. The DoD already uses a wide variety of software licensed under the GPL. There are many alternative clauses in the FAR and DFARS, and specific contracts can (and often do) have different agreements on who has which rights to software developed under a government contract. The Customs and Border Protection (CBP) has said, in an advisory ruling, that the country of origin of software is the place where the software is converted into object code ("Software comes from the place where it's converted into object code, says CBP", FierceGovernmentIT), for purposes of granting waivers of certain Buy American restrictions in U.S. law or practice or products offered for sale to the U.S. Government. That said, this does not mean that all OSS is superior to all proprietary software in all cases by all measures. In most cases, this GPL license term is not a problem. Many prefer unified diff patches, generated by diff -u or similar commands. Dynamic attacks (e.g., generating input patterns to probe for vulnerabilities and then sending that data to the program to execute) don't need source or binary.
Wikipedia maintains an encyclopedia using approaches similar to open source software approaches. There are many general OSS review projects, such as those by OpenBSD and the Debian Security Audit team. Some protocols and formats have been specifically devised and reviewed to avoid patents; using them is more likely to avoid problems. Once software exists, all costs are due to maintenance and support of software. The owner of the mark exercises control over the use of the mark; however, because the sole purpose of a certification mark is to indicate that certain standards have been met, use of the mark is by others. You don't have to register a trademark to have a trademark. What is Open Technology Development (OTD)? At this time there is no widely-accepted term for software whose source code is available for review but does not meet the definition of open source software (due to restrictions on use, modification, or redistribution). If that competitor's use of OSS results in an advantage to the DoD (such as lower cost, faster schedule, increased performance, or other factors such as increased flexibility), contractors should expect that the DoD will choose the better bid. Even when the original source is necessary for in-depth analysis, making source code available to the public significantly aids defenders and not just attackers. Air Force ROTC is offered at over 1,100 colleges and universities in the continental United States, Puerto Rico and Hawaii. Most OSS projects have a trusted repository, that is, some (web) location where people can get the official version of the program, as well as related information (documentation, bug report system, mailing lists, etc.). Can the DoD use GPL-licensed software? As with all commercial items, organizations must obey the terms of the commercial license, negotiate a different license if necessary, or not use the commercial item.
Common licenses for each type are: - Permissive: MIT, BSD-new, Apache 2.0 - Weakly protective: LGPL (version 2 or 3) - Strongly protective: GPL (version 2 or 3). 150 Vandenberg Street, Suite 1105 Peterson AFB CO 80914-4420. This need for legal analysis is one reason why creating new OSS licenses is strongly discouraged: It can be extremely difficult, costly, and time-consuming to analyze the interplay of many different licenses. This is particularly the case where future modifications by the U.S. government may be necessary, since OSS by definition permits modification. Yes. (3) Verbal waivers are NOT authorized. For example, the Government has public release rights when the software is developed by Government personnel, when the Government receives unlimited rights in software developed by a contractor at Government expense, or when pre-existing OSS is modified by or for the Government. And of course, individual OSS projects often have security review processes or methods (such as Mozilla's bounty system). Others can obtain permission to use a copyrighted work by obtaining a license from the copyright holder. Enforcing the GNU GPL by Eben Moglen is a brief essay that argues why the GNU General Public License (GPL), specifically, is enforceable. The first-ever Oklahoma Black History Day was celebrated at the state Capitol Feb. 13 with Lt. Gen. Stacey Hawkins, Air Force Sustainment Center commander, serving as the keynote speaker for the event. Hosted by the Oklahoma Legislative Black Caucus, a focus of this . before starting have a clear understanding of the reasons to migrate; ensure that there is active support for the change from IT staff and users; make sure that there is a champion for change, the higher up in the organisation the better; build up expertise and relationships with the OSS movement; ensure that each step in the migration is manageable.
It also risks reduced flexibility (including against cyberattack), since OSS permits arbitrary later modification by users in ways that some other license approaches do not. Whether or not this was intentional, it certainly had the same form as a malicious back door. Computer and electronic hardware that is designed in the same fashion as open source software (OSS) is sometimes termed open source hardware. An Open System is a system that employs modular design, uses widely supported and consensus-based standards for its key interfaces, and has been subjected to successful V&V tests to ensure the openness of its key interfaces (per the DoD Open Systems Joint Task Force). The travel and meal tickets you received the day you reported to ship out to basic training. In some cases access is limited to portions of the government instead of the entire government. "acquire commercial services, commercial products, or nondevelopmental items other than commercial products to meet the needs of the agency; require prime contractors and subcontractors at all levels under the agency contracts to incorporate commercial services, commercial products, or nondevelopmental items other than commercial products as components of items supplied to the agency; modify requirements in appropriate cases to ensure that the requirements can be met by commercial services or commercial products or, to the extent that commercial products suitable to meet the agency's needs are not available, nondevelopmental items other than commercial products in response to agency solicitations; state specifications in terms that enable and encourage bidders and offerors to supply commercial services or commercial products or, to the extent that commercial products suitable to meet the agency's needs are not available, nondevelopmental items other than commercial products in response to the agency solicitations; revise the agency's procurement policies, practices, and procedures not required by law to reduce any
impediments in those policies, practices, and procedures to the acquisition of commercial products and commercial services; and, require training of appropriate personnel in the acquisition of commercial products and commercial services.". The Creative Commons is a non-profit organization that provides free tools, including a set of licenses, to let authors, scientists, artists, and educators easily mark their creative work with the freedoms they want it to carry. In short, OSS more accurately reflects the economics of software development; some speculate that this is one reason why OSS has become so common. Vendor lock-in, aka lock-in, is the situation in which customers are dependent on a single supplier for some product (i.e., a good or service), or products, and cannot move to another vendor without substantial costs and/or inconvenience. These lists apply to all NSA/CSS elements, contractors, and personnel, and pertain to all IS storage devices that they use. Some more military-specific OSS programs created-by or used in the military include: One approach is to use a general-purpose search engine (such as Google) and type in your key functional requirements. BPC-157. Some people like the term GOSS, because it indicates an intent to do OSS-like collaborative development, but within the government instead. This Open Source Software FAQ was originally developed on Intellipedia, using a variety of web browsers including Mozilla Firefox. If the goal is to maximize the use of a technology or standard in a variety of different applications/implementations, including proprietary ones, permissive licenses may be especially useful. Read More 616th OC Airmen empower each other. In particular, U.S. law (10 USC 2377) requires a preference for commercial products for procurement of supplies or services. Two-day supply of clothing. Peterson AFB CO 80914-4420. OSS is increasingly commercially developed and supported.
The first meeting of the World Health Assembly (WHA), the agency's governing body, took place on 24 July of that year. The key issue with both versions of the GPL is that, unlike most other OSS licenses, the GPL licenses require that a recipient of a binary (executable) must be able to demand and receive the source code of that program, and the recipient must also be able to propagate the work under that license. Any reproduction of this computer software, or portions thereof, marked with this legend must also reproduce these markings. First, get approval to publicly release the software. (See also Publicly Releasing Open Source Software Developed for the U.S. Government by Dr. David A. Wheeler, DoD Software Tech News, February 2011.). Under the current DoD contracting regime, the contractor usually retains the copyright for software developed with government funding, so in such cases the contractor (not the government) has the right to sue for copyright violation. As a result, it is difficult to develop software and be confident that it does not violate enforceable patents. What it does mean, however, is that the DoD will not reject consideration of a COTS product merely because it is OSS. This includes the most popular OSS license, the, Weakly Protective (aka weak copyleft): These licenses are a compromise between permissive and strongly protective licenses. The GTG-F is a collection of web-based applications supporting the continuing evolution of the Department of Defense (DoD) Information Technology Standards. This also means that these particular licenses are compatible. Senior leaders across DoD see bridging the tactical edge and embedding resilience to scale as key issues moving forward. In some cases, the government obtains the copyright; in those cases, the government can sue for copyright violation. U.S. law governing federal procurement U.S.
Code Title 41, Chapter 7, Section 103 defines commercial product as a product, other than real property, that- (A) is of a type customarily used by the general public or by nongovernmental entities for purposes other than governmental purposes; and (B) has been sold, leased, or licensed, or offered for sale, lease, or license, to the general public . As noted in the article Open Source memo doesn't mandate a support vendor (by David Perera, FierceGovernmentIT, May 23, 2012), the intent of the memo was not to issue a blanket requirement that all open source software come bundled with contractor support or else it can't be used If a Defense agency is able to sustain the open source software with its own skills and talents then that can be enough to satisfy the intent of the memo. In addition, How robust the support plan need be can also vary on the nature of the software itself For command and control software, the degree would have to be greater than for something that's not so critical to mission execution. Q: What are synonyms for open source software? Atty Gen.51 (1913)) that has become the leading case construing 31 U.S.C. A permissive license permits arbitrary use of the program, including making proprietary versions of it. The NSA/CSS Evaluated Products Lists equipment that meets NSA specifications. Requiring that all developers be cleared first can reduce certain risks (at substantial costs), where necessary, but even then there is no guarantee. disa.meade.ie.list.approved-products-certification-office@mail.mil. Again, if this is the case, then the contractor cannot release the software as OSS without permission, because the contractor doesn't own the copyright.
Air Force Policy Directive 38-1, Manpower and Organization, 2 July 2019 Air Force instruction 33-360, Publications and Forms Management, 1 December 2015 Air Force Manual 33-363, Management of Records, 21 July 2016 Adopted Forms AF Form 847, Recommendation for Change of Publications Example: GPL and (unrelated) proprietary applications can be running at the same time on a desktop PC. This can create an avalanche-like virtuous cycle. This enables cost-sharing between users, as with proprietary development models. What's more, proprietary software release practices make it more difficult to be confident that the software does not include malicious code. For additional information please contact: disa.meade.ie.list.approved-products-certification-office@mail.mil. When considering any software (OSS or proprietary), look for evidence that the risk of unlawful release is low. Q: Where can I release open source software that are new projects to the public? It points to various studies related to market share, reliability, performance, scalability, security, and total cost of ownership. There are two runways supporting an average of 47,000 aircraft operations . For local guidance, Airmen are encouraged to . Be sure to consider such costs over a period of time (typically the lifetime of the system including its upgrades), and use the same period when evaluating alternatives; otherwise, one-time costs (such as costs to transition from an existing proprietary system) can lead to erroneous conclusions. The Apache 2.0 license is compatible with the GPL version 3 license, but not the GPL version 2 license. No; this is a low-probability risk for widely-used OSS programs. Relevant government authorities make it clear that the Antideficiency Act (ADA) does not generally prohibit the use of OSS due to limitations on voluntary services.
For almost as long as smartphones have existed, defense IT leaders have wondered aloud whether they'd ever be able to securely implement a bring-your-own-device (BYOD) approach to military networks. No. What contract applies, what are its terms, and what decisions have been made? Clarence Carpenter. Many governments, not just the U.S., view open systems as critically necessary. If using acronyms and abbreviations, only utilize those identified on the approved Air Force Acronym and Abbreviation List, unless noted by an approved category. TCG LinkPRO, TCG BOSS, and TCG GTS all earn placement on DOD's OTI evaluated/approved products list. Also, US citizens can attempt to embed malicious code into software, and many non-US citizens develop software without embedding malicious code. It may be found at, US Army Regulation 25-2, paragraph 4-6.h, provides guidance on software security controls that specifically addresses open source software. Prior art invalidates patents. If you are releasing OSS source code for Unix-like systems (including Linux and MacOS), you should follow the usual conventions for doing so as described below: You may use existing industry OSS project hosting services such as SourceForge, Savannah, GitHub, or Apache Software Foundation. Such developers need not be cleared, for example. For advice about a specific situation, however, consult with legal counsel. This should not be surprising; the DoD uses OSS extensively, and the GPL is the most popular OSS license. By default, the government has the necessary rights if it does not permit the contractor to assert copyright, but it loses those rights if the government permits the contractor to assert copyright. No, complying with OSS licenses is much easier than proprietary licenses if you only use the software in the same way that proprietary software is normally used. It would also remove the uniquely (OSS) ability to change infrastructure source code rapidly in response to new modes of cyberattack. 
Enables families, visitors and the public to locate gravesites, events or other points of interest throughout the cemetery. Such mixing can sometimes only occur when certain kinds of separation are maintained - and thus this can become a design issue. See the licenses listed in the FAQ question "What are the major types of open source software licenses?". OTD is an approach to software/system development in which developers (in multiple organizations) collaboratively develop and maintain software or a system in a decentralized fashion. Where it is important, examining the security posture of the supplier (e.g., their processes that reduce risk) and scanning/testing/evaluating the software may also be wise. U.S. government contractors (including those in the DoD) are often indemnified from patent infringement by the U.S. government as part of their contract. As noted above, in nearly all cases, open source software is considered commercial software by U.S. law, the FAR, and the DFARS. As noted in the Secure Programming for Linux and Unix HOWTO, three conditions reduce the risks from unintentional vulnerabilities in OSS: The use of any commercially-available software, be it proprietary or OSS, creates the risk of executing malicious code embedded in the software. BSD TCP/IP suite - Provided the basis of the Internet, Greatly increased costs, due to the effort of self-maintaining its own version, Inability to use improvements (including security patches and innovations) by others, where it uses a non-standard version instead of the version being actively maintained, Greatly increased cost, due to having to bear the, Inability to use improvements (including security patches and innovations) by others, since they do not have the opportunity to aid in its development, Obsolescence due to the development and release of a competing commercial (e.g., OSS) project.
An Airman at the 616th Operations Center empowered his fellow service members by organizing a professional development seminar for his unit. German courts have enforced the GPL. DSEI 2021, ExCel, LONDON, UK - 14 September 2021 - Curtiss-Wright's Defense Solutions division (Bays 22-26 ExCeL Exhibition Centre), a trusted supplier of tactical data link (TDL) software and hardware solutions engineered to succeed, announced that it has received certification from . By August 1941, American president Franklin Roosevelt and British prime minister Winston Churchill had drafted the Atlantic Charter to define goals for the post-war world. Flight Inspection. A copyright holder who releases creative works under one of the Creative Commons licenses that permit commercial use and modifications would be using an OSS-like approach for such works. Volume II of its third edition, section 6.C.3, describes in detail this prohibition on voluntary services. Q: Can the government release software under an open source license if it was developed by contractors under government contract? Bruce Perens noted back in 1999, Do not write a new license if it is possible to use (a common existing license) The propagation of many different and incompatible licenses works to the detriment of Open Source software because fragments of one program cannot be used in another program with an incompatible license. Many view OSS license proliferation as a problem; Serdar Yegulalp's 2008 Open Source Licensing Implosion (InformationWeek) noted that not only are there too many OSS licenses, but that the consequences for blithely creating new ones are finally becoming concrete the vast majority of open source products out there use a small handful of licenses Now that open source is becoming (gasp) a mainstream phenomenon, using one of the less-common licenses or coming up with one of your own works against you more often than not.
Contractors for other federal agencies may have a different process to use, but after going through a process they can often release such software as open source software. Q: Does releasing software under an OSS license count as commercialization? The FAR and DFARS specifically permit different agreements to be struck, within certain boundaries, and other agencies have other supplements. Use of the DODIN APL allows DOD Components to purchase and operate systems over all DOD network infrastructures. In practice, commercial software (OSS or not) tends to be developed globally, especially when you consider their developers and supply chains. All executables that are not on a base approval list will soon be blocked. Whether or not this will occur depends on factors such as the number of potential users (more potential users makes this more likely), the existence of competing OSS programs (which may out-compete the newly released component), and how difficult it is to install/use. Others do not like the term GOSS, because GOSS is not actually OSS, and they believe the term can be misleading. As far as I have heard, unless you are a programmer then you aren't getting any actual development software. This greatly reduces contractors' risks, enabling them to get work done (given this complex environment). Commercial software (both proprietary and OSS) is occasionally updated to fix errors (including security vulnerabilities), and your system should be designed so that it is relatively easy to accept these updates. In nearly all cases, pre-existing OSS are commercial products, and thus their use is governed by the rules for including any commercial products in the deliverable. Requiring the use of very unusual development tools may impede development, unless those tools provide a noticeable advantage.