Q: Can government employees develop software as part of their official duties and release it under an open source license? No, OSS is developed by a wide variety of software developers, and the average developer is quite experienced. See the licenses listed in the FAQ question "What are the major types of open source software licenses?". In many cases, yes, but this depends on the specific contract and circumstances. Q: In what form should I release open source software? Yes, in general. Application Mixing: GPL can rely on other software to provide it with services, provided that those services are either generic (e.g., operating system services) or have been explicitly exempted by the GPL software designer as non-GPL components. (4) Waivers for non-FDA approved medications will not be considered. The summary of changes section reads as follows as of Dec. 3, 2021: This interim change revises DAFI 36-2903 by adding Chief of Staff of the Air Force-approved Air Force Virtual Uniform Board items, standardizing guidance for the maintenance duty uniform, republishing guidance from Department of the Air Force guidance memorandum for female hair . Similarly, U.S. Code Title 41, Section 104 defines the term "Commercially available off-the-shelf (COTS) item"; software is COTS if it is (a) a commercial product, (b) sold in substantial quantities in the commercial marketplace, and (c) is offered to the Federal Government, without modification, in the same form in which it is sold in the commercial marketplace. You can support OSS either through a commercial organization, or you can self-support OSS; in either case, you can use community support as an aid. No, DoD policy does not require you to have commercial support for OSS, but you must have some plan for support.
For software delivered under federal contracts, any choice of venue clauses in the license generally conflict with the Contract Disputes Act. References to specific products or organizations are for information only, and do not constitute an endorsement of the product/company. Can the DoD use GPL-licensed software? The public release of the item is not restricted by other law or regulation, such as the Export Administration Regulations or the International Traffic in Arms Regulation, and the item qualifies for Distribution Statement A, per DoD Directive 5230.24 (reference (i)). The lack of money changing hands in open source licensing should not be presumed to mean that there is no economic consideration, however. Q: Does the Antideficiency Act (ADA) prohibit all use of OSS due to limitations on voluntary services? Such developers need not be cleared, for example. A primary reason that this is low-probability is the publicity of the OSS source code itself (which almost invariably includes information about those who made specific changes). Q: Is OSS commercial software? OSS COTS tends to be lower cost than GOTS, in part for the same reasons as proprietary COTS: its costs are shared among more users. The Office of the Chief Software Officer is leading the mission to make the Digital Air Force a reality by supporting our Airmen with Software Enterprise Capabilities. We are enabling adoption of innovative software best practices, cyber security solutions, Artificial Intelligence and Machine Learning technologies across AF programs while removing impediments to DevSecOps and IT innovation. This is not uncommon. Similarly, OSS (as well as proprietary software) may indeed have malicious code embedded in it. Note that under the DoD definition of open source software, such public domain software is open source software.
DoD contractors who always ignore components because they are OSS, or because they have a particular OSS license they don't prefer, risk losing projects to more competitive bidders. OSS projects typically seek financial gain in the form of improvements. Choose a widely-used existing license; do not create a new license. Atty Gen.51 (1913)) that has become the leading case construing 31 U.S.C. In contracts where this issue is important, you should examine the contract to find the specific definitions that are being used. So, while open systems/open standards are different from open source software, they are complementary and can work well together. Thus, they are all strategies for sharing the development and maintenance costs of software, potentially reducing its cost. This is not merely theoretical; in 2003 the Linux kernel development process resisted an attack. Many development tools covered by the GPL include libraries and runtimes that are not covered by the GPL itself but the GPL with a runtime exception (e.g., the CLASSPATH exception) that specifically permits development of proprietary software. These cases were eventually settled by the parties, but not before certain claims regarding the GPLv2 were decided. Other documents that you may find useful include: An official website of the United States government, Frequently Asked Questions regarding Open Source Software (OSS) and the Department of Defense (DoD). In addition, a third party who breaches a software license (including for OSS) granted by the government risks losing rights they would normally have due to the doctrine of unclean hands.
This regulation only applies to the US Army, but may be a useful reference for others. 2518(4)(B) says that, An article is a product of a country or instrumentality only if (i) it is wholly the growth, product, or manufacture of that country or instrumentality, or (ii) in the case of an article which consists in whole or in part of materials from another country or instrumentality, it has been substantially transformed into a new and different article of commerce with a name, character, or use distinct from that of the article or articles from which it was so transformed. The CBP also pointed out a ruling (Data General v. United States, 4 CIT 182 (1982)), that programming a PROM performed a substantial transformation. No. Q: Can contractors develop software for the government and then release it under an open source license? There are many other reasons to believe nearly all OSS is commercial software: This is confirmed by Clarifying Guidance Regarding Open Source Software (OSS) (2009) and the Department of the Navy Open Source Software Guidance (signed June 5, 2007). The release may also be limited by patent and trademark law. Be sure to consider total cost of ownership (TCO), not just initial download costs. (See also the GPL FAQ question "Can the US Government release a program under the GNU GPL?") Choosing between the various options - particularly between permissive, weakly protective, and strongly protective options - is perhaps the most difficult, because this selection depends on your goals, and there are many opinions on which licenses are most appropriate for different circumstances. What is its relationship to OSS? Q: What are the risks of failing to consider the use of OSS components or approaches? If you know of an existing proprietary product that meets your needs, searching for its name plus "open source" may help. Q: Where can I release open source software that are new projects to the public?
When including externally-developed software in a larger system (e.g., as a library), make it clearly separable from the other components and easy to update. The U.S. government can often directly combine GPL and proprietary, classified, or export-controlled software into a single program arbitrarily, as long as the result is never conveyed outside the U.S. government. OTD depends on open standards and interfaces, open source software and designs, collaborative and distributed online tools, and technological agility. These prevent the software component (often a software library) from becoming proprietary, yet permit it to be part of a larger proprietary program. Salesforce Government Cloud takes advantage of the same cloud-based CRM technology that has made Salesforce a household name among businesses large and small. If the government modifies existing OSS, but fails to release those improvements back to the main OSS project, it risks: Similarly, if the government develops new software but does not release it as OSS, it risks: Clearly, classified software cannot be released back to the public as open source software. This legal analysis must determine if it is possible to meet the conditions of all relevant licenses simultaneously. All executables that are not on a base approval list will soon be blocked. The following externally-developed evaluation processes or tips may be of use: Migrating from an existing system to an OSS approach requires addressing the same issues that any migration involves. Software licenses, including those for open source software, are typically based on copyright law. The Defense Information Systems Agency maintains the DOD Information Network (DODIN) Approved Products List (APL) process, as outlined in DOD Instruction 8100.04 on behalf of the Department of Defense. If you are looking for an application that has wide use, one of the various lists of open source alternatives may help.
Fundamentally, a standard is a specification, so an open standard is a specification that is open. German courts have enforced the GPL. 1342, Limitation on voluntary services. On approval, such containers are granted a Certificate to Field designation by the Air Force Chief Software Officer. Any inconsistencies in this solicitation or contract shall be resolved by giving precedence in the following order: (1) the schedule of supplies/services; (2) the Assignments, Disputes, Payments, Invoice, Other Compliances, and Compliance with Laws Unique to Government Contracts paragraphs of this clause; (3) the clause at 52.212-5; (4) addenda to this solicitation or contract, including any license agreements for computer software; . This can be a cause of confusion, because without any markings, a recipient is often unaware that the government has unlimited rights to it, and if the government does not know it has certain rights, it becomes difficult for the government to exercise its rights. This greatly reduces contractors' risks, enabling them to get work done (given this complex environment). Q: What additional material is available on OSS in the government or DoD? Execution Mixing: GPL and other software can run at the same time on the same computer or network. This includes the most popular OSS license, the, Weakly Protective (aka weak copyleft): These licenses are a compromise between permissive and strongly protective licenses. Q: Does releasing software under an OSS license count as commercialization? If a legal method for using the GPL software for a particular application cannot be devised, and a different license cannot be negotiated, then the GPL-licensed component cannot be used for that particular purpose. These services must be genuinely generic in the sense that the applications that use them must not depend on the detailed design of the GPL software to work.
Support for OSS is often sold separately for OSS; in such cases, you must comply with the support terms for those uses to receive support, but these are typically the same kinds of terms that apply to proprietary software (and they tend to be simpler in practice). Be sure to consider such costs over a period of time (typically the lifetime of the system including its upgrades), and use the same period when evaluating alternatives; otherwise, one-time costs (such as costs to transition from an existing proprietary system) can lead to erroneous conclusions. If that competitor's use of OSS results in an advantage to the DoD (such as lower cost, faster schedule, increased performance, or other factors such as increased flexibility), contractors should expect that the DoD will choose the better bid. Review really does happen. Establish vetting process(es) before government will use updated versions (testing, etc.). The following questions discuss some specific cases. In addition, an attacker can often acquire the original source code from suppliers anyway (either because the supplier voluntarily provides it, or via attacks against the supplier); in such cases, if only the attacker has the source code, the attacker ends up with another advantage. For example, software that can only be used for government purposes is not OSS, since it cannot be used for any purpose. Example: GPL and (unrelated) proprietary applications can be running at the same time on a desktop PC. Any company can easily review OSS to look for proprietary code that should not be there; there are even OSS tools that can find common code. Software licensed under the GPL can be mixed with software released under other licenses, and mixed with classified or export-controlled software, but only under conditions that do not violate any license.
Clarifying Guidance Regarding Open Source Software (OSS) states that "Software items, including code fixes and enhancements, developed for the Government should be released to the public (such as under an open source license) when all of the following conditions are met: The government or contractor must determine the answer to these questions: Source: Publicly Releasing Open Source Software Developed for the U.S. Government. The Secretary of the Air Force approved the activation plan on 25 January 1972 and the college was established 1 April 1972 at Randolph AFB, Texas. Yes. The U.S. Court of Appeals for the Federal Circuit's 2008 ruling on Jacobsen v. Katzer made it clear that OSS licenses are enforceable, even if money is not exchanged. The FAR and DFARS specifically permit different agreements to be struck (within certain boundaries). In some cases, the government obtains the copyright; in those cases, the government can sue for copyright violation. Distribution Mixing: GPL and other software can be stored and transmitted together. If this is the case, then the contractor cannot release the software as OSS without permission, because the contractor doesn't own the copyright. In effect, the malicious developer could lose many or all rights over their license-violating result, even rights they would normally have had! A Boston Consulting Group study found that the average age of OSS developers was 30 years old, the majority had training in information technology and/or computer science, and on average had 11.8 years of computer programming experience. Indeed, because a calculation of damages is inherently speculative, these types of license restrictions might well be rendered meaningless absent the ability to enforce through injunctive relief.
In short, it determined that the OSS license at issue in the case (the Artistic license) was indeed an enforceable license. Of them, 40 Airmen voluntarily left the service and 14 officers retired, according to Undersecretary of the Air Force Gina Ortiz Jones at a House Armed Services Committee hearing Feb. 28. For the DoD, the risks of failing to consider the use of OSS where appropriate are of increased cost, increased schedule, and/or reduced performance (including reduced innovation or security) to the DoD due to the failure to use the commercial software that best meets the needs (when that is the case). (See GPL FAQ, "Can I use the GPL for something other than software?".) The GPL version 2 and the GPL version 3 are in principle incompatible with each other, but in practice, most released OSS states that it is GPL version 2 or later or GPL version 3 or later; in these cases, version 3 is a common license and thus such software is compatible. The terms that apply to usage and redistribution tend to be trivially easy to meet (e.g., you must not remove the license or author credits when re-distributing the software). Note that this also applies to proprietary software, which often has even stricter limits on if/how the software may be changed. Where it is important, examining the security posture of the supplier (e.g., their processes that reduce risk) and scanning/testing/evaluating the software may also be wise. Thus, to reduce the risk of executing malicious code, potential users should consider the reputation of the supplier and the experience of other users, prefer software with a large number of users, and ensure that they get the real software and not an imitator.
At project start, the project creators (who create the initial trusted repository) are the trusted developers, and they determine who else may become a trusted developer of this initial trusted repository. Under the DFARS or the FAR, the government can release software as open source software once it receives unlimited rights to that software. Commercially-available software that is not open source software is typically called proprietary or closed source software. Unlike proprietary COTS, GOTS has the advantage that the government has the right to change the software whenever the government chooses to do so. Yes, it's possible. A copyright holder who releases creative works under one of the Creative Commons licenses that permit commercial use and modifications would be using an OSS-like approach for such works. The use of commercial products is generally encouraged, and when there are commercial products, the government expects that it will normally use whatever license is offered to the public. Very Important Notes: The Public version of DoD Cyber Exchange has limited content. is a survey paper that provides quantitative data that, in many cases, using open source software / free software (abbreviated as OSS/FS, FLOSS, or FOSS) is a reasonable or even superior approach to using their proprietary competition according to various measures. (its) goal is to show that you should consider using OSS/FS when acquiring software. It costs essentially nothing to download a file. Q: What are Open Government Off-the-Shelf (OGOTS) or Government OSS (GOSS)? In some cases, it may be wise to release software under multiple licenses (e.g., LGPL version 2.1 and version 3, GPL version 2 and 3), so that users can then pick which license they will use.
However, there are advantages to registering a trademark, especially for enforcement. Factors that greatly reduce this risk include: Typically not, though the risk varies depending on their contract and specific circumstance. 7101-7109). Furthermore, 52.212-4(s) says: (s) Order of precedence. The doctrine of unclean hands, per law.com, is a legal doctrine which is a defense to a complaint, which states that a party who is asking for a judgment cannot have the help of the court if he/she has done anything unethical in relation to the subject of the lawsuit. What contract applies, what are its terms, and what decisions have been made? If there is an existing contract, you must check the contract to determine the specific situation; the text above merely describes common cases. As noted by the OSJTF definition for open systems, be sure to test such systems with more than one web browser (e.g., Google Chrome, Microsoft Edge and Firefox), to reduce the risk of vendor lock-in. This does not mean that existing OSS elements should always be chosen, but it means that they must be considered. The argument is that the classification rules are simply laws of the land (and not additional rules), the classification rules already forbid the release of the resulting binaries to those without proper clearances, and that the GPL only requires that source code be released to those who received a binary. It points to various studies related to market share, reliability, performance, scalability, security, and total cost of ownership. In most cases, yes. No, although they work well together, and both are strategies for reducing vendor lock-in.
Since OSS licenses are quite generous, the only license-violating actions a developer is likely to try are to release software under a more stringent license and those will have little effect if they cannot be enforced in court. Depending on the contract and its interpretation, contractors may be required to get governmental permission to include commercial components in their deliverables; where this applies, this would be true for OSS components as well as proprietary components. As far as I have heard, unless you are a programmer then you aren't getting any actual development software. Examples include: If you know of others who have similar needs, ask them for leads. The NSA/CSS Evaluated Products Lists equipment that meets NSA specifications. Many governments, not just the U.S., view open systems as critically necessary. This control enhancement is based in the need for some way to update software to fix problems after they are discovered. Classified information may not be released to the public without special authorization to do so. It would also remove the uniquely (OSS) ability to change infrastructure source code rapidly in response to new modes of cyberattack. As noted in the Secure Programming for Linux and Unix HOWTO, three conditions reduce the risks from unintentional vulnerabilities in OSS: The use of any commercially-available software, be it proprietary or OSS, creates the risk of executing malicious code embedded in the software. A weakly-protective license is a compromise between the two, preventing the covered library from becoming proprietary yet permitting it to be embedded in larger proprietary works. Include upgrade/maintenance costs, including indirect costs (such as hardware replacement if necessary to run updated software), in the TCO. This is in part because such a ban would prevent DoD groups from using the same analysis and network intrusion applications that hostile groups could use to stage cyberattacks.
OSS is increasingly commercially developed and supported. The GPL and government unlimited rights terms have similar goals, but differ in details. OGOTS/GOSS software is often not OSS; software is only OSS if it meets the definition of OSS. Estimating the Total Development Cost of a Linux Distribution estimates that the Fedora 9 Linux distribution, which contains over 5,000 software packages, represents about $10.8 billion of development effort in 2008 dollars. This memo is available at, The Open Technology Development Roadmap was released by the office of the Deputy Under Secretary of Defense for Advanced Systems and Concepts, on 7 Jun 2006. FAR 52.227-1 (Authorization and Consent), as prescribed by FAR 27.201-2(a)(1), inserts the clause that the Government authorizes and consents to all use and manufacture of any invention (covered by) U.S. patent.