GCN Tech Blog

By GCN Staff

Does FAR include open source software?

An article in the latest issue of the DoD Software Tech News (free registration required) poses an interesting question: Does the Federal Acquisition Regulation demand agencies look at open source software as a possibility when procuring software?

In his paper for the issue, Institute for Defense Analysis' David Wheeler believes this to be the case.

FAR, of course, requires agencies to look at what commercial software is available when procuring a new application, as commercial software can offer a lower-cost alternative to commissioning a contractor to write a program anew. Wheeler argues that open source software, even when available for free, still should be considered commercial software. As a result, "An agency that fails to consider OSS options is in direct violation of the FAR, because it would be failing to consider commercial items," he wrote.

Perhaps, though as Open Source Software Institute head John Weathersby notes in another article, any Defense Department agency thinking about using open source software should check with their legal departments before doing so. Unless, of course, your service already has issued a policy on open source software.

Software Tech News is new to us, by the way. John Scott, one of the authors of a paper that appeared in the issue, had passed along the link. It is published by the Defense Department Information Analysis Center. Other interesting tidbits we found in this issue (the "open source" issue) are that the Army is Red Hat's single largest install base and that the Navy has started an open source repository of defense contractor-developed code, called SHARE.


Posted by Joab Jackson on Jul 06, 2007 at 9:39 AM


Reader Comments

Sat, Jul 14, 2007 David Wheeler VA

I'm David A. Wheeler, the author of the noted article, and I thought it'd be helpful to add a few comments. These are my own comments, not an official statement by any organization.

After I wrote that article, the Navy released a memo saying the same thing. The U.S. Navy's June 5, 2007 memo 'Department of the Navy Open Source Software Guidance' specifically affirms that open source software (OSS) that meets the FAR/U.S. law definition of a "commercial item" (as most do) is commercial software. Note that the FAR (and DFARS) definition is based in U.S. law. U.S. Code Title 41, Chapter 7, section 403, gives essentially the same definition as the FAR - that is, software that is licensed to the public, and has non-government uses, is a commercial item.

A much longer explanation on why OSS is simply another kind of commercial software (the other being proprietary software) is given here: http://www.dwheeler.com/essays/commercial-floss.html

One poster (Kuraksm) said that people must "rule out the use of OSS in order to satisfy the requirements of DOD 8500.2 (Information Assurance)" - I disagree. I don't see anything in those policies that forbid the use of OSS. A particular piece of software may not be appropriate for a particular use (regardless of whether it's OSS or proprietary) but that has nothing to do with being OSS. A 2003 MITRE report found that the DoD already widely uses OSS and it would be severely hobbled if it couldn't. Yes, there are cases where Common Criteria or FIPS evaluations are required, but OSS products can and have undergone such evaluations. For example, Red Hat and Novell Linux distributions have gone through Common Criteria evaluations. Sun Solaris has too (and its kernel and many other components are OSS). OpenSSL has gotten through a FIPS 140-2 evaluation (crypto module) as well.

This is not new. It's all consistent with the 2003 DoD policy memo that specifically stated that the DoD was neutral on OSS, and the U.S. federal government made the same policy statement in 2004. OSS is to be considered the same way as non-OSS is: on its merits.

The "Project A" example makes many false assumptions, such as presuming that it is impossible or illegal to have commercial support for OSS, that doing something yourself cannot ever have the lowest TCO, and even that OSS programs aren't COTS. In practice there are many companies that provide commercial support for OSS programs. MySQL AB sells/supports MySQL (one of the most popular OSS databases), Red Hat and Novell have a variety of enterprise support options for the Linux distributions, ACT has been selling support for their OSS Ada compiler for years, and so on. Indeed, venture capitalist-backed OSS companies are routinely springing up right now. Sometimes self-support really IS the least expensive way, too. If you determine that your best approach is to self-support OSS, you can do it.... but you do not HAVE to.

You still need to do the total cost of ownership (TCO) calculations. OSS does NOT always have the lowest TCO, and no one is saying otherwise. The referenced paper above says the same thing! When you factor in all the costs (including initial and ongoing costs), often OSS _does_ have the lowest TCO, or it has enough other advantages (such as changeability) that the cost difference is worthwhile. Therefore, OSS is worth considering as an option.

Thu, Jul 12, 2007 John Weathersby MS

Apples and oranges. You're assuming that OSS is not available in commercially viable COTS solutions, which is not the case. There are many programs/applications which are readily available, such as Linux OS (Red Hat or SuSE), database (MySQL, Postgres, Ingres), security/crypto (OpenSSL/OpenSSH/Apache mod_ssl), etc... which provide viable, enterprise-level open source solutions and are supported by commercial vendors or by multiple vendors, so you're NOT starting from scratch, as implied. What programs like the Open Technology Development roadmap are striving for is for govt to use (at least consider) these options when appropriate. It does not mandate, but encourages. As a taxpayer myself, I don't want my dollars spent re-inventing the wheel over-and-over-and-over-and-over, which is the case with vendor/SIs now. Open source is an option which needs to at least be available.

jmw

Mon, Jul 9, 2007 Sylvia Webb CA

As a taxpayer, I have serious concerns about productivity and cost when open source software is used. I have yet to see any evidence that Government IT departments are concerned about total cost.

Let's say that Project A requires creation of an application based on a database. The total budgeted hours is 100. Instead of using a commercially available, off-the-shelf database, a decision is made to use an open source one. Midway through the project, the programmer runs into serious problems. He searches the internet, sends emails, etc. and it takes him 20 hours over 7 workdays to find a solution. In addition, his time is spent writing a patch for the problem. Instead of spending this time completing Project A, he/she has spent their time fixing the Open Source product.

How does this equate to greater efficiency, a benefit to taxpayers and government IT users, and fewer dollars?

Mon, Jul 9, 2007 Justin Seiferth

Practically speaking the FAR does allow OSS and of course there are STIGS for testing it. That said- moving one step closer to reality- good luck getting it through a source selection (I've tried) or onto a base locked down by the Standard Desktop. I'm not saying it can't be done, but you'll need to have stars to do it.
