Q: What are the risks of failing to consider the use of OSS components or approaches?

Failing to consider existing OSS components carries these risks:
- Greatly increased costs, due to the effort of self-maintaining its own version.
- Inability to use improvements (including security patches and innovations) by others, where it uses a non-standard version instead of the version being actively maintained.

Failing to consider an OSS approach for software the government develops carries parallel risks:
- Greatly increased cost, due to having to bear the ...
- Inability to use improvements (including security patches and innovations) by others, since they do not have the opportunity to aid in its development.
- Obsolescence due to the development and release of a competing commercial (e.g., OSS) project.

Both entirely new programs and improvements of existing OSS have been developed using U.S. government funds. There are far too many examples to list; one example is the BSD TCP/IP suite, which provided the basis of the Internet. OSS is also used extensively within the DoD; for example, Intellipedia is implemented using MediaWiki, the open source software developed to implement Wikipedia.

Q: Is OSS commercial software?

Yes, in general. U.S. law governing federal procurement (U.S. Code Title 41, Chapter 7, Section 103) defines "commercial product" as a product, other than real property, that (A) is of a type customarily used by the general public or by nongovernmental entities for purposes other than governmental purposes; and (B) has been sold, leased, or licensed, or offered for sale, lease, or license, to the general public. DFARS 252.227-7014 specifically defines "commercial computer software" in a way that includes nearly all OSS, and defines "noncommercial computer software" as software that does not qualify as commercial computer software. Open source software that has at least one non-governmental use, and is licensed to the public, is commercial software. In nearly all cases, then, OSS is commercial software, so the policies regarding commercial software continue to apply to OSS. As with all commercial items, the DoD must comply with the item's license when using the item. Note that most commercial software is not intended to be used where the impact of any error of any kind is extremely high (e.g., a large number of lives are likely to be immediately lost if even the slightest software error occurs).

For software delivered under federal contracts, any choice of venue clauses in the license generally conflict with the Contract Disputes Act. The standard commercial-item contract clause states: "Any inconsistencies in this solicitation or contract shall be resolved by giving precedence in the following order: (1) the schedule of supplies/services; (2) the Assignments, Disputes, Payments, Invoice, Other Compliances, and Compliance with Laws Unique to Government Contracts paragraphs of this clause; (3) the clause at 52.212-5; (4) addenda to this solicitation or contract, including any license agreements for computer software." This clause establishes that the choice of venue clause (category 4) is superseded by the Contract Disputes Act (category 2), and thus the conflict is typically moot.

Q: How do GOTS, Proprietary COTS, and OSS COTS compare?

Proprietary COTS tend to be lower cost than GOTS, since the cost of development and maintenance is typically shared among a larger number of users (who typically pay to receive licenses to use the product). OSS COTS tends to be lower cost than GOTS, in part for the same reasons as proprietary COTS: its costs are shared among more users. Unfortunately, the government must pay for all development and maintenance costs of GOTS; since these can be substantial, GOTS runs the risk of becoming obsolete when the government cannot afford those costs. Software developed by the government and shared among government organizations is called OGOTS or GOSS; since both terms are in use, the rest of this document will use the term OGOTS/GOSS. OTD includes both OSS and OGOTS/GOSS. In either case, it is important to understand that GOSS is typically not OSS, though GOSS may be a stepping stone towards later OSS release.

Q: Isn't using open source software (OSS) forbidden by DoD Information Assurance (IA) Policy?

No; in nearly all cases OSS is commercial software, and the policies regarding commercial software apply to it. Before approving the use of software (including OSS), system/program managers, and ultimately Designated Approving Authorities (DAAs), must ensure that the plan for software support (e.g., commercial or Government program office support) is adequate for mission need. Note that Government program office support is specifically identified as a possibly-appropriate approach. This control enhancement is based in the need for some way to update software to fix problems after they are discovered. Some have found that community support can be very helpful. If you have concerns about using in-house staff, augmented by the OSS community, to support those components, then select and pay a commercial organization to provide the necessary support. The DoD does not have a single required process for evaluating OSS. Separately, the Defense Information Systems Agency maintains the DoD Information Network (DODIN) Approved Products List (APL) process, as outlined in DoD Instruction 8100.04, on behalf of the Department of Defense; an assessment of that process is slated to conclude in the fourth quarter of FY2022, and all updates to the DoDIN APL process are expected to be published and available by March 2023. US Army Regulation 25-2, paragraph 4-6.h, provides guidance on software security controls that specifically addresses open source software. That regulation only applies to the US Army, but may be a useful reference for others.

There is no DoD policy forbidding or limiting the use of software licensed under the GNU General Public License (GPL). The U.S. government can often directly combine GPL and proprietary, classified, or export-controlled software into a single program arbitrarily, as long as the result is never conveyed outside the U.S. government. Where GPL software is instead used as a service by other applications, these services must be genuinely generic, in the sense that the applications that use them must not depend on the detailed design of the GPL software to work. Since it is typically not legal to modify proprietary software at all, or it is legal only in very limited ways, it is trivial to determine when these additional terms may apply. (See also the GPL FAQ, question "Can the US Government release improvements to a GPL-covered program?")

Does hiding source code make software more secure? No. Even if a commercial program did not originally have vulnerabilities, both proprietary and OSS program binaries can be modified (e.g., with a hex editor or a virus) so that they include malicious code. Indeed, vulnerability databases such as CVE make it clear that merely hiding source code does not counter attacks. Hiding source code does inhibit the ability of third parties to respond to vulnerabilities (because changing software is more difficult without the source code), but this is obviously not a security advantage. Even when the original source is necessary for in-depth analysis, making source code available to the public significantly aids defenders and not just attackers. There are many general OSS review projects, such as those by OpenBSD and the Debian Security Audit team. Such review has a reduced likelihood if the program is niche or rarely-used, has few developers, uses a rare computer language, or is not really OSS. Most OSS projects have a trusted repository, that is, some (web) location where people can get the official version of the program, as well as related information (documentation, bug report system, mailing lists, etc.). Only some developers are allowed to modify the trusted repository directly: the trusted developers. Such developers need not be cleared, for example.

Q: Can the government release software under an open source license if it was developed by contractors under government contract?

Under the current DoD contracting regime, the contractor usually retains the copyright for software developed with government funding, so in such cases the contractor (not the government) has the right to sue for copyright violation. This isn't usually an issue because of how typical DoD contract clauses work under the DFARS. Before award, a contractor may identify the components that will have more restrictive rights (e.g., so the government can prefer proposals that give the government more rights), and under limited conditions the list can be modified later (e.g., for error correction). If such software includes third-party components that were not produced in performance of that contract, the contractor is generally responsible for acquiring those components with acceptable licenses that permit the government to use that software. The usual federal non-DoD clause (FAR 52.227-14) also permits this by default as long as the government has not granted the contractor the right to assert copyright. Contractors can obtain the right to release such software themselves by receiving certain authorization clauses in their contracts. The red book section 6.C.3.b explains this prohibition in more detail. The release may also be limited by patent and trademark law: do you have the necessary other intellectual rights (e.g., patents)? The key risk of any release is the revelation of information that should not be released to the public.

Software licenses, including those for open source software, are typically based on copyright law. In the commercial world, the copyright holders are typically the individuals and organizations that originally developed the software. There are rare exceptions for NIST and US Postal Service employees where a US copyright can be obtained (see CENDI's Frequently Asked Questions About Copyright). Releasing a work into the public domain is not a copyright license; it is the absence of a license (see also the Free Software Foundation License List, Public Domain). In addition, a third party who breaches a software license (including for OSS) granted by the government risks losing rights they would normally have, due to the doctrine of unclean hands. (The ruling was a denial of a motion for summary judgment, and the parties ultimately settled the claim out of court.)

Software licenses are commonly grouped into permissive, weakly protective, and strongly protective categories (see The Free-Libre / Open Source Software (FLOSS) License Slide). Choosing between the various options - particularly between permissive, weakly protective, and strongly protective options - is perhaps the most difficult decision, because this selection depends on your goals, and there are many opinions on which licenses are most appropriate for different circumstances. Choose a widely-used existing license; do not create a new license. If it is a modification of an existing project, or a plug-in to it, release it under the project's original license (and possibly other licenses). In general, legal analysis is required to determine if multiple programs, covered by different OSS licenses, can be legally combined into a single larger work. The Creative Commons is a non-profit organization that provides free tools, including a set of licenses, to let authors, scientists, artists, and educators easily mark their creative work with the freedoms they want it to carry.

Q: Is there a large risk to DoD contractors that widely-used OSS violates enforceable software patents?

Patents expire after 20 years, so any idea (invention) implemented in software publicly available for more than 20 years should not, in theory, be patentable. There are other ways to reduce the risk of software patent infringement (in the U.S.) as well. Several factors also reduce the risk that a widely-used OSS project includes unlawfully copied material:
- Widespread availability and use of the software (which increases the likelihood of detection).
- Configuration management systems that record the identity of individual contributors (which acts as a deterrent).
- Licenses or development policies that warn against the unlawful inclusion of material, or require people to specifically assert that they are acting lawfully (which reduce the risk of unintentional infringement).
- Lack of evidence of infringement (e.g., an Internet search for the project name plus "copyright infringement" turns up nothing).

Q: What are good practices for use of OSS in a larger system?

- Use a widely-used existing license.
- When including externally-developed software in a larger system (e.g., as a library), make it clearly separable from the other components and easy to update.
- Educate all software developers that they must comply with all valid licenses, including both proprietary and OSS licenses.
- Include upgrade/maintenance costs, including indirect costs (such as hardware replacement if necessary to run updated software), in the TCO. It costs essentially nothing to download a file, but even if OSS has no cost to download, there is still a cost for OSS due to installation, support, and so on (whether done in-house or through external organizations).
- Prefer open standards. Many DoD capabilities are accessible via web browsers using open standards such as TCP/IP, HTTP, and HTML; in such cases it is relatively easy to use or switch to open source software implementations (since the platforms used to implement the client or server become less relevant). Creating any interface is an effort, and having a pre-defined standard helps reduce that effort greatly. Open standards and OSS are not the same thing, although they work well together, and both are strategies for reducing vendor lock-in.

Computer and electronic hardware that is designed in the same fashion as open source software (OSS) is sometimes termed open source hardware.

Trademarks: depending on your goals, a trademark, service mark, or certification mark may be exactly what you need. You may only claim that a trademark is registered if it is actually registered. However, there are advantages to registering a trademark, especially for enforcement. Using a made-up word that has no Google hits is often a good start, but again, see the U.S. Patent and Trademark Office (PTO) site for more information; for more about trademarks, see the PTO page "Trademark basics".

Country of origin: Customs and Border Protection (CBP) has said, in an advisory ruling, that the country of origin of software is the place where the software is converted into object code ("Software comes from the place where it's converted into object code, says CBP", FierceGovernmentIT), for purposes of granting waivers of certain Buy American restrictions in U.S. law or practice for products offered for sale to the U.S. Government. 2518(4)(B) says that an article is a product of a country or instrumentality only if (i) it is wholly the growth, product, or manufacture of that country or instrumentality, or (ii) in the case of an article which consists in whole or in part of materials from another country or instrumentality, it has been substantially transformed into a new and different article of commerce with a name, character, or use distinct from that of the article or articles from which it was so transformed. The CBP also pointed out a ruling (Data General v. United States, 4 CIT 182 (1982)) that programming a PROM performed a substantial transformation.

See also: Why Open Source Software / Free Software (OSS/FS, FLOSS, or FOSS)? Look at the Numbers!
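The "good practices" and GPL points above are easier to apply when the component inventory of a larger system is checked mechanically. The following is an added example (not code from the DoD OSS FAQ or any DoD tool) that classifies each component's license into the permissive, weakly protective, and strongly protective categories the FAQ describes, flags unknown licenses for legal analysis, and flags strongly protective code linked with proprietary code only when the program will be conveyed outside the U.S. government, treating GPL code behind a genuinely generic service boundary as a note rather than a finding. The SPDX-to-category table, the `name,spdx-id,integration` inventory format, and the sample inventory are all constructed assumptions for illustration, not an authoritative legal mapping.

```python
"""License inventory check for OSS components in a larger system.

Added example; not code from the DoD OSS FAQ or any DoD tool. The category
table, inventory format and sample inventory are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed (hypothetical, deliberately incomplete) mapping of SPDX identifiers
# to the FAQ's categories. A real table needs counsel's review.
LICENSE_CATEGORY: Dict[str, str] = {
    "MIT": "permissive",
    "BSD-3-Clause": "permissive",
    "Apache-2.0": "permissive",
    "LGPL-2.1-only": "weakly-protective",
    "MPL-2.0": "weakly-protective",
    "GPL-2.0-only": "strongly-protective",
    "GPL-3.0-only": "strongly-protective",
    "AGPL-3.0-only": "strongly-protective",
    "Proprietary": "proprietary",
}


@dataclass
class Component:
    name: str
    license_id: str
    integration: str  # "linked" (same program) or "service" (separate process, generic interface)


@dataclass
class Finding:
    component: str
    severity: str  # "review" means legal analysis is required; "info" is a note
    reason: str


def categorize(license_id: str) -> str:
    return LICENSE_CATEGORY.get(license_id, "unknown")


def parse_inventory(text: str) -> List[Component]:
    """Parse 'name,spdx-id,integration' lines (assumed CSV-like format)."""
    components = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3 or fields[2] not in ("linked", "service"):
            raise ValueError(f"malformed inventory line: {raw!r}")
        components.append(Component(*fields))
    return components


def check_inventory(components: List[Component], conveyed_outside_government: bool) -> List[Finding]:
    findings: List[Finding] = []
    cats = {c.name: categorize(c.license_id) for c in components}
    # 1. Anything not in the table is an unknown license: legal analysis required.
    for c in components:
        if cats[c.name] == "unknown":
            findings.append(Finding(c.name, "review",
                                    f"license {c.license_id!r} not classified; legal analysis required"))
    # 2. Strongly protective and proprietary code linked into one program.
    linked = [c for c in components if c.integration == "linked"]
    strong = [c for c in linked if cats[c.name] == "strongly-protective"]
    proprietary = [c for c in linked if cats[c.name] == "proprietary"]
    if strong and proprietary:
        if conveyed_outside_government:
            for c in strong + proprietary:
                findings.append(Finding(c.name, "review",
                                        "strongly protective and proprietary code linked into a program "
                                        "conveyed outside the government; license compatibility review required"))
        else:
            findings.append(Finding("*", "info",
                                    "strongly protective and proprietary code combined, but the result stays "
                                    "inside the U.S. government, so no conveyance obligations apply"))
    # 3. Strongly protective code behind a generic service boundary is fine if
    #    callers do not depend on its internal design.
    for c in components:
        if c.integration == "service" and cats[c.name] == "strongly-protective":
            findings.append(Finding(c.name, "info",
                                    "used as a separate generic service; callers must not depend on its internal design"))
    return findings


# Constructed sample inventory; not a real system.
SAMPLE_INVENTORY = """\
# name,spdx-license,integration
openssl,Apache-2.0,linked
vendor-crypto,Proprietary,linked
readline,GPL-3.0-only,linked
mariadb,GPL-2.0-only,service
mystery-lib,Custom-EULA,linked
"""

if __name__ == "__main__":
    for conveyed in (True, False):
        print(f"--- conveyed outside government: {conveyed}")
        for f in check_inventory(parse_inventory(SAMPLE_INVENTORY), conveyed):
            print(f"{f.severity:6} {f.component:14} {f.reason}")
```

Running the script shows the same inventory producing three "review" findings when the program will be conveyed outside the government and only one (the unclassified license) when it stays internal; the check is a triage aid for the legal analysis the FAQ says is required, not a substitute for it.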
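The point that any binary, proprietary or OSS, can be modified after the fact, combined with the role of a project's trusted repository as the source of the official version, leads to a concrete check: compare what was downloaded against what the trusted repository says it published. The following is an added example (not code from the DoD OSS FAQ or any project's release tooling) that parses a GNU coreutils `sha256sum`-style manifest, verifies a set of downloaded files against it, and reports files that are intact, modified, missing, or not listed. The release files, their contents, and the one-byte tampering are constructed samples.

```python
"""Verify downloaded OSS artifacts against the checksum manifest published by
the project's trusted repository.

Added example; not code from the DoD OSS FAQ. Manifest format follows GNU
coreutils `sha256sum` output ("<hex>  <name>" for text mode, "<hex> *<name>"
for binary mode). File contents and tampering are constructed samples.
"""
import hashlib
import hmac
from typing import Dict

_HEX = set("0123456789abcdefABCDEF")


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Return {filename: lowercase hex digest} from sha256sum-style lines."""
    manifest: Dict[str, str] = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        digest, sep, rest = raw.partition(" ")
        # rest is " name" (text mode) or "*name" (binary mode)
        if not sep or len(digest) != 64 or any(ch not in _HEX for ch in digest) or rest[:1] not in (" ", "*"):
            raise ValueError(f"malformed manifest line: {raw!r}")
        manifest[rest[1:]] = digest.lower()
    return manifest


def verify_artifacts(files: Dict[str, bytes], manifest: Dict[str, str]) -> Dict[str, str]:
    """Classify each file as ok / modified / missing / unlisted."""
    report: Dict[str, str] = {}
    for name, expected in manifest.items():
        data = files.get(name)
        if data is None:
            report[name] = "missing"
            continue
        actual = hashlib.sha256(data).hexdigest()
        # constant-time compare; digests are ASCII so str comparison is fine
        report[name] = "ok" if hmac.compare_digest(actual, expected) else "modified"
    for name in files:
        if name not in manifest:
            report[name] = "unlisted"  # present locally but never published
    return report


def tamper(data: bytes, offset: int) -> bytes:
    """Flip one byte, as a hex editor or malware patching a binary would."""
    patched = bytearray(data)
    patched[offset] ^= 0xFF
    return bytes(patched)


def _manifest_line(name: str, data: bytes, binary: bool) -> str:
    return hashlib.sha256(data).hexdigest() + (" *" if binary else "  ") + name


# Constructed sample release: what the trusted repository published.
RELEASE_FILES = {
    "tool-1.2.tar.gz": b"pretend source archive bytes",
    "tool-1.2-linux-amd64": b"\x7fELF pretend binary bytes",
    "tool-1.2-windows.exe": b"MZ pretend binary bytes",
}
PUBLISHED_SHA256SUMS = "\n".join(
    _manifest_line(name, data, binary=not name.endswith(".tar.gz"))
    for name, data in RELEASE_FILES.items()
) + "\n"


def demo() -> Dict[str, str]:
    """Simulate a download where one binary was patched, one file is absent,
    and an extra unpublished file appeared."""
    manifest = parse_sha256sums(PUBLISHED_SHA256SUMS)
    downloaded = dict(RELEASE_FILES)
    downloaded["tool-1.2-linux-amd64"] = tamper(downloaded["tool-1.2-linux-amd64"], 5)
    del downloaded["tool-1.2-windows.exe"]
    downloaded["tool-1.2-linux-amd64.sig"] = b"unexpected extra file"
    return verify_artifacts(downloaded, manifest)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9} {name}")
```

A checksum manifest only binds a download to what the repository published at the time; if the manifest itself comes from the same mirror as the artifact, both can be replaced together, so in practice the manifest (or the artifacts) should additionally be checked against a signature whose key was obtained from the trusted repository out of band.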
