Pentagon: Open source good to go
Military IT folks wondering if their use of Apache, Perl, Linux
and other open source software is copacetic with the brass will
soon get some answers from the Defense Department's Office of the
Chief Information Officer.
The office is preparing a memorandum that further clarifies how
open source may be procured and used within the services.
The memo should answer many lingering questions still
surrounding open source, said Daniel Risacher, the data
strategy leader for the Office of Secretary of Defense who is
drafting the memo. The draft may point out some potential benefits
as well.
"Those factors that are in favor of open source have not been
appreciated to date," said Risacher, speaking at the Red Hat
Government Users and Developers conference, being held today. The
DOD CIO office is aiming to release the memo by early November.
From Risacher's description of the draft, the memo may reinforce
the acceptability of using open source software within the Defense
Department, as well as for other federal agencies. It may even
broaden procedures for procuring commercial software.
"Those mandates [in which] we have to consider commercial
off-the-shelf software, we have to apply that to open source
software as well," Risacher said. "And that is not well appreciated
within government."
Risacher said that he first started working on the memo last
summer at the behest of the Defense Deputy CIO, David Wennergren.
Although widely used in federal government, open source software,
due to its unusual form of distribution, has raised questions among
regulation-minded program managers.
In 2004, the Office of Management and Budget issued a
memorandum, M-04-16, that called on agencies to exercise the same
procurement procedures for open source as they would for commercial
software, as per guidelines set in OMB Circulars A-11 and A-130 and
the Federal Acquisition Regulation policies. And in 2003,
then-defense CIO John Stenbit issued a memo reminding services that
any open source software they use should be held to the same levels
of security and licensing accountability as commercial
software.
The new memo aims to address various questions that have arisen
since these memos.
One of the primary issues to be addressed is whether open source
software is a form of commercial off-the-shelf software (COTS). The
Defense Department has a number of mandates that compel the
services to seek COTS software packages before commissioning custom
code. If open source is COTS, then it needs to be included in the
procurement process.
It is, Risacher confirmed. Risacher notes that COTS is generally
defined as "software that is for sale, lease or licensed to the
public, and is available to the government as well." Open source
fits under this definition.
The memo should also dispel lingering ideas that open source
software may not be used because it is a form of shareware or
freeware. A 2003 policy titled Information Assurance Implementation (8500.2) states that the military
should not use "freeware" or "shareware" software.
Risacher noted that, according to the policy, shareware and freeware
should not be used because the "government does not have access to
the original source code and there is no owner who could make such
repairs on behalf of the Government."
Obviously, Risacher argued, these conditions would not apply to
open source.
The memo will also confirm that it is acceptable for an agency
to contribute source code back into a public open source project.
It is acceptable, Risacher qualified, assuming the agency has the
rights to the code, that releasing the code is in the government's
interest and that sharing the code does not violate any other
government restrictions, such as the International Traffic in Arms
Regulations (ITAR). Risacher also cautioned that government
employees may not copyright any work that they do, so any
contributions will be in the public domain.
In addition to defining the relationship open source has with
COTS, shareware and copyright, the memo may also articulate some of
the possible advantages of deploying open source.
When we use the term "open source software," we are actually
talking about three inter-related things, Risacher explained. One
is the body of code of the software program, which, like the
software itself, is freely available. Another aspect is the
development methodology, which encourages volunteer developers to
help write the code. And the third aspect of open source is the
licensing, which sets the rules for the lightly-controlled creation
and usage of the software.
Defense agencies could benefit from all these aspects, Risacher
said. By using open-source software, the services can update their
software as soon as a vulnerability is found or an update is
needed, rather than wait for the vendor to supply a patch. Open
source also promises faster prototyping of systems, and lower
barriers to exit. And if a government-written application is
released into open source, outside developers could work to fix the
problem, lowering maintenance costs of software.
Open source also tends to have fewer restrictions than
proprietary software, Risacher said.
"We have a lot of examples of restrictions in end user licenses
that turn out to prevent the DOD from doing things [it] wanted to
do," he said. "We find that problematic."