Careful legal review is required to determine if a given license is really an open source software license. Contact Contracting. Permissive: These licenses permit the software to become proprietary (i.e., not OSS). No, DoD policy does not require you to have commercial support for OSS, but you must have some plan for support. However, it must be noted that the OSS model is much more reflective of the actual costs borne by development organizations. The GPL version 2 and the GPL version 3 are in principle incompatible with each other, but in practice, most released OSS states that it is GPL version 2 or later or GPL version 3 or later; in these cases, version 3 is a common license and thus such software is compatible. In most cases, this GPL license term is not a problem. OSS can often be purchased (directly, or as a support contract), and such purchases often include some sort of indemnification. Even when the original source is necessary for in-depth analysis, making source code available to the public significantly aids defenders and not just attackers. Q: Can the DoD use GPL-licensed software? Even for many modifications (e.g., bug fixes) this causes no issues because in many cases the DoD has no interest in keeping those changes confidential.
Clarifying Guidance Regarding Open Source Software (OSS)
a list of licenses which have successfully gone through the approval process and comply with the Open Source Definition
publishes a list of licenses that meet the Free Software Definition
good licenses that Fedora has determined are open source software licenses
Federal Source Code Policy, OMB Memo 16-21
National Defense Authorization Act for FY2018
http://www.doncio.navy.mil/contentview.aspx?id=312
http://www.dtic.mil/dtic/tr/fulltext/u2/a450769.pdf
http://www.whitehouse.gov/omb/memoranda/fy04/m04-16.html
http://www.army.mil/usapa/epubs/pdf/r25_2.pdf
Defense Federal Acquisition Regulation Supplement (DFARS), 40 CFR, Section 252.227-7014 Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation
European Interoperability Framework (EIF)
Bruce Perens, Open Standards: Principles and Practice
U.S. Court of Appeals for the Federal Circuit's 2008 ruling on Jacobsen v. Katzer
The Free-Libre / Open Source Software (FLOSS) License Slide
GPL linking exception term (such as the Classpath exception)
Maintaining Permissive-Licensed Files in a GPL-Licensed Project: Guidelines for Developers (Software Freedom Law Center)
Creative Commons does not recommend that you use one of their licenses for software
GPL FAQ, Can I use the GPL for something other than software?
GPL FAQ, Who has the power to enforce the GPL?
2003 MITRE study, Use of Free and Open Source Software (FOSS) in the U.S. Department of Defense
Secure Programming for Linux and Unix HOWTO
in 2003 the Linux kernel development process resisted an attack
Software comes from the place where it's converted into object code, says CBP, FierceGovernmentIT
Gartner Group's Mark Driver stated in November 2010
Estimating the Total Development Cost of a Linux Distribution
Open Source Software for Imagery & Mapping (OSSIM)
Open Source Alternatives (Ben Balter et al.)
At this time there is no widely-accepted term for software whose source code is available for review but does not meet the definition of open source software (due to restrictions on use, modification, or redistribution). Open standards make it easier for users to (later) adopt an open source software program, because users of open standards aren't locked into a particular implementation. Such source code may not be adequate to cost-effectively. By some definitions this is technically not an open source license, because no license is needed, but such public domain software can be legally used, modified, and combined with other software without restriction. This enables cost-sharing between users, as with proprietary development models. Thus, in many cases a choice of venue clause is not an insurmountable barrier to acceptance of the software delivery by the government. Whether or not this was intentional, it certainly had the same form as a malicious back door. Commercial software (both proprietary and OSS) is occasionally updated to fix errors (including security vulnerabilities), and your system should be designed so that it is relatively easy to accept these updates. The CBP ruling points out that 19 U.S.C. A weakly-protective license is a compromise between the two, preventing the covered library from becoming proprietary yet permitting it to be embedded in larger proprietary works. Q: What are the major types of open source software licenses?
Widespread availability and use of the software (which increases the likelihood of detection), Configuration management systems that record the identity of individual contributors (which acts as a deterrent), Licenses or development policies that warn against the unlawful inclusion of material, or require people to specifically assert that they are acting lawfully (which reduce the risk of unintentional infringement), Lack of evidence of infringement (e.g., an Internet search for project name + copyright infringement turns up nothing). Q: Does the Antideficiency Act (ADA) prohibit all use of OSS due to limitations on voluntary services? After all, most proprietary software licenses explicitly forbid modifying (or even reverse-engineering) the program, so the GPL actually provides additional rights not present in most proprietary software. Examine if it is truly community-developed, or if there are only a very few developers. Many DoD capabilities are accessible via web browsers using open standards such as TCP/IP, HTTP, and HTML; in such cases, it is relatively easy to use or switch to open source software implementations (since the platforms used to implement the client or server become less relevant). Thus, as long as the software has at least one non-governmental use, software released (or offered for release) to the public is a commercial product for procurement purposes, even if it was originally developed using public funds. Contracts under the federal government FAR, but not the DFARS, often use clause FAR 52.227-14 (Rights in Data - General). No, OSS is developed by a wide variety of software developers, and the average developer is quite experienced. Many OSS licenses do not have a choice of venue clause, and thus cannot have an issue, although some do. These decisions largely held that the GNU General Public License, version 2 was enforceable in a series of five related legal cases loosely referred to as Versata v. Ameriprise, although there were related suits against Versata by XimpleWare. This eliminates future incompatibility and encourages future contributions by others. The government can typically release software as open source software once it has unlimited rights to the software. OSS COTS is especially appropriate when there is an existing OSS COTS product that meets the need, or one can be developed and supported by a wide range of users/co-developers. Depending on the contract and its interpretation, contractors may be required to get governmental permission to include commercial components in their deliverables; where this applies, this would be true for OSS components as well as proprietary components. The DoD is, of course, not the only user of OSS. Others can obtain permission to use a copyrighted work by obtaining a license from the copyright holder. The good news is that, by definition, OSS provides its source code, enabling a more informed evaluation than is typically available for other kinds of COTS products. Intellipedia is implemented using MediaWiki, the open source software developed to implement Wikipedia. Many perceive this openness as an advantage for OSS, since OSS better meets Saltzer & Schroeder's Open design principle (the protection mechanism must not depend on attacker ignorance). The DoD does not have a single required process for evaluating OSS. Observing the output from inputs is often sufficient for attack. Q: How can I get support for OSS that already exists? Q: Can government employees develop software as part of their official duties and release it under an open source license?
Most commercial software (including OSS) is not designed for such purposes. In addition, since the source code is publicly released, anyone can review it, including for the possibility of malicious code. GOTS is especially appropriate when the software must not be released to the public (e.g., it is classified) or when licenses forbid more extensive sharing (e.g., the government only has government-purpose rights to the software). (Free in Free software refers to freedom, not price.) Q: When can the U.S. federal government or its contractors publicly release, as OSS, software developed with government funds? What's more, proprietary software release practices make it more difficult to be confident that the software does not include malicious code. It may be found at, US Army Regulation 25-2, paragraph 4-6.h, provides guidance on software security controls that specifically addresses open source software. Under the same reasoning, the CBP determined that building an object file from source code performed a substantial transformation into a new article. Software/hardware for which the implementation, proofs of its properties, and all required tools are released under an OSS license are termed open proofs (see the open proofs website for more information). Note that under the DoD definition of open source software, such public domain software is open source software. It points to various studies related to market share, reliability, performance, scalability, security, and total cost of ownership.
Dynamic attacks (e.g., generating input patterns to probe for vulnerabilities and then sending that data to the program to execute) don't need source or binary. The DoD has chosen to use the term open source software (OSS) in its official policy documents. Questions about why the government, who represents the people, is not releasing software (that the people paid for) back to the people. The 2009 DoD CIO memo on open source software says, in attachment 2, 2(d), The use of any software without appropriate maintenance and support presents an information assurance risk. Q: When a DoD contractor is developing a new system/software as a deliverable in a typical DoD contract, is it possible to use existing software licensed using the GNU General Public License (GPL)? This is particularly the case where future modifications by the U.S. government may be necessary, since OSS by definition permits modification. Commercially-available software that is not open source software is typically called proprietary or closed source software. What contract applies, what are its terms, and what decisions have been made? Requiring the use of very unusual development tools may impede development, unless those tools provide a noticeable advantage. As described in FAR 27.404-3(a)(2), a contracting officer should grant such a request only when [that] will enhance appropriate dissemination or use, but release as open source software would typically qualify as a justification for enhanced dissemination and use. Yes. In particular, will it be directly linked with proprietary or classified code?
(Such terms might include open source software, but could also include other software). All other developers can make changes to their local copies, and even post their versions to the Internet (a process made especially easy by distributed software configuration management tools), but they must submit their changes to a trusted developer to get their changes into the trusted repository. Before approving the use of software (including OSS), system/program managers, and ultimately Designated Approving Authorities (DAAs), must ensure that the plan for software support (e.g., commercial or Government program office support) is adequate for mission need. Note that Government program office support is specifically identified as a possibly-appropriate approach. It depends on the goals for the project; however, here are some guidelines: Public domain where required by law. Q: What is the country of origin for software? Q: Is there a large risk to DoD contractors that widely-used OSS violates enforceable software patents? When examining a specific OSS project, look for evidence that review (both by humans and tools) does take place. What is its relationship to OSS? Control enhancement CM-7(8) states that an organization must prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code. Q: What are the risks of the government releasing software as OSS?
More recent decisions, such as the 1982 decision B-204326 by the U.S. Comptroller General, continue to confirm this distinction between gratuitous and voluntary service. The 2003 MITRE study, Use of Free and Open Source Software (FOSS) in the U.S. Department of Defense, identified some of many OSS programs that the DoD is already using, and concluded that OSS plays a more critical role in the [Department of Defense (DoD)] than has generally been recognized. In contracts where this issue is important, you should examine the contract to find the specific definitions that are being used. This is not merely theoretical; in 2003 the Linux kernel development process resisted an attack. Anyone who is considering this approach should obtain a determination from general counsel first (and please let the FAQ authors know!). For example, the Government has public release rights when the software is developed by Government personnel, when the Government receives unlimited rights in software developed by a contractor at Government expense, or when pre-existing OSS is modified by or for the Government. When the software is already deployed, does the project develop and deploy fixes? For more discussion on this topic, see the article Open Source Software Is Commercial. For example, users of proprietary software must typically pay for a license to use a copy or copies. Q: In what form should I release open source software? The United States Air Force operates a service called Iron Bank, which is the DoD Enterprise repository of hardened software containers, many of which are based on open source products. before starting have a clear understanding of the reasons to migrate; ensure that there is active support for the change from IT staff and users; make sure that there is a champion for change the higher up in the organisation the better; build up expertise and relationships with the OSS movement; ensure that each step in the migration is manageable. 
The term open source software is sometimes hyphenated as open-source software. In practice, commercial software (OSS or not) tends to be developed globally, especially when you consider their developers and supply chains. Several static tool vendors support analysis of OSS (such as Coverity and Sonatype) as a way to improve their tools and gain market use. OSS implementations can help create and keep open standards open. Choose a widely-used existing license; do not create a new license. That said, this does not mean that all OSS is superior to all proprietary software in all cases by all measures. An OSS implementation can be read and modified by anyone; such implementations can quickly become a working reference model (a sample implementation or an executable specification) that demonstrates what the specification means (clarifying the specification) and demonstrates how to actually implement it. Q: How can you determine if different open source software licenses are compatible? Q: Can OSS licenses and approaches be used for material other than software? Do you have permission to release to the public (classification, distribution statements, export controls)? See GPL FAQ, Who has the power to enforce the GPL? In some cases, the sources of information for OSS differ. Commercial software (including OSS) that has widespread use often has lower risk, since there are often good reasons for its widespread use. Such developers need not be cleared, for example.
The Customs and Border Protection (CBP) has said, in an advisory ruling, that the country of origin of software is the place where the software is converted into object code (Software comes from the place where it's converted into object code, says CBP, FierceGovernmentIT), for purposes of granting waivers of certain Buy American restrictions in U.S. law or practice or products offered for sale to the U.S. Government. Software that meets very high reliability/security requirements, aka high assurance software, must be specially designed to meet such requirements. No, although they work well together, and both are strategies for reducing vendor lock-in. Note that many of the largest commercially-supported OSS projects have their own sites. Instead, Government employees must ensure that they do not accept services rendered in the hope that Congress will subsequently recognize a moral obligation to pay for the benefits conferred. Using a made-up word that has no Google hits is often a good start, but again, see the PTO site for more information. While this argument may be valid, we know of no court decision or legal opinion confirming this. Q: Doesn't hiding source code automatically make software more secure? As noted above, in nearly all cases, open source software is considered commercial software by U.S. law, the FAR, and the DFARS. However, this approach should not be taken lightly. These formats may, but need not, be the same. The DDR&E, Advanced Capabilities Modular Open Systems Approach web page also provides some useful background. The FAR and DFARS do not currently mandate any specific marking for software where the government has unlimited rights.
Here is an explanation of these categories, along with common licenses used in each category (see The Free-Libre / Open Source Software (FLOSS) License Slide): In general, legal analysis is required to determine if multiple programs, covered by different OSS licenses, can be legally combined into a single larger work. If the contractor was required to transfer copyright to the government for works produced under contract (e.g., because the FAR 52.227-17 or DFARS 252.227-7020 clauses apply to it), then the government can release the software as open source software, because the government owns the copyright. Contractors for other federal agencies may have a different process to use, but after going through a process they can often release such software as open source software. Factors that greatly reduce this risk include: Typically not, though the risk varies depending on their contract and specific circumstance. This greatly reduces contractors' risks, enabling them to get work done (given this complex environment). OSS is increasingly commercially developed and supported. However, using a support vendor is not the only approach or the best approach in all cases; system/program managers and DAAs must look at the specific situation to make a determination. Yes. In most cases, contributors to OSS projects intend for their contributions to be gratuitous, and provide them for all (not just for the Federal government), clearly distinguishing such OSS contributions from the voluntary services that the ADA was designed to prevent.
In effect, the malicious developer could lose many or all rights over their license-violating result, even rights they would normally have had! In many cases, yes, but this depends on the specific contract and circumstances. No. In nearly all cases, pre-existing OSS are commercial products, and thus their use is governed by the rules for including any commercial products in the deliverable. Public Law 115-232 defines OSS as software for which the human-readable source code is available for use, study, re-use, modification, enhancement, and re-distribution by the users of such software. As noted in the article Open Source memo doesn't mandate a support vendor (by David Perera, FierceGovernmentIT, May 23, 2012), the intent of the memo was not to issue a blanket requirement that all open source software come bundled with contractor support or else it can't be used. If a Defense agency is able to sustain the open source software with its own skills and talents then that can be enough to satisfy the intent of the memo. In addition, How robust the support plan need be can also vary on the nature of the software itself. For command and control software, the degree would have to be greater than for something that's not so critical to mission execution. This control enhancement is based on the need for some way to update software to fix problems after they are discovered. The 2003 MITRE study section 1.3.4 outlines several ways to legally mix GPL with proprietary or classified software: Often such separation can occur by separating information into data and a program that uses it, or by defining distinct layers. If the OSS is intended for use on Linux/Unix systems, follow standard source installation release practices so that it is easier for users to install. Similarly, SourceForge/Apache (in 2001) and Debian (in 2003) countered external attacks.
If the standard DFARS contract clauses are used (see DFARS 252.227-7014), then unless other arrangements are made, the government has unlimited rights to a software component when (1) it pays entirely for the development of it (see DFARS 252.227-7014(b)(1)(i)), or (2) it is five years after contract signature if it partly paid for its development (see DFARS 252.227-7014(b)(2)). Obviously, software that does not meet the U.S. government's definition of commercial computer software is not considered commercial software by the U.S. government's acquisition processes. However, often software can be split into various components, some of which are classified and some of which are not, and it is to these unclassified portions that this text addresses. OSS options should be evaluated in principle the same way you would evaluate any option, considering need, cost, and so on. Open standards also make it easier for OSS developers to create their projects, because the standard itself helps developers know what to do. For example, software that can only be used for government purposes is not OSS, since it cannot be used for any purpose. An Open System is a system that employs modular design, uses widely supported and consensus based standards for its key interfaces, and has been subjected to successful V&V tests to ensure the openness of its key interfaces (per the DoD Open Systems Joint Task Force). The project manager, program manager, or other comparable official determines that it is in the Government's interest to do so, such as through the expectation of future enhancements by others.
If the project is likely to become large, or must perform filtering for public release, it may be better to establish its own website.