In general, Security by Obscurity is widely denigrated. Services that are intended and agreed to be gratuitous do not conflict with this statute. Software that meets very high reliability/security requirements, aka high assurance software, must be specially designed to meet such requirements. Q: What license should the government or contractor choose/select when releasing open source software? These include: If you are looking for smaller pieces of code to reuse, search engines specifically for code may be helpful. Otherwise, choose some existing OSS license, since all existing licenses add some legal protections from lawsuits. Note that most commercial software is not intended to be used where the impact of any error of any kind is extremely high (e.g., a large number of lives are likely to be immediately lost if even the slightest software error occurs). The term "open source software" is sometimes hyphenated as "open-source software". Open standards make it easier for users to (later) adopt an open source software program, because users of open standards aren't locked into a particular implementation. Thus, even this FAQ was developed using open source software. For more information, see the. The list consists of 21 equipment categories divided into categories, sub-categories and then . Similarly, U.S. Code Title 41, Section 104 defines the term "Commercially available off-the-shelf (COTS) item"; software is COTS if it is (a) a commercial product, (b) sold in substantial quantities in the commercial marketplace, and (c) offered to the Federal Government, without modification, in the same form in which it is sold in the commercial marketplace. Instead, Government employees must ensure that they do not accept services rendered in the hope that Congress will subsequently recognize a moral obligation to pay for the benefits conferred.
These prevent the software component (often a software library) from becoming proprietary, yet permit it to be part of a larger proprietary program. Q: When can the U.S. federal government or its contractors publicly release, as OSS, software developed with government funds? The Defense Innovation Unit (DIU) is a . The GPL and LGPL licenses specifically recommend that "You should also get your employer (if you work as a programmer) or school, if any, to sign a copyright disclaimer for the program, if necessary.", and point to additional information. U.S. law governing federal procurement, U.S. Code Title 41, Section 103, defines "commercial product" as including a product, other than real property, that (A) is of a type customarily used by the general public or by nongovernmental entities for purposes other than governmental purposes; and (B) has been sold, leased, or licensed, or offered for sale, lease, or license, to the general public. Indeed, according to Walli, "Standards exist to encourage & enable multiple implementations." Commercial software (including OSS) that has widespread use often has lower risk, since there are often good reasons for its widespread use. Application Mixing: GPL can rely on other software to provide it with services, provided either that those services are generic (e.g., operating system services) or that they have been explicitly exempted by the GPL software designer as non-GPL components. There are many general OSS review projects, such as those by OpenBSD and the Debian Security Audit team. The services focus on bringing automated software tools, services and standards to DOD programs so that warfighters can create, deploy, and operate software applications in a secure, flexible, and . In 2017, the United States District Court for the Northern District of California, in Artifex Software, Inc. v. Hancom, Inc., issued a ruling confirming the enforceability of the GNU General Public License. DISA Tools Mission Statement.
It also notes that OSS is a disruptive technology, in particular, that it is a move away from a product to a service based industry. Commercial software (both proprietary and OSS) is occasionally updated to fix errors (including security vulnerabilities), and your system should be designed so that it is relatively easy to accept these updates. Q: Under what conditions can GPL-licensed software be mixed with proprietary/classified software? This assessment is slated to conclude in the fourth quarter of this fiscal year (FY2022) and all updates to the DoDIN APL process are expected to be published and available by March 2023. Many programs and DAAs do choose to use commercial support, and in many cases that is the best approach. The 2003 MITRE study, "Use of Free and Open Source Software (FOSS) in the U.S. Department of Defense", for analysis purposes, posed the hypothetical question of what would happen if OSS software were banned in the DoD, and found that OSS plays a far more critical role in the DoD than has been generally recognized (especially in) Infrastructure Support, Software Development, Security, and Research. Although the government cannot directly sue for copyright violation, in such cases it can still sue for breach of license and, presumably, get injunctive relief to stop the breach and money damages to recover royalties obtained by breaching the license (and perhaps other damages as well). The real challenge is one of education: some developers incorrectly believe that just because something is free to download, it can be merged or changed without restriction. Going through our RMF/DICAP and cannot find the Air Force Approved Software List anywhere. Examples of OSS that are in widespread use include: There are many Linux distributions which provide suites of such software, such as Red Hat Enterprise Linux, Fedora, SUSE, Debian and Ubuntu.
In addition, important open source software is typically supported by one or more commercial firms. GOTS software should not be released when it implements a strategic innovation, i.e. Q: What are the major types of open source software licenses? OpenSSL - SSL/cryptographic library implementation, GNAT - Ada compiler suite (technically this is part of gcc), perl, Python, PHP, Ruby - Scripting languages, Samba - Windows - Unix/Linux interoperability. Typically, the rights granted by the license can only be obtained when the requestor agrees to certain conditions. Each hosting service tends to be focused on particular kinds of projects, so prefer a hosting service that well matches the project. Public Law 115-232 defines OSS as "software for which the human-readable source code is available for use, study, re-use, modification, enhancement, and re-distribution by the users of such software". Use typical OSS infrastructure, tools, etc. Thus, avoid releasing software under only the original (4-clause) BSD license (which has been replaced by the "new" or "revised" 3-clause license), the Academic Free License (AFL), the now-abandoned Common Public License 1.0 (CPL), the Open Software License (OSL), or the Mozilla Public License version 1.1 (MPL 1.1). Typically this will include a source code version management system, a mailing list, and an issue tracker. However, there are advantages to registering a trademark, especially for enforcement. (Note that such software would often be classified.) 97-258, 96 Stat. No, complying with OSS licenses is much easier than proprietary licenses if you only use the software in the same way that proprietary software is normally used. There are many definitions for the term "open standard". This eliminates future incompatibility and encourages future contributions by others. The U.S.
Court of Appeals for the Federal Circuit's 2008 ruling on Jacobsen v. Katzer made it clear that OSS licenses are enforceable, even if money is not exchanged. They can obtain this by receiving certain authorization clauses in their contracts. Conversely, where source code is hidden from the public, attackers can attack the software anyway as described above. This greatly reduces contractors' risks, enabling them to get work done (given this complex environment). The NASA FAR Supplement (NFS) 1852.227-14 gives NASA the right, under typical conditions, to demand that a contractor assert copyright and then assign the copyright to the government, which would again give the government the right to release the software as open source software. MEMORANDUM FOR ALL MAJCOMs/FOAs/DRUs . The example of Borland's InterBase/Firebird is instructive. A company that found any of its proprietary software in an OSS project can in most cases quickly determine who unlawfully submitted that code and sue that person for infringement. You must release it without any copyright protection (e.g., as not subject to copyright protection in the United States) if you release it at all and if it was developed wholly by US government employee(s) as part of their official duties. Q: Has the U.S. government released OSS projects or improvements? Yes, extensively. A GPLed engine program can be controlled by classified data that it reads without issue. Observing the output from inputs is often sufficient for attack. how to ensure the interoperability of systems; how to build systems that are manageable. Similarly, OSS (as well as proprietary software) may indeed have malicious code embedded in it. Establish project website. For local guidance, Airmen are encouraged to .
Use of the DODIN APL allows DOD Components to purchase and operate systems over all DOD network infrastructures. The cases are too complicated to summarize here, other than to say that the GPLv2 was clearly regarded as enforceable by the courts. DFARS 252.227-7014(a)(15) defines "unlimited rights" as rights to use, modify, reproduce, release, perform, display, or disclose computer software or computer software documentation in whole or in part, in any manner and for any purpose whatsoever, and to have or authorize others to do so. Licenses that meet all the criteria above include the MIT license, revised BSD license, the Apache 2.0 license (though Apache 2.0 is only compatible with GPL version 3, not GPL version 2), the GNU Lesser General Public License (LGPL) versions 2.1 or 3, and the GNU General Public License (GPL) versions 2 or 3. In practice, OSS projects tend to be remarkably clean of such issues. The owner of the mark exercises control over the use of the mark; however, because the sole purpose of a certification mark is to indicate that certain standards have been met, use of the mark is by others. You don't have to register a trademark to have a trademark. In particular, note that the costs borne by a particular organization are typically only those for whatever improvements or services are used (e.g., installation, configuration, help desk, etc.). Thus, if there is an existing contract, you must check the contract to determine the specific situation; the text above merely describes common cases. After all, most proprietary software licenses explicitly forbid modifying (or even reverse-engineering) the program, so the GPL actually provides additional rights not present in most proprietary software. And of course, individual OSS projects often have security review processes or methods (such as Mozilla's bounty system).
It may be found at. US Army Regulation 25-2, paragraph 4-6.h, provides guidance on software security controls that specifically addresses open source software. It states that in 1913, the Attorney General developed an opinion (30 Op. Note, however, that this risk has little to do with OSS, but is instead rooted in the risks of U.S. patent infringement for all software, and the patent indemnification clauses in their contract. Using industry OSS project hosting services makes it easier to collaborate with other parties outside the U.S. DoD or U.S. government. This strengthens evaluations by focusing on technology specific security requirements. If it is an improvement to an existing project, release it to the main OSS project, in whatever format they prefer changes. Many software developers find software patents difficult to understand, making it difficult for them to determine if a given patent even applies to a given program. Q: Can the government or contractor use trademarks, service marks, and/or certification marks with OSS projects? All executables that are not on a base approval list will soon be blocked. Relevant government authorities make it clear that the Antideficiency Act (ADA) does not generally prohibit the use of OSS due to limitations on voluntary services. A very small percentage of such users determine that they can make a change valuable to them, and contribute it back (to avoid maintenance costs). Q: What is the legal basis of OSS licenses? The DoD has not expressed a position on whether or not software should be patented, but it is interested in ensuring that software that effectively supports its missions can be developed in a cost-effective, timely, and legal manner. The GPL and government unlimited rights terms have similar goals, but differ in details. If you are looking for an application that has wide use, one of the various lists of open source alternatives may help.
AFCENT/A1RR will publish approved local supplements to the Air Force Reporting Units. However, often software can be split into various components, some of which are classified and some of which are not, and it is to these unclassified portions that this text addresses. In particular, it found that DoD security depends on (OSS) applications and strategies, and that a hypothetical ban would have immediate, broad, and in some cases strongly negative impacts on the ability of the DoD to analyze and protect its own networks against hostile intrusion. By default, the government has the necessary rights if it does not permit the contractor to assert copyright, but it loses those rights if the government permits the contractor to assert copyright. In addition, widely-used licenses and OSS projects often include additional mechanisms to counter this risk. Any inconsistencies in this solicitation or contract shall be resolved by giving precedence in the following order: (1) the schedule of supplies/services; (2) the Assignments, Disputes, Payments, Invoice, Other Compliances, and Compliance with Laws Unique to Government Contracts paragraphs of this clause; (3) the clause at 52.212-5; (4) addenda to this solicitation or contract, including any license agreements for computer software; . This is not merely theoretical; in 2003 the Linux kernel development process resisted an attack. Only some developers are allowed to modify the trusted repository directly: the trusted developers. Determine if there will be a government-paid lead. The usual DoD contract clause (DFARS 252.227-7014) permits this by default. This page is an educational resource for government employees and government contractors to understand the policies and legal issues relating to the use of open source software (OSS) in the United States Department of Defense (DoD).
It also often has lower total cost-of-ownership than proprietary COTS, since acquiring it initially is often free or low-cost, and all other support activities (training, installation, modification, etc.) Many OSS licenses do not have a choice of venue clause, and thus cannot have an issue, although some do. Can the DoD use GPL-licensed software? Others do not like the term GOSS, because GOSS is not actually OSS, and they believe the term can be misleading. What are good practices for use of OSS in a larger system? However, note that the advantages of cost-sharing only apply if there are many users; if no user/co-developer community is built up, then it can be as costly as GOTS. Gartner Group's Mark Driver stated in November 2010 that, "Open source is ubiquitous, it's unavoidable... having a policy against open source is impractical and places you at a competitive disadvantage." Indeed, because a calculation of damages is inherently speculative, these types of license restrictions might well be rendered meaningless absent the ability to enforce through injunctive relief. In short, it determined that the OSS license at issue in the case (the Artistic license) was indeed an enforceable license. You will need a Common Access Card (CAC) with DoD Certificates to access DoD Cyber Exchange NIPR. These lists apply to all NSA/CSS elements, contractors, and personnel, and pertain to all IS storage devices that they use. The U.S. government can often directly combine GPL and proprietary, classified, or export-controlled software into a single program arbitrarily, as long as the result is never conveyed outside the U.S. government. Once the government has unlimited rights, it may release that software to the public under any terms it wishes, including by using the GPL.
The United States Air Force operates a service called "Iron Bank", which is the DoD Enterprise repository of hardened software containers, many of which are based on open source products. This shows that proprietary software can include functionality that could be described as malicious, yet remain unfixed, and that at least in some cases OSS is reviewed and fixed. Software might not infringe on a patent when it was released, yet the same software may later infringe on a patent if the patent was granted after the software's release. Most of the Air Force runs on Excel VBA because of this. OSS implementations can help rapidly increase adoption/use of the open standard. An example is (connecting) a GPL utility to a proprietary software component by using the Unix pipe mechanism, which allows one-way flow of data to move between software components. No. Yes, but the following considerations apply: As stated above, software developed by government employees as part of their official duties is not subject to copyright protection in the United States. It is usually far better to stick to licenses that have already gone through legal review and are widely used in the commercial world. This clause establishes that the choice of venue clause (category 4) is superseded by the Contract Disputes Act (category 2), and thus the conflict is typically moot. The term "Free software" predates the term "open source software", but the term "Free software" has sometimes been misinterpreted as meaning "no cost", which is not the intended meaning in this context. In most cases, yes. Under the same reasoning, the CBP determined that building an object file from source code performed a substantial transformation into a new article. This process provides a single, consolidated list of products that have met cybersecurity and interoperation certification requirements. Choose a license that has passed legal reviews and is clearly accepted as an OSS license.
In contracts where this issue is important, you should examine the contract to find the specific definitions that are being used. Yes. Contractors for other federal agencies may have a different process to use, but after going through a process they can often release such software as open source software. The following questions discuss some specific cases. Video conferencing platforms Zoom and Microsoft Teams are both FedRAMP approved, but while Zoom offers end-to-end encryption, Microsoft Teams does not, according to the National Security Agency. Conversely, if it is widely used, has many developers, and so on, the likelihood of review increases. Fundamentally, a standard is a specification, so an open standard is a specification that is open. Thus, components that have the potential to (eventually) support many users are more likely to succeed. For almost as long as smartphones have existed, defense IT leaders have wondered aloud whether they'd ever be able to securely implement a bring-your-own-device (BYOD) approach to military networks. As noted above, in nearly all cases, open source software is considered commercial software by U.S. law, the FAR, and the DFARS. In addition, a third party who breaches a software license (including for OSS) granted by the government risks losing rights they would normally have due to the doctrine of unclean hands. Been retired for a few years but work for a company that has a contract with the Air Force and Army. The lack of money changing hands in open source licensing should not be presumed to mean that there is no economic consideration, however. These definitions in U.S. law govern U.S. acquisition regulations, namely the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS).
Software/hardware for which the implementation, proofs of its properties, and all required tools are released under an OSS license are termed "open proofs" (see the open proofs website for more information). As stated in FAR 25.103 Exceptions item (e), "The restriction on purchasing foreign end products does not apply to the acquisition of information technology that is a commercial item, when using fiscal year 2004 or subsequent fiscal year funds (Section 535(a) of Division F, Title V, Consolidated Appropriations Act, 2004, and similar sections in subsequent appropriations acts)." (See also GPL FAQ, Question "Can the US Government release a program under the GNU GPL?") Classified information may not be released to the public without special authorization to do so. Contractors must still abide by all other laws before being allowed to release anything to the public. In the DoD, the GIG Technical Guidance Federation is a useful resource for identifying recommended standards (which tend to be open standards). The regulation is available at. Approved supplements are maintained by AFCENT/A1RR at afcent.a1rrshaw@afcent.af.mil. In many cases, yes, but this depends on the specific contract and circumstances. Not under typical open source software licenses based on copyright, but there is an alternative with the same practical effect. The list of products, referred to as "Blue sUAS," comes from 5 different manufacturers: Skydio, Parrot, Altavian, Teal Drones, and Vantage Robotics. This has a reduced likelihood if the program is niche or rarely-used, has few developers, uses a rare computer language, or is not really OSS. U.S. courts have determined that the GPL does not violate anti-trust laws. As noted in the Secure Programming for Linux and Unix HOWTO, three conditions reduce the risks from unintentional vulnerabilities in OSS: The use of any commercially-available software, be it proprietary or OSS, creates the risk of executing malicious code embedded in the software.
Some have found that community support can be very helpful. Q: Does the Antideficiency Act (ADA) prohibit all use of OSS due to limitations on voluntary services? Whether or not this will occur depends on factors such as the number of potential users (more potential users makes this more likely), the existence of competing OSS programs (which may out-compete the newly released component), and how difficult it is to install/use. This enables cost-sharing between users, as with proprietary development models. Service Mixing: GPL can provide generic services to other software. For additional information please contact: disa.meade.ie.list.approved-products-certification-office@mail.mil. Q: Is there a standard marking for software where the government has unlimited rights? (See also "Publicly Releasing Open Source Software Developed for the U.S. Government" by Dr. David A. Wheeler, DoD Software Tech News, February 2011.) OSS licenses can be grouped into three main categories: Permissive, strongly protective, and weakly protective. In most cases, contributors to OSS projects intend for their contributions to be gratuitous, and provide them for all (not just for the Federal government), clearly distinguishing such OSS contributions from the voluntary services that the ADA was designed to prevent.