DOD readies open source memo

The Defense Department's Office of the Chief Information Officer is preparing a memorandum that further clarifies how open source may be procured and used within the services.

Military IT folks wondering if their use of Apache, Perl, Linux and other open source software is copacetic with the brass will soon get some answers from the Defense Department's Office of the Chief Information Officer.

The office is preparing a memorandum that further clarifies how open source may be procured and used within the services.

The memo should answer many lingering questions still surrounding open source, said Daniel Risacher, the data strategy leader for the Office of the Secretary of Defense who is drafting the memo. The draft may point out some potential benefits as well.

"Those factors that are in favor of open source have not been appreciated to date," said Risacher, speaking at the Red Hat Government Users and Developers conference, being held today. The DOD CIO office is aiming to release the memo by early November.

From Risacher's description of the draft, the memo may reinforce the acceptability of using open source software within the Defense Department, as well as for other federal agencies. It may even broaden procedures for procuring commercial software.

"Those mandates [in which] we have to consider commercial off-the-shelf software, we have to apply that to open source software as well," Risacher said. "And that is not well appreciated within government."

Risacher said that he first started working on the memo last summer at the behest of the Defense Deputy CIO, David Wennergren. Although widely used in federal government, open source software, due to its unusual form of distribution, has raised questions among regulation-minded program managers.

In 2004, the Office of Management and Budget issued a memorandum, M-04-16, that called on agencies to exercise the same procurement procedures for open source as they would for commercial software, as per guidelines set in OMB Circulars A-11 and A-130 and the Federal Acquisition Regulation policies. And in 2003, then-defense CIO John Stenbit issued a memo reminding services that any open source software they use should be held to the same levels of security and licensing accountability as commercial software.

The new memo aims to address various questions that have arisen since these memos.

One of the primary issues to be addressed is whether open source software is a form of commercial off-the-shelf software (COTS). The Defense Department has a number of mandates that compel the services to seek COTS software packages before commissioning custom code. If open source is COTS, then it needs to be included in the procurement process.

It is, Risacher confirmed. Risacher notes that COTS is generally defined as "software that is for sale, lease or licensed to the public, and is available to the government as well." Open source fits under this definition.

The memo should also dispel lingering ideas that open source software may not be used because it is a form of shareware or freeware. A 2003 policy, titled Information Assurance Implementation (8500.2), states that the military should not use "freeware" or "shareware" software.

Risacher noted that, according to the policy, shareware and freeware should not be used because the "government does not have access to the original source code and there is no owner who could make such repairs on behalf of the Government." Obviously, Risacher argued, these conditions would not apply to open source.

The memo will also confirm that it is acceptable for an agency to contribute source code back into a public open source project. It is acceptable, Risacher qualified, assuming the agency has the rights to the code, that releasing the code is in the government's interest and that sharing the code does not violate any other government restrictions, such as the International Traffic in Arms Regulations (ITAR). Risacher also cautioned that government employees may not copyright any work that they do, so any contributions will be in the public domain.

In addition to defining the relationship open source has with COTS, shareware and copyright, the memo may also articulate some of the possible advantages of deploying open source.

When we use the term "open source software," we are actually talking about three interrelated things, Risacher explained. One is the body of code of the software program, which, like the software itself, is freely available. Another aspect is the development methodology, which encourages volunteer developers to help write the code. And the third aspect of open source is the licensing, which sets the rules for the lightly controlled creation and usage of the software.

Defense agencies could benefit from all these aspects, Risacher said. By using open source software, the services can update their software as soon as a vulnerability is found or an update is needed, rather than wait for the vendor to supply a patch. Open source also promises faster prototyping of systems, and lower barriers to exit. And if a government-written application is released into open source, outside developers could work to fix problems, lowering software maintenance costs.

Open source also tends to have fewer restrictions than proprietary software, Risacher said.

"We have a lot of examples of restrictions in end user licenses that turn out to prevent the DOD from doing things [it] wanted to do," he said. "We find that problematic."