Use of Free and Open-Source Software (FOSS) in the U.S. Department of Defense is a 2003 report by The MITRE Corporation that documented widespread use of and reliance on free software (termed "FOSS") within the United States Department of Defense (DoD). The report helped end a debate about whether FOSS should be banned from U.S. DoD systems, and helped redirect the discussion toward the present official U.S. DoD policy of treating FOSS and proprietary software as equals.

The FOSS report started in early 2002 as a request relayed to Terry Bollinger of The MITRE Corporation to collect data on how FOSS was being used in U.S. DoD systems. The driver for the request was an ongoing debate within the U.S. DoD about whether to ban the use of FOSS in its systems, and in particular whether to ban GNU General Public License (GPL) software. The U.S. Defense Information Systems Agency (DISA) was also involved, and agreed to sponsor the report.

The first draft was completed two weeks later, and version 1.0 was released a few weeks after that. It quickly gained notoriety for its documentation of widespread use of FOSS within the U.S. Department of Defense, and consequently was discussed in an article about free software in the Washington Post. The attention resulted in a new round of reviews and edits. Microsoft Corporation requested that Ira Rubinstein, its legal counsel and liaison for DoD software policy issues, be allowed to participate. Rubinstein, who is listed in the preface as the first reviewer, produced the most detailed critique of the report. His feedback resulted in a major expansion of the report's coverage and analysis of free software licenses. The revised report was released on January 2, 2003. It was first published on the DISA web site, and is now available on the DoD CIO web site on open source software resources.
Prior to this report, very little information had been available about how (and even whether) FOSS was used extensively in U.S. DoD systems. The report changed this aspect of the debate immediately, proving beyond any reasonable doubt that the U.S. DoD was already a major user of FOSS. More importantly, the report documented that FOSS was being used in important and even mission-critical situations. One of the more surprising findings documented in the report is that the cyber security community was the most upset of any group at the prospect of FOSS being banned. From their perspective, FOSS provides high code visibility and the ability to fix security flaws quickly and quietly, without waiting on an external vendor's update cycle. As a result of the findings, any serious consideration of banning FOSS was dropped. The broader impact can be appreciated by recognizing that if the security-conscious U.S. DoD had banned FOSS, many other federal components, state and local governments, corporations, and international groups would likely have followed suit. The result would have been a world much less friendly both to FOSS and to FOSS-like efforts.

Below is the executive summary of the report. The full report was published in several formats, which can be found along with related open source software resources on Bollinger's personal web page.

This report documents the results of a short email-mediated study by The MITRE Corporation on the use of free and open-source software (FOSS) in the U.S. Department of Defense (DoD). FOSS is distinctive because it gives users the right to run, copy, distribute, study, change, and improve it as they see fit, without having to ask permission from or make fiscal payments to any external group or person.
The autonomy properties of FOSS make it useful for DoD applications such as rapid responses to cyberattacks, for which slow, low-security external update processes are neither practical nor advisable, and for applications where rapid, open, and community-wide sharing of software components is desirable. On the other hand, the same autonomy properties complicate the interactions of FOSS with non-FOSS software, leading to concerns (some valid and some not) about how and where FOSS should be used in complex DoD systems.

The term free in FOSS refers not to fiscal cost, but to the autonomy rights that FOSS grants its users. The term open source emphasizes the right of users to study, change, and improve the source code, that is, the detailed design, of FOSS applications. Software that qualifies as free almost always also qualifies as open source, and vice versa, since both terms derive from the same set of software user rights formulated in the late 1980s by Richard Stallman of the Free Software Foundation.

The goals of the MITRE study were to develop as complete a listing of FOSS applications used in the DoD as possible, and to collect representative examples of how those applications are being used. Over a two-week period the survey identified a total of 115 FOSS applications and 251 examples of their use.

To help analyze the resulting data, the hypothetical question was posed of what would happen if FOSS software were banned in the DoD. Surprisingly, over the course of the analysis it was discovered that this hypothetical question has a real-world analog in the form of proprietary licenses that, if widely used, would effectively ban most forms of FOSS. For the purpose of the analysis, the effects of the hypothetical ban were evaluated based on how FOSS is currently being used in the survey examples.
In the case of niche-dominating FOSS products such as Sendmail (ubiquitous for Internet email) and GCC (a similarly ubiquitous compiler), a large amplification factor must also be taken into account when estimating such impacts. The actual level of DoD use of such ubiquitous applications is likely to be hundreds, thousands, or even tens of thousands of times larger than the number of examples identified in the short survey.

The main conclusion of the analysis was that FOSS software plays a more critical role in the DoD than has generally been recognized. FOSS applications are most important in four broad areas: Infrastructure Support, Software Development, Security, and Research. One unexpected result was the degree to which Security depends on FOSS. Banning FOSS would remove certain types of infrastructure components (e.g., OpenBSD) that currently help support network security. It would also limit DoD access to, and overall expertise in, the use of powerful FOSS analysis and detection applications that hostile groups could use to help stage cyberattacks. Finally, it would remove the demonstrated ability of FOSS applications to be updated rapidly in response to new types of cyberattack. Taken together, these factors imply that banning FOSS would have immediate, broad, and strongly negative impacts on the ability of many sensitive and security-focused DoD groups to defend against cyberattacks.

For Infrastructure Support, the strong historical link between FOSS and the advent of the Internet means that removing FOSS applications would result in a strongly negative impact on the ability of the DoD to support web and Internet-based applications. Software Development would be hit especially hard for languages such as Perl that are direct outgrowths of the Internet, and would also suffer serious setbacks for development in traditional languages such as C and Ada.
Finally, Research would be impacted by a large to very large increase in support costs, and by loss of the unique ability of FOSS to support sharing of research results in the form of executable software.

Neither the survey nor the analysis supports the premise that banning or seriously restricting FOSS would benefit DoD security or defensive capabilities. To the contrary, the combination of an ambiguous status and largely ungrounded fears that it cannot be used with other types of software is keeping FOSS from reaching optimal levels of use.

Create a "Generally Recognized As Safe" (GRAS) FOSS list. This list would provide quick official recognition of FOSS applications that are (a) commercially supported, (b) widely used, and (c) have proven track records of security and reliability, e.g., as measured by speed of closure of CERT reports in comparison to closed-source alternatives. In formulating the list, immediate consideration should be given in particular to high-value, heavily used infrastructure and development tools such as Linux, OpenBSD, NetBSD, FreeBSD, Samba, Apache, Perl, GCC, GNAT, XFree86, OpenSSH, BIND, and sendmail.

Develop Generic, Infrastructure, Development, Security, & Research Policies. The DoD should develop generic policies both to promote broader and more effective use of FOSS, and to encourage the use of commercial products that work well with FOSS. A good example of the latter is the Microsoft Windows Services for UNIX product, which relies on FOSS (GPL) software to reduce development costs and dramatically increase its power. A second layer of customized policies should be created to deal with major use areas. For Infrastructure and Development, these policies should focus on enabling easier use of GRAS products such as Apache, Linux, and GCC that are already in wide use, but which often suffer from an ambiguous approval status.
For Security, use of GPL within groups with well-defined security boundaries should be encouraged to promote faster, more locally autonomous responses to cyber threats. Finally, for Research the policies should encourage appropriate use of FOSS both to share and publish basic research, and to encourage faster commercial innovation.

Encourage use of FOSS to promote product diversity. FOSS applications tend to be much lower in cost than their proprietary equivalents, yet they often provide high levels of functionality with good user acceptance. This makes them good candidates to provide product diversity in both the acquisition and architecture of DoD systems. Acquisition diversity reduces the cost and security risks of being fully dependent on a single software product, while architectural diversity lowers the risk of catastrophic cyber attacks based on automated exploitation of specific features or flaws of very widely deployed products.

This page was last edited on 10 January 2024, at 13:28 (UTC).