air force approved software list 2021

Q: How can you determine if different open source software licenses are compatible? The 2003 MITRE study, Use of Free and Open Source Software (FOSS) in the U.S. Department of Defense, did suggest developing a Generally Recognized As Safe (GRAS) list, but such a list has not been developed. Even if an OTD project is not OSS itself, an OTD project will typically use, improve, or create OSS components. Specific patents can also be authorized using clause FAR 52.227-5 or via listed exceptions of FAR 52.227-3. Many OSS licenses do not have a choice of venue clause, and thus cannot have an issue, although some do. It also often has lower total cost-of-ownership than proprietary COTS, since acquiring it initially is often free or low-cost, and all other support activities (training, installation, modification, etc.) BSD TCP/IP suite - Provided the basis of the Internet, Greatly increased costs, due to the effort of self-maintaining its own version, Inability to use improvements (including security patches and innovations) by others, where it uses a non-standard version instead of the version being actively maintained, Greatly increased cost, due to having to bear the, Inability to use improvements (including security patches and innovations) by others, since they do not have the opportunity to aid in its development, Obsolescence due to the development and release of a competing commercial (e.g., OSS) project. For example, users of proprietary software must typically pay for a license to use a copy or copies. Thus, they are all strategies for sharing the development and maintenance costs of software, potentially reducing its cost. Any company can easily review OSS to look for proprietary code that should not be there; there are even OSS tools that can find common code. Creating any interface is an effort, and having a pre-defined standard helps reduce that effort greatly.
When examining a specific OSS project, look for evidence that review (both by humans and tools) does take place. In either case, it is important to understand that GOSS is typically not OSS, though GOSS may be a stepping stone towards later OSS release. (See next question.) See also DFARS subpart 227.70 - infringement claims, licenses, and assignments and 28 USC 1498. Widespread availability and use of the software (which increases the likelihood of detection), Configuration management systems that record the identity of individual contributors (which acts as a deterrent), Licenses or development policies that warn against the unlawful inclusion of material, or require people to specifically assert that they are acting lawfully (which reduce the risk of unintentional infringement), Lack of evidence of infringement (e.g., an Internet search for project name + copyright infringement turns up nothing). According to the U.S. Patent and Trademark Office (PTO): For more about trademarks, see the U.S. Patent and Trademark Office (PTO) page Trademark basics. Gartner Group's Mark Driver stated in November 2010 that, "Open source is ubiquitous, it's unavoidable... having a policy against open source is impractical and places you at a competitive disadvantage." The DoD does not have a single required process for evaluating OSS. Many programs and DAAs do choose to use commercial support, and in many cases that is the best approach. Q: When a DoD contractor is developing a new system/software as a deliverable in a typical DoD contract, is it possible to include existing open source software? Static attacks (e.g., analyzing the code instead of its execution) can use pattern-matches against binaries - source code is not needed for them either.
The project manager, program manager, or other comparable official determines that it is in the Government's interest to do so, such as through the expectation of future enhancements by others. The list of products, referred to as "Blue sUAS," comes from 5 different manufacturers: Skydio, Parrot, Altavian, Teal Drones, and Vantage Robotics. The usual federal non-DoD clause (FAR 52.227-14) also permits this by default as long as the government has not granted the contractor the right to assert copyright. First of all, being a US firm has little relationship to the citizenship of its developers and its suppliers' developers. Thus, complex license management processes to track every installation or use of the software, or who is permitted to use the software, are completely unnecessary. Typically, the rights granted by the license can only be obtained when the requestor agrees to certain conditions. Q: Is there a name for software whose source code is publicly available, but does not meet the definition of open source software? An Open Source Community can update the codebase, but they cannot patch your servers. This list was generated on Friday, March 3, 2023, at 5:54 PM. As a result, it is difficult to develop software and be confident that it does not violate enforceable patents. A certification mark is any word, phrase, symbol or design, or a combination thereof owned by one party who certifies the goods and services of others when they meet certain standards. Under the current DoD contracting regime, the contractor usually retains the copyright for software developed with government funding, so in such cases the contractor (not the government) has the right to sue for copyright violation.
DFARS 252.227-7014(a)(15) defines unlimited rights as rights to use, modify, reproduce, release, perform, display, or disclose computer software or computer software documentation in whole or in part, in any manner and for any purpose whatsoever, and to have or authorize others to do so. Examples of OSS that are in widespread use include: There are many Linux distributions which provide suites of such software such as Red Hat Enterprise Linux, Fedora, SUSE, Debian and Ubuntu. This approach may inhibit later release of the combined result to other parties (e.g., allies), as release to an ally would likely be considered distribution as defined in the GPL. Software licenses (including OSS licenses) may also involve the laws for patent, trademark, and trade secrets, in addition to copyright. Each government program must determine its needs, and then evaluate its options for meeting those needs. So, while open systems/open standards are different from open source software, they are complementary and can work well together. Since OSS provides source code, there is no problem. Q: Is there a standard marking for software where the government has unlimited rights? And of course, individual OSS projects often have security review processes or methods (such as Mozilla's bounty system). (3) Verbal waivers are NOT authorized. (See also Free Software Foundation License List, Public Domain), (See also GPL FAQ, Question Can the US Government release improvements to a GPL-covered program?). Q: Is open source software the same as open systems/open standards?
Salesforce Government Cloud takes advantage of the same cloud-based CRM technology that has made Salesforce a household name among businesses large and small. Adobe Acrobat Reader software is copyrighted software which gives users instant access to documents in their original form, independent of computer platform. Note also that merely being developed for the government is no guarantee that there is no malicious embedded code. can be competed, and the cost of some improvements may be borne by other users of the software. how to ensure the interoperability of systems; how to build systems that are manageable. Q: Do choice of venue clauses automatically disqualify OSS licences? Some have found that community support can be very helpful. Here is an explanation of these categories, along with common licenses used in each category (see The Free-Libre / Open Source Software (FLOSS) License Slide): In general, legal analysis is required to determine if multiple programs, covered by different OSS licenses, can be legally combined into a single larger work. In 2015, a series of decisions regarding the GNU General Public License were issued by the United States District Courts for the Western District of Texas as well as the Northern District of California. The DoD has chosen to use the term open source software (OSS) in its official policy documents. Failing to understand that open source software is commercial software would result in failing to follow the laws, regulations, policies, and so on regarding commercial software. Q: Is the GPL compatible with Government Unlimited Rights contracts, or does the requirement to display the license, etc, violate Government Unlimited Rights contracts? The rules for many other U.S. departments may be very different.
Careful legal review is required to determine if a given license is really an open source software license. 1342 the Attorney General drew a distinction that the Comptroller of the Treasury thereafter adopted, and that GAO and the Justice Department continue to follow to this day - the distinction between voluntary services and gratuitous services. Some key text from this opinion, as identified by the red book, is: "[I]t seems plain that the words 'voluntary service' were not intended to be synonymous with 'gratuitous service' ... it is evident that the evil at which Congress was aiming was not appointment or employment for authorized services without compensation, but the acceptance of unauthorized services not intended or agreed to be gratuitous and therefore likely to afford a basis for a future claim upon Congress." Unlike proprietary COTS, GOTS has the advantage that the government has the right to change the software whenever the government chooses to do so. By "dominate," that means that when software covered by those pairs of licenses is merged, the dominating license essentially governs the resulting combination because the dominating license essentially includes all the key terms of the other license. In that case, the U.S. government might choose to continue to use the version to which it has unlimited rights, or it might use the publicly-available commercial version available to the government through that version's commercial license (the GPL in this case). It is difficult for software developers (OSS or not) to be confident that they have avoided software patent infringement in the United States, for a variety of reasons. OTD is an approach to software/system development in which developers (in multiple organizations) collaboratively develop and maintain software or a system in a decentralized fashion.
Some more military-specific OSS programs created-by or used in the military include: One approach is to use a general-purpose search engine (such as Google) and type in your key functional requirements. Even if source code is necessary (e.g., for source code analyzers), adequate source code can often be regenerated by disassemblers and decompilers sufficiently to search for vulnerabilities. As with all commercial items, organizations must obey the terms of the commercial license, negotiate a different license if necessary, or not use the commercial item. U.S. government contractors (including those in the DoD) are often indemnified from patent infringement by the U.S. government as part of their contract. "acquire commercial services, commercial products, or nondevelopmental items other than commercial products to meet the needs of the agency; require prime contractors and subcontractors at all levels under the agency contracts to incorporate commercial services, commercial products, or nondevelopmental items other than commercial products as components of items supplied to the agency; modify requirements in appropriate cases to ensure that the requirements can be met by commercial services or commercial products or, to the extent that commercial products suitable to meet the agency's needs are not available, nondevelopmental items other than commercial products in response to agency solicitations; state specifications in terms that enable and encourage bidders and offerors to supply commercial services or commercial products or, to the extent that commercial products suitable to meet the agency's needs are not available, nondevelopmental items other than commercial products in response to the agency solicitations; revise the agency's procurement policies, practices, and procedures not required by law to reduce any impediments in 
those policies, practices, and procedures to the acquisition of commercial products and commercial services; and, require training of appropriate personnel in the acquisition of commercial products and commercial services.". Q: When a DoD contractor is developing a new system/software as a deliverable in a typical DoD contract, is it possible to use existing software licensed using the GNU General Public License (GPL)? In addition, DISA has initiated an assessment of the APL process, which was enacted nearly a decade ago, to ensure that current procedures align with new and evolving departmental priorities. Q: What are some military-specific open source software programs? While budget constraints and reduced staffing have forced the APL process to operate in a limited manner, The red book section 6.C.3.b explains this prohibition in more detail. The GPL and government unlimited rights terms have similar goals, but differ in details. Many development tools covered by the GPL include libraries and runtimes that are not covered by the GPL itself but the GPL with a runtime exception (e.g., the CLASSPATH exception) that specifically permits development of proprietary software. The release of the software may be restricted by the International Traffic in Arms Regulation or Export Administration Regulation. Even if OSS has no cost to download, there is still a cost for OSS due to installation, support, and so on (whether done in-house or through external organizations). DoD Directive 5000.1 states that open systems shall be employed, where feasible, and the European Commission identifies open standards as a major policy thrust. The 2003 MITRE study, Use of Free and Open Source Software (FOSS) in the U.S. Department of Defense, identified some of many OSS programs that the DoD is already using, and concluded that "OSS plays a more critical role in the [Department of Defense (DoD)] than has generally been recognized."
In some cases, it may be wise to release software under multiple licenses (e.g., LGPL version 2.1 and version 3, GPL version 2 and 3), so that users can then pick which license they will use. However, support from in-house staff, augmented by the OSS community, may be (and often is) sufficient. DoDIN APL is managed by the APCO | disa.meade.ie.list.approved-products-certification-office@mail.mil. is a survey paper that provides quantitative data that, in many cases, using open source software / free software (abbreviated as OSS/FS, FLOSS, or FOSS) is a reasonable or even superior approach to using their proprietary competition according to various measures.. (its) goal is to show that you should consider using OSS/FS when acquiring software. Observing the output from inputs is often sufficient for attack. If you are looking for an application that has wide use, one of the various lists of open source alternatives may help. All new software products must go through the systems change request approval process and complete a satisfactory risk assessment. No, the DoD does not have an official recommendation for any particular OSS product or set of products, nor a Generally Recognized as Safe/Mature list. The Free Software Foundation (FSF) interprets linking a GPL program with another program as creating a derivative work, and thus imposing this license term in such cases. The following marking should be added to software source code when the government has unlimited rights due to the use of the DFARS 252.227-7014 contract: The U.S. Government has Unlimited Rights in this computer software pursuant to the clause at DFARS 252.227-7014. Q: Can contractors develop software for the government and then release it under an open source license?
Indeed, because a calculation of damages is inherently speculative, these types of license restrictions might well be rendered meaningless absent the ability to enforce through injunctive relief. In short, it determined that the OSS license at issue in the case (the Artistic license) was indeed an enforceable license. German courts have enforced the GPL. Execution Mixing - GPL and other software can run at the same time on the same computer or network. However, it must be noted that the OSS model is much more reflective of the actual costs borne by development organizations. As noted in the Secure Programming for Linux and Unix HOWTO, three conditions reduce the risks from unintentional vulnerabilities in OSS: The use of any commercially-available software, be it proprietary or OSS, creates the risk of executing malicious code embedded in the software. The following organizations examine licenses; licenses should pass at least the first two industry review processes, and preferably all of them, else they have a greatly heightened risk of not being an open source software license: In practice, nearly all open source software is released under one of a very few licenses that are known to meet this definition. However, the public domain portions may be extracted from such a joint work and used by anyone for any purpose. The Linux kernel project requires that a person proposing a change add a Signed-off-by tag, attesting that the patch, to the best of his or her knowledge, can legally be merged into the mainline and distributed under the terms of (the license). It is important to understand that open source software is commercial software, because there are many laws, regulations, policies, and so on regarding commercial software.