DOD puts open-source software on level playing field

Defense Department agencies are free to use open-source software as long as they comply with the same security and validation requirements as those imposed on other types of software.

In a May 28 memorandum, Defense CIO John P. Stenbit said Defense users of open-source code must make sure that the software complies with all policies that govern off-the-shelf software.

Specifically, the software must comply with the security and validation requirements in National Security Telecommunications and Information Systems Security Policy Number 11 and other DOD configuration guidelines.

The memo cites the Linux operating system as an example of software that is licensed under the GNU General Public License, which keeps modified versions of the software under the same terms and conditions as the original code.

Stenbit's memo follows a report that the Mitre Corp. of Bedford, Mass., completed last fall on open-source software within DOD. Mitre's survey, conducted via e-mail, located 115 open-source software applications within DOD and 251 examples of how those apps are being used. The study concluded that open-source software 'plays a more critical role in the DOD than has generally been recognized.'

'We looked at that [study], and we realized that there was a lot of open source being used in the Department of Defense, and we wanted to make sure it meets the requirements,' said Robert Gorrie, deputy director of the Defense Information Assurance Program.

Tony Stanco, associate director of the Cyber Security Policy and Research Institute at George Washington University, called the memo a 'huge deal' because it is the first time DOD has said that it doesn't give preference to proprietary software over open source.

Some Defense users have employed Linux for various projects, even weapons systems, but more cautious individuals have been waiting for official clearance before installing the open-source operating system, Stanco said.

'There's policy in government, and then there's what people do,' Stanco said.

Stanco has posted a (PDF) copy of Stenbit's memo on the Web site of the Center for Open Source and Government at www.egovos.org.
