It is difficult for software developers (OSS or not) to be confident that they have avoided software patent infringement in the United States, for a variety of reasons.

The CBP ruling points out that 19 U.S.C.

An OSS implementation can be read and modified by anyone; such implementations can quickly become a working reference model (a sample implementation or an executable specification) that demonstrates what the specification means (clarifying the specification) and demonstrates how to actually implement it.

"acquire commercial services, commercial products, or nondevelopmental items other than commercial products to meet the needs of the agency; require prime contractors and subcontractors at all levels under the agency contracts to incorporate commercial services, commercial products, or nondevelopmental items other than commercial products as components of items supplied to the agency; modify requirements in appropriate cases to ensure that the requirements can be met by commercial services or commercial products or, to the extent that commercial products suitable to meet the agency's needs are not available, nondevelopmental items other than commercial products in response to agency solicitations; state specifications in terms that enable and encourage bidders and offerors to supply commercial services or commercial products or, to the extent that commercial products suitable to meet the agency's needs are not available, nondevelopmental items other than commercial products in response to the agency solicitations; revise the agency's procurement policies, practices, and procedures not required by law to reduce any impediments in those policies, practices, and procedures to the acquisition of commercial products and commercial services; and, require training of appropriate personnel in the acquisition of commercial products and commercial services."
The Buy American Act does not apply to information technology that is a commercial item, so there is usually no problem for OSS.

Otherwise, choose some existing OSS license, since all existing licenses add some legal protections from lawsuits.

Most OSS projects have a trusted repository, that is, some (web) location where people can get the official version of the program, as well as related information (documentation, bug report system, mailing lists, etc.).

By definition, open source software provides more rights to users than proprietary software (at least in terms of use, modification, and distribution).

The release may also be limited by patent and trademark law. There are far too many examples to list; a few examples are:

The key risk is the revelation of information that should not be released to the public.

These cases were eventually settled by the parties, but not before certain claims regarding the GPLv2 were decided.

Q: What is the legal basis of OSS licenses?

Again, if this is the case, then the contractor cannot release the software as OSS without permission, because the contractor doesn't own the copyright.

If you are releasing OSS source code for Unix-like systems (including Linux and MacOS), you should follow the usual conventions for doing so as described below: You may use existing industry OSS project hosting services such as SourceForge, Savannah, GitHub, or the Apache Software Foundation.
For example, software that can only be used for government purposes is not OSS, since it cannot be used for any purpose.

Also, there are rare exceptions for NIST and US Postal Service employees where a US copyright can be obtained (see CENDI's Frequently Asked Questions About Copyright).

OSS is typically developed through a collaborative process.

Do not mistakenly use the term "non-commercial software" as a synonym for open source software. Commercial software (both proprietary and OSS) is occasionally updated to fix errors (including security vulnerabilities), and your system should be designed so that it is relatively easy to accept these updates. As noted by the 16 October 2009 policy memorandum from the DoD CIO, in almost all cases OSS is a commercial item as defined by US law (Title 41) and regulation (the FAR).

Conversely, if it is widely used, has many developers, and so on, the likelihood of review increases.

In that case, the U.S. government might choose to continue to use the version to which it has unlimited rights, or it might use the publicly-available commercial version available to the government through that version's commercial license (the GPL in this case).
Clarifying Guidance Regarding Open Source Software (OSS) states that "Software items, including code fixes and enhancements, developed for the Government should be released to the public (such as under an open source license) when all of the following conditions are met:

The government or contractor must determine the answer to these questions: Source: Publicly Releasing Open Source Software Developed for the U.S. Government.

Vendor lock-in, aka lock-in, is the situation in which customers are dependent on a single supplier for some product (i.e., a good or service), or products, and cannot move to another vendor without substantial costs and/or inconvenience.

For more discussion on this topic, see the article Open Source Software Is Commercial.

can be competed, and the cost of some improvements may be borne by other users of the software.

Each government program must determine its needs, and then evaluate its options for meeting those needs.

Creating any interface is an effort, and having a pre-defined standard helps reduce that effort greatly.

This regulation only applies to the US Army, but may be a useful reference for others.

However, sometimes OGOTS/GOSS software is later released as OSS.

how to ensure the interoperability of systems; how to build systems that are manageable.

Yes, but the following considerations apply: As stated above, software developed by government employees as part of their official duties is not subject to copyright protection in the United States.
It can sometimes be a challenge to find a good name.

If the contractor was required to transfer copyright to the government for works produced under contract (e.g., because the FAR 52.227-17 or DFARS 252.227-7020 clauses apply to it), then the government can release the software as open source software, because the government owns the copyright.

Consider anticipated uses. If it must work with other components, or is anticipated to work with other components, ensure that the license will permit those anticipated uses.

German courts have enforced the GPL.

Public domain software (in this copyright-related sense) can be used by anyone for any purpose, and cannot by itself be released under a copyright license (including typical open source software licenses).

The good news is that, by definition, OSS provides its source code, enabling a more informed evaluation than is typically available for other kinds of COTS products.

Whether or not this was intentional, it certainly had the same form as a malicious back door.

However, note that the advantages of cost-sharing only apply if there are many users; if no user/co-developer community is built up, then it can be as costly as GOTS.

And of course, individual OSS projects often have security review processes or methods (such as Mozilla's bounty system).
Here is an explanation of these categories, along with common licenses used in each category (see The Free-Libre / Open Source Software (FLOSS) License Slide):

In general, legal analysis is required to determine if multiple programs, covered by different OSS licenses, can be legally combined into a single larger work.

before starting have a clear understanding of the reasons to migrate; ensure that there is active support for the change from IT staff and users; make sure that there is a champion for change (the higher up in the organisation the better); build up expertise and relationships with the OSS movement; ensure that each step in the migration is manageable.

Knowledge is more important than the licensing scheme.

Users can send bug reports to the distributor or trusted repository, just as they could for a proprietary program.

Q: Can the DoD use GPL-licensed software?

However, the public domain portions may be extracted from such a joint work and used by anyone for any purpose.

In nearly all cases, OSS is commercial software, so the policies regarding commercial software continue to apply to OSS.

Q: Is the GPL compatible with Government Unlimited Rights contracts, or does the requirement to display the license, etc., violate Government Unlimited Rights contracts?

Some OSS is very secure, while other OSS is not; some proprietary software is very secure, while other proprietary software is not.
Thus, GPLed compilers can compile classified programs (since the compilers treat the classified program as data), and a GPLed implementation of a virtual machine (VM) can execute classified software (since the VM implementation runs the software as data). Windows Services for UNIX 3.0 is a good example of commercial use of GPL application mixing.

The 2003 MITRE study section 1.3.4 outlines several ways to legally mix GPL with proprietary or classified software: Often such separation can occur by separating information into data and a program that uses it, or by defining distinct layers.

A trademark is "a word, phrase, symbol or design, or a combination thereof, that identifies and distinguishes the source of the goods of one party from those of others."

Open source software is also called Free software, libre software, Free/open source software (FOSS or F/OSS), and Free/Libre/Open Source Software (FLOSS).

There is no DoD policy forbidding or limiting the use of software licensed under the GNU General Public License (GPL). If a legal method for using the GPL software for a particular application cannot be devised, and a different license cannot be negotiated, then the GPL-licensed component cannot be used for that particular purpose.

Even if an OTD project is not OSS itself, an OTD project will typically use, improve, or create OSS components.

What is more, the supplier may choose to abandon the product; source-code escrow can reduce these risks somewhat, but in these cases the software becomes GOTS with its attendant costs.

The real challenge is one of education: some developers incorrectly believe that just because something is free to download, it can be merged or changed without restriction.
The GNU General Public License (GPL) is the most common OSS license; while you do not need to use the GPL, it is often unwise to choose a license incompatible with the majority of OSS.

Execution: Mixing GPL and other software can run at the same time on the same computer or network.

This greatly reduces contractors' risks, enabling them to get work done (given this complex environment).

Similarly, in Wallace v. IBM, Red Hat, and Novell, the U.S. Court of Appeals for the Seventh Circuit found in November 2006 that the GNU General Public License (GPL) and open-source software "have nothing to fear from the antitrust laws." U.S. courts have determined that the GPL does not violate anti-trust laws.

OSS and Security/Software Assurance/System Assurance/Supply Chain Risk Management.

Indeed, according to Walli, "Standards exist to encourage & enable multiple implementations."

As noted above, in nearly all cases, open source software is considered commercial software by U.S. law, the FAR, and the DFARS.

See the licenses listed in the FAQ question "What are the major types of open source software licenses?".

Q: What are the risks of the government releasing software as OSS?

However, it must be noted that the OSS model is much more reflective of the actual costs borne by development organizations.

Q: What additional material is available on OSS in the government or DoD?

As a result, it is difficult to develop software and be confident that it does not violate enforceable patents.

Typically, the rights granted by the license can only be obtained when the requestor agrees to certain conditions.
In 2015, a series of decisions regarding the GNU General Public License were issued by the United States District Courts for the Western District of Texas as well as the Northern District of California.

This definition is essentially identical to what the DoD has been using since publication of the 16 October 2009 memorandum from the DoD CIO, Clarifying Guidance Regarding Open Source Software (OSS).

Some people like the term GOSS, because it indicates an intent to do OSS-like collaborative development, but within the government instead. Are there guidance documents on OGOTS/GOSS?

It would also remove the unique (OSS) ability to change infrastructure source code rapidly in response to new modes of cyberattack.

A service mark is "a word, phrase, symbol or design, or a combination thereof, that identifies and distinguishes the source of a service rather than goods."

Thus, to reduce the risk of executing malicious code, potential users should consider the reputation of the supplier and the experience of other users, prefer software with a large number of users, and ensure that they get the real software and not an imitator. Widely-used programs include the Apache web server, Firefox web browser, Linux kernel, and many other programs.

Establish vetting process(es) before the government will use updated versions (testing, etc.).

In most cases, this GPL license term is not a problem. The GPL and LGPL licenses specifically recommend that "You should also get your employer (if you work as a programmer) or school, if any, to sign a copyright disclaimer for the program, if necessary," and point to additional information.

Yes.
Resources for further information include:

In brief, the MIT and 2-clause BSD licenses are dominated by the 3-clause BSD license, which are all dominated by the LGPL licenses, which are all dominated by the GPL licenses. This way, the software can be incorporated in the existing project, saving time and money in support.

In addition, an attacker can often acquire the original source code from suppliers anyway (either because the supplier voluntarily provides it, or via attacks against the supplier); in such cases, if only the attacker has the source code, the attacker ends up with another advantage.

The release of the software may be restricted by the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR).

The government is not the copyright holder in such cases, but the government can still enforce its rights.

In short, the ADA's limitation on voluntary services does not broadly forbid the government from working with organizations and people who identify themselves as volunteers, including those who develop OSS.

However, often software can be split into various components, some of which are classified and some of which are not, and it is these unclassified portions that this text addresses.

Using a made-up word that has no Google hits is often a good start, but again, see the PTO site for more information.

OSS is increasingly commercially developed and supported.

The Government has the rights to reproduce and release the item, and to authorize others to do so.

In the Intelligence Community (IC), the term "open source" typically refers to overt, publicly available sources (as opposed to covert or classified sources).

Also, US citizens can attempt to embed malicious code into software, and many non-US citizens develop software without embedding malicious code.

Furthermore, 52.212-4(s) says: "(s) Order of precedence."
After all, most proprietary software licenses explicitly forbid modifying (or even reverse-engineering) the program, so the GPL actually provides additional rights not present in most proprietary software.

Q: Is there a large risk to DoD contractors that widely-used OSS violates enforceable software patents?

Government lawyers and Contracting Officers are trained to try to negotiate licenses which resolve these ambiguities without having to rely on the less-satisfying Order of Precedence, but generally accede when the licenses in question are non-negotiable, as is often the case with OSS licenses.

Atty Gen. 51 (1913)) that has become the leading case construing 31 U.S.C.

As with all commercial items, the DoD must comply with the item's license when using the item.

However, there are advantages to registering a trademark, especially for enforcement.

OSS implementations can help create and keep open standards open.

Distribution: Mixing GPL and other software can be stored and transmitted together.

The FAR and DFARS specifically permit different agreements to be struck (within certain boundaries).

In general, "Security by Obscurity" is widely denigrated.

Document the project's purpose, scope, and major decisions; users must be able to quickly determine if this project might meet their needs. Document from where and when any external software was acquired, as well as the license conditions, so that future users and maintainers can easily comply with the license terms.

See the GPL FAQ, "Who has the power to enforce the GPL?".

Careful legal review is required to determine if a given license is really an open source software license.
As of 2021, the terms "freeware" and "shareware" do not appear to have official definitions used by the United States Government, but historically (for example in the now-superseded DoD Instruction 8500.2) these terms have been used specifically for software distributed without cost where the Government does not have access to the original source code.