In many cases, yes, but this depends on the specific contract and circumstances. Examples include GPL applications running on proprietary operating systems or wrappers, and GPL applications that use proprietary components explicitly marked as non-GPL. On approval, such containers are granted a Certificate to Field designation by the Air Force Chief Software Officer. At the subsequent meeting of the Inter-Allied Council . Are there guidance documents on OGOTS/GOSS? Volume II of its third edition, section 6.C.3, describes in detail this prohibition on voluntary services. Some more military-specific OSS programs created by or used in the military include: One approach is to use a general-purpose search engine (such as Google) and type in your key functional requirements. If the project is likely to become large, or must perform filtering for public release, it may be better to establish its own website. To manage the acquisition, development, and integration of Cybersecurity Tools and Methods for securing the Defense Information Infrastructure. Q: What are the risks of the government releasing software as OSS? If it is a modification of an existing project, or a plug-in to it, release it under the project's original license (and possibly other licenses). The public release also makes it easy to have copies of versions in many places, and to compare those versions, making it easy for many people to review changes. In particular, U.S. law (10 USC 2377) requires a preference for commercial products for procurement of supplies or services. However, if you're going to rely on the OSS community, you must make sure that the OSS community for that product is active, and that you have suitably qualified staff to implement the upgrades/enhancements developed by the community. The regulation is available at. If you are looking for an application that has wide use, one of the various lists of open source alternatives may help.
The Department of Navy CIO issued a memorandum with guidance on open source software on 5 Jun 2007. The CBP ruling points out that 19 U.S.C. Q: What is the legal basis of OSS licenses? In addition, since the source code is publicly released, anyone can review it, including for the possibility of malicious code.
The purpose of the Department of Defense Information Network Approved Products List (DODIN APL) is to maintain a single consolidated list of products that have completed Interoperability (IO) and Cybersecurity certification. Air Force rarely ranks high on recruiting lists, but this year it brought in the most three-star . The DoD has chosen to use the term open source software (OSS) in its official policy documents. Many development tools covered by the GPL include libraries and runtimes that are not covered by the GPL itself but by the GPL with a runtime exception (e.g., the CLASSPATH exception) that specifically permits development of proprietary software. As long as a GPL program does not embed GPL software into its outputs, a GPL program can process classified/proprietary information without question. Fundamentally, a standard is a specification, so an open standard is a specification that is open. These cases were eventually settled by the parties, but not before certain claims regarding the GPLv2 were decided. Q: What is the country of origin for software? In contracts where this issue is important, you should examine the contract to find the specific definitions that are being used. Lock-in tends to raise costs substantially, reduces long-term value (including functionality, innovation, and reliability), and can become a serious security problem (since the supplier has little incentive to provide a secure product and to quickly fix problems found later). Thus, as long as the software has at least one non-governmental use, software released (or offered for release) to the public is a commercial product for procurement purposes, even if it was originally developed using public funds. Under the same reasoning, the CBP determined that building an object file from source code performed a substantial transformation into a new article.
Since OSS licenses are quite generous, the only license-violating actions a developer is likely to try are to release software under a more stringent license, and those will have little effect if they cannot be enforced in court. Permissive: These licenses permit the software to become proprietary (i.e., not OSS). Q: Do choice of venue clauses automatically disqualify OSS licences? Senior leaders across DoD see bridging the tactical edge and embedding resilience to scale as key issues moving forward. Air Force, U.S. Navy, and U.S. Marine Corps, and to participating agencies involved with supportability analysis summaries and provisioning/item selection functions by, or for, Department of Defense weapons systems, equipment, publications, software and hardware, training, training devices, and support equipment. Depending on your goals, a trademark, service mark, or certification mark may be exactly what you need. Two-day supply of clothing. Factors that greatly reduce this risk include: Typically not, though the risk varies depending on their contract and specific circumstance. - AF Form 1206, Nomination for Award (2 Aug 17) remains the standard AF award nomination form. For example, trademarks and certification marks can be used to differentiate one version of OSS from others, e.g., to designate certain releases as an official version. Q: What license should the government or contractor choose/select when releasing open source software? If it is an improvement to an existing project, release it to the main OSS project, in whatever format they prefer changes. Commercially-available software that is not open source software is typically called proprietary or closed source software. The government can typically release software as open source software once it has unlimited rights to the software. ASTi's Telestra systems integrate with a vast array of simulators across the Air Force Distributed Mission Operations (DMO) enterprise.
DISA Tools Mission Statement. As more improvements are made, more people can use the product, creating more potential users as developers - like a snowball that gains mass as it rolls downhill. This legal analysis must determine if it is possible to meet the conditions of all relevant licenses simultaneously. A protective license protects the software from becoming proprietary, and instead enforces a share and share alike approach between parties. However, if the GPL software must be mixed with other proprietary/classified software, the GPL terms must still be followed. In some cases access is limited to portions of the government instead of the entire government. This regulation only applies to the US Army, but may be a useful reference for others. The World Health Organization (WHO) is a specialized agency of the United Nations responsible for international public health. The release may also be limited by patent and trademark law. Her work has appeared in Air Force Magazine, Inside Defense, Inside Health Policy, the Frederick News-Post (Md. No. However, you should examine past experience and your intended uses before depending on this as a primary mechanism for support. Such software does not normally undergo widespread public review; indeed, the source code is typically not provided to the public and there are often license clauses that attempt to inhibit review further (e.g., forbidding reverse engineering and/or forbidding the public disclosure of analysis results). After all, most proprietary software licenses explicitly forbid modifying (or even reverse-engineering) the program, so the GPL actually provides additional rights not present in most proprietary software.
In 2017, the United States District Court for the Northern District of California, in Artifex Software, Inc. v. Hancom, Inc., issued a ruling confirming the enforceability of the GNU General Public License. This can be a cause of confusion, because without any markings, a recipient is often unaware that the government has unlimited rights to it, and if the government does not know it has certain rights, it becomes difficult for the government to exercise its rights. Q: What policies address the use of open source software (OSS) in the Department of Defense? At this time there is no widely-accepted term for software whose source code is available for review but does not meet the definition of open source software (due to restrictions on use, modification, or redistribution). This memo is available at, The Open Technology Development Roadmap was released by the office of the Deputy Under Secretary of Defense for Advanced Systems and Concepts, on 7 Jun 2006. OTD includes both OSS and OGOTS/GOSS. Licenses that meet all the criteria above include the MIT license, revised BSD license, the Apache 2.0 license (though Apache 2.0 is only compatible with GPL version 3, not GPL version 2), the GNU Lesser General Public License (LGPL) versions 2.1 or 3, and the GNU General Public License (GPL) versions 2 or 3. The GPL version 2 and the GPL version 3 are in principle incompatible with each other, but in practice, most released OSS states that it is GPL version 2 or later or GPL version 3 or later; in these cases, version 3 is a common license and thus such software is compatible. In most cases, contributors to OSS projects intend for their contributions to be gratuitous, and provide them for all (not just for the Federal government), clearly distinguishing such OSS contributions from the voluntary services that the ADA was designed to prevent. These formats may, but need not, be the same. Establish vetting process(es) before government will use updated versions (testing, etc.).
Q: How does open source software work with open systems/open standards? Conversely, if it is widely used, has many developers, and so on, the likelihood of review increases. A permissive license permits arbitrary use of the program, including making proprietary versions of it. Each government program must determine its needs, and then evaluate its options for meeting those needs. Proprietary COTS tend to be lower cost than GOTS, since the cost of development and maintenance is typically shared among a larger number of users (who typically pay to receive licenses to use the product). If using acronyms and abbreviations, only utilize those identified on the approved Air Force Acronym and Abbreviation List, unless noted by an approved category. In addition, widely-used licenses and OSS projects often include additional mechanisms to counter this risk. Software licenses, including those for open source software, are typically based on copyright law. Patents expire after 20 years, so any idea (invention) implemented in software publicly available for more than 20 years should not, in theory, be patentable. The WHO was established on 7 April 1948. In addition, a third party who breaches a software license (including for OSS) granted by the government risks losing rights they would normally have due to the doctrine of unclean hands. OSS projects typically seek financial gain in the form of improvements. when it implements novel functionality which is not already available to the public, and which significantly improves DoD mission outcomes or business processes. This includes the most popular OSS license, the, Weakly Protective (aka weak copyleft): These licenses are a compromise between permissive and strongly protective licenses. Knowledge is more important than the licensing scheme.
Enforcing the GNU GPL by Eben Moglen is a brief essay that argues why the GNU General Public License (GPL), specifically, is enforceable. The Creative Commons is a non-profit organization that provides free tools, including a set of licenses, to let authors, scientists, artists, and educators easily mark their creative work with the freedoms they want it to carry. Vendor lock-in, aka lock-in, is the situation in which customers are dependent on a single supplier for some product (i.e., a good or service), or products, and cannot move to another vendor without substantial costs and/or inconvenience. If the OSS is intended for use on Linux/Unix systems, follow standard source installation release practices so that it is easier for users to install. In 2015, a series of decisions regarding the GNU General Public License were issued by the United States District Courts for the Western District of Texas as well as the Northern District of California. Using a made-up word that has no Google hits is often a good start, but again, see the PTO site for more information. Typically, rights granted by the license can only be obtained when the requestor agrees to certain conditions. The list consists of 21 equipment categories divided into categories, sub-categories and then . In many cases, weakly protective licenses are used for common libraries, while strongly protective licenses are used for applications. FAR 52.227-1 (Authorization and Consent), as prescribed by FAR 27.201-2(a)(1), inserts the clause that the Government authorizes and consents to all use and manufacture of any invention (covered by) U.S. patent. As always, if there are questions, consult your attorney to discuss your specific situation. Software licenses (including OSS licenses) may also involve the laws for patent, trademark, and trade secrets, in addition to copyright. (3) Verbal waivers are NOT authorized.
Wikipedia's Comparison of OSS hosting facilities page may be helpful in identifying existing hosting facilities, as well as some of their pros and cons. This is in addition to the advantages from OSS because it can be reviewed, modified, and redistributed with few restrictions (inherent in the definition of OSS). The Department of Defense Information Network (DoDIN) Approved Products List (APL) is the single consolidated list of products that affect communication and collaboration across the DoDIN. Since OSS provides source code, there is no problem. Example: GPL and (unrelated) proprietary applications can be running at the same time on a desktop PC. In some other cases, the government lacks the rights to release the software to the public, e.g., the government may only have Government Purpose Rights (GPR). Tech must enable mission success. Q: When can the U.S. federal government or its contractors publicly release, as OSS, software developed with government funds? It is important to understand that open source software is commercial software, because there are many laws, regulations, policies, and so on regarding commercial software. Look at the Numbers! Q: Where can I release open source software that are new projects to the public? If it must work with other components, or is anticipated to work with other components, ensure that the license will permit those anticipated uses. Under U.S. copyright law, users must have permission (i.e. If some portion of the software is protected by copyright, then the combined software work can be released under a copyright license. As with all commercial items, the DoD must comply with the item's license when using the item. Choosing between the various options - particularly between permissive, weakly protective, and strongly protective options - is perhaps the most difficult, because this selection depends on your goals, and there are many opinions on which licenses are most appropriate for different circumstances.
(See also Publicly Releasing Open Source Software Developed for the U.S. Government by Dr. David A. Wheeler, DoD Software Tech News, February 2011.) The release of the software may be restricted by the International Traffic in Arms Regulation or Export Administration Regulation. Determine if there will be a government-paid lead. In addition, an attacker can often acquire the original source code from suppliers anyway (either because the supplier voluntarily provides it, or via attacks against the supplier); in such cases, if only the attacker has the source code, the attacker ends up with another advantage. If you are releasing OSS source code for Unix-like systems (including Linux and MacOS), you should follow the usual conventions for doing so as described below: You may use existing industry OSS project hosting services such as SourceForge, Savannah, GitHub, or Apache Software Foundation. Include upgrade/maintenance costs, including indirect costs (such as hardware replacement if necessary to run updated software), in the TCO. However, note that the advantages of cost-sharing only apply if there are many users; if no user/co-developer community is built up, then it can be as costly as GOTS. Note, however, that this may be negotiated; if the government agrees to only receive lesser rights (such as government-purpose rights or restricted rights) then the government does not have the rights necessary to release that software as open source software. Obviously, contractors cannot release anything (including software) to the public if it is classified. Do you have the necessary copyright-related rights? Section 6.C.3.a notes that the voluntary services provision is not new; it first appeared, in almost identical form, back in 1884. AEW and AEG/CCs may publish supplements to AFI 1-1, Air Force Standards, to address issues of community standards.
Software that meets very high reliability/security requirements, aka high assurance software, must be specially designed to meet such requirements. Cisco takes a deep dive into the latest technologies to get it done. Otherwise, choose some existing OSS license, since all existing licenses add some legal protections from lawsuits. All new software products must go through the systems change request approval process and complete a satisfactory risk assessment. The FAR and DFARS specifically permit different agreements to be struck, within certain boundaries, and other agencies have other supplements. Computer and electronic hardware that is designed in the same fashion as open source software (OSS) is sometimes termed open source hardware. Again, if this is the case, then the contractor cannot release the software as OSS without permission, because the contractor doesn't own the copyright. OTD depends on open standards and interfaces, open source software and designs, collaborative and distributed online tools, and technological agility.