Thus, to reduce the risk of executing malicious code, potential users should consider the reputation of the supplier and the experience of other users, prefer software with a large number of users, and ensure that they get the real software and not an imitator. More recent decisions, such as the 1982 decision B-204326 by the U.S. Comptroller General, continue to confirm this distinction between gratuitous and voluntary service. The cases are too complicated to summarize here, other than to say that the GPLv2 was clearly regarded as enforceable by the courts. The real challenge is one of education: some developers incorrectly believe that just because something is free to download, it can be merged or changed without restriction. The DoD has not expressed a position on whether or not software should be patented, but it is interested in ensuring that software that effectively supports its missions can be developed in a cost-effective, timely, and legal manner. This control enhancement is based on the need for some way to update software to fix problems after they are discovered. If you are looking for an application that has wide use, one of the various lists of open source alternatives may help. OSS implementations can help rapidly increase adoption/use of the open standard. Even when the original source is necessary for in-depth analysis, making source code available to the public significantly aids defenders and not just attackers. There are many alternative clauses in the FAR and DFARS, and specific contracts can (and often do) have different specific agreements on who has which rights to software developed under a government contract. So if the program is being used and not modified (a very common case), this additional term has no impact. Many governments, not just the U.S., view open systems as critically necessary.
Home use of the antivirus products will not only protect personal PCs, but will also potentially lessen the threat of malicious logic being introduced to the workplace and compromising DoD networks. Q: How does open source software work with open systems/open standards? Thus, the government may receive custom-developed, non-commercial software as a deliverable and receive unlimited rights for that new code, but also acquire only commercial rights to the third-party (possibly OSS) components. Senior leaders across DoD see bridging the tactical edge and embedding resilience to scale as key issues moving forward. But in practice, publicly-released OSS nearly always meets the various government definitions for commercial computer software and thus is nearly always considered commercial software. OSS-like development approaches within the government. The red book section 6.C.3.b explains this prohibition in more detail. OGOTS/GOSS software is often not OSS; software is only OSS if it meets the definition of OSS. This page is an educational resource for government employees and government contractors to understand the policies and legal issues relating to the use of open source software (OSS) in the United States Department of Defense (DoD). Authors of a creative work, or their employer, normally receive the copyright once the work is in a fixed form (e.g., written/typed). Yes, it's possible. In addition, a third party who breaches a software license (including for OSS) granted by the government risks losing rights they would normally have due to the doctrine of unclean hands.
What it does mean, however, is that the DoD will not reject consideration of a COTS product merely because it is OSS. 923, is in 31 U.S.C. For local guidance, Airmen are encouraged to . All other developers can make changes to their local copies, and even post their versions to the Internet (a process made especially easy by distributed software configuration management tools), but they must submit their changes to a trusted developer to get their changes into the trusted repository. Can the DoD use GPL-licensed software? Also, US citizens can attempt to embed malicious code into software, and many non-US citizens develop software without embedding malicious code. Application Mixing GPL can rely on other software to provide it with services, provided that those services are either generic (e.g., operating system services) or have been explicitly exempted by the GPL software designer as non-GPL components. It may be illegal to modify proprietary software, but that will normally not slow an attacker. Instead, Government employees must ensure that they do not accept services rendered in the hope that Congress will subsequently recognize a moral obligation to pay for the benefits conferred. an Air Force community college and on 9 November 1971, General John D. Ryan, Air Force Chief of Staff, approved the establishment of the Community College of the Air Force. Indeed, vulnerability databases such as CVE make it clear that merely hiding source code does not counter attacks: hiding source code does inhibit the ability of third parties to respond to vulnerabilities (because changing software is more difficult without the source code), but this is obviously not a security advantage. 1342 the Attorney General drew a distinction that the Comptroller of the Treasury thereafter adopted, and that GAO and the Justice Department continue to follow to this day: the distinction between voluntary services and gratuitous services.
Some key text from this opinion, as identified by the red book, is: "[I]t seems plain that the words 'voluntary service' were not intended to be synonymous with 'gratuitous service' ... it is evident that the evil at which Congress was aiming was not appointment or employment for authorized services without compensation, but the acceptance of unauthorized services not intended or agreed to be gratuitous and therefore likely to afford a basis for a future claim upon Congress." It is usually far better to stick to licenses that have already gone through legal review and are widely used in the commercial world. Specifically, the federal government's IA controls, as documented in NIST SP 800-53 revision 5, include a control enhancement, CM-7(8). For more information, see the. However, this cost-sharing is done in a rather different way than in proprietary development. Q: What are synonyms for open source software? The key issue with both versions of the GPL is that, unlike most other OSS licenses, the GPL licenses require that a recipient of a binary (executable) must be able to demand and receive the source code of that program, and the recipient must also be able to propagate the work under that license. This eliminates future incompatibility and encourages future contributions by others. Q: How can I avoid failure to comply with an OSS license? As noted above, OSS projects have a trusted repository that only certain developers (the trusted developers) can directly modify. The 1997 InfoWorld Best Technical Support award was won by the Linux User Community.
Clarifying Guidance Regarding Open Source Software (OSS), a list of licenses which have successfully gone through the approval process and comply with the Open Source Definition, publishes a list of licenses that meet the Free Software Definition, good licenses that Fedora has determined are open source software licenses, Federal Source Code Policy, OMB Memo 16-21, National Defense Authorization Act for FY2018, http://www.doncio.navy.mil/contentview.aspx?id=312, http://www.dtic.mil/dtic/tr/fulltext/u2/a450769.pdf, http://www.whitehouse.gov/omb/memoranda/fy04/m04-16.html, http://www.army.mil/usapa/epubs/pdf/r25_2.pdf, Defense Federal Acquisition Regulation Supplement (DFARS), 40 CFR, Section 252.227-7014 Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation, European Interoperability Framework (EIF), Bruce Perens' Open Standards: Principles and Practice, U.S. Court of Appeals for the Federal Circuit's 2008 ruling on Jacobsen v. Katzer, The Free-Libre / Open Source Software (FLOSS) License Slide, GPL linking exception term (such as the Classpath exception), Maintaining Permissive-Licensed Files in a GPL-Licensed Project: Guidelines for Developers (Software Freedom Law Center), Creative Commons does not recommend that you use one of their licenses for software, GPL FAQ, "Can I use the GPL for something other than software?", GPL FAQ, "Who has the power to enforce the GPL?", 2003 MITRE study, Use of Free and Open Source Software (FOSS) in the U.S. Department of Defense, Secure Programming for Linux and Unix HOWTO, in 2003 the Linux kernel development process resisted an attack, "Software comes from the place where it's converted into object code," says CBP, FierceGovernmentIT, Gartner Group's Mark Driver stated in November 2010, Estimating the Total Development Cost of a Linux Distribution, Open Source Software for Imagery & Mapping (OSSIM), Open Source Alternatives (Ben Balter et al.).
Fundamentally, a standard is a specification, so an open standard is a specification that is open. Q: What is the country of origin for software? For DoD contractors, if the standard DFARS contract clauses are used (in particular DFARS 252.227-7014) then the contractor who developed the software retains the copyright to the software and has the right to release it to others, even if the software was developed exclusively with government funds. However, you should examine past experience and your intended uses before depending on this as a primary mechanism for support. If you have concerns about using in-house staff, augmented by the OSS community for those components, then select and pay a commercial organization to provide the necessary support. There is no DoD policy forbidding or limiting the use of software licensed under the GNU General Public License (GPL). Again, if this is the case, then the contractor cannot release the software as OSS without permission, because the contractor doesn't own the copyright. This might occur, for example, if the government originally only had Government Purpose Rights (GPR), but later the government received unlimited rights and released the software as OSS. German courts have enforced the GPL. Air Force ROTC is offered at over 1,100 colleges and universities in the continental United States, Puerto Rico and Hawaii. This should not be surprising; the DoD uses OSS extensively, and the GPL is the most popular OSS license. A choice of venue clause is a clause that states where a dispute is to be resolved (e.g., which court). a license) from the copyright holder(s) before they can obtain a copy of software to run on their system(s). It can sometimes be a challenge to find a good name.
This greatly reduces contractors' risks, enabling them to get work done (given this complex environment). So, while open systems/open standards are different from open source software, they are complementary and can work well together. In some other cases, the government lacks the rights to release the software to the public, e.g., the government may only have Government Purpose Rights (GPR). After all, most proprietary software licenses explicitly forbid modifying (or even reverse-engineering) the program, so the GPL actually provides additional rights not present in most proprietary software. Specific patents can also be authorized using clause FAR 52.227-5 or via listed exceptions of FAR 52.227-3. Yes, both the government and contractors may obtain and use trademarks, service marks, and/or certification marks for software, including OSS. Such software does not normally undergo widespread public review; indeed, the source code is typically not provided to the public, and there are often license clauses that attempt to inhibit review further (e.g., forbidding reverse engineering and/or forbidding the public disclosure of analysis results). Software/hardware for which the implementation, proofs of its properties, and all required tools are released under an OSS license are termed "open proofs" (see the open proofs website for more information). There are valid business reasons, unrelated to security, that may lead a commercial company selling proprietary software to choose to hide source code (e.g., to reduce the risk of copyright infringement or the revelation of trade secrets). Be sure to consider total cost of ownership (TCO), not just initial download costs. Do you have the materials (e.g., source code) and are all materials properly marked?
In 2017, the United States District Court for the Northern District of California, in Artifex Software, Inc. v. Hancom, Inc., issued a ruling confirming the enforceability of the GNU General Public License. These licenses include the MIT license, revised BSD license (and its 2-clause variant), the Apache 2.0 license, the GNU Lesser General Public License (LGPL) versions 2.1 or 3, and the GNU General Public License (GPL) versions 2 or 3. A weakly-protective license is a compromise between the two, preventing the covered library from becoming proprietary yet permitting it to be embedded in larger proprietary works. The release of the software may be restricted by the International Traffic in Arms Regulation (ITAR) or Export Administration Regulation (EAR). It is important to understand that open source software is commercial software, because there are many laws, regulations, policies, and so on regarding commercial software.