DoD CIO Memo for Senior Pentagon Leadership

DEPARTMENT

DEFENSE

6000

DEFENSE

PENTAGON

WASHINGTON, D.C. 20301-6000

JAN

2 4

2022

CHIEF

INFORMATION

OFFICER

MEMORANDUM

FOR

SENIOR PENTAGON LEADERSHIP

COMMANDANT OF THE COAST GUARD

COMMANDERS OF THE COMBATANT COMMANDS

DEFENSE AGENCY AND DOD FIELD ACTIVITY DIRECTORS

SUBJECT: Software Development and Open Source Software

Over the last two decades, open source software (OSS) has dramatically impacted how

software

designed, developed, deployed, and operated. OSS is software for which the human-

readable source code

available for use, study, re-use, modification, enhancement, and re-

distribution by the users

such software. There are millions

publicly-available OSS

components, libraries, and applications capable of accelerat;ng software modernization activities.

The Department's 2018 Cyber Strategy ( attached) directed the Department to increase the

use

secure OSS and to use commercial

off

-the-shelf tools when possible. The Department's

forthcoming Software Modernization Strategy centers on the delivery

resilient software

capability at the speed

relevance. OSS forms the bedrock

the software-defined world and

critical in delivering software faster. The Department must clearly articulate how, where, and

when it participates, contributes, and interacts with the broader OSS community.

There are two fundamental concerns for the Department that are specific to OSS. First,

using externally maintained code in critical systems potentially creates a path for adversaries to

introduce malicious code into DoD systems. This concern requires a careful supply chain risk

management (SCRM) approach for OSS, which must meet the same rigorous standards for

SCRM and cyber threat testing as any other product. Second, imprudent sharing

code

developed for DoD systems potentially benefits adversaries by disclosing key innovations. This

risk is managed through a Modular, Open-Systems Approach (MOSA), which allows systems to

benefit from OSS while protecting critical, innovative components as separate modules.

Pursuant to Federal Source Code Policy (reference (b)) and Public Law 115-91, Section

875 (reference (c)), Attachment 2 provides detailed guidance on the Department's participation,

contribution, and interaction with the broader OSS community. Additional guidance concerning

OSS is available at https://dodcio.defense.gov/Open-Source-Software-FAQ/. The point

contact for this effort is Dan Risacher, daniel.r.risacher.c~

Sherman

Attachments:

As stated

CLEARED

For Open Publication

Department of Defense

OFFICE OF PREPUBLICATION AND SECURITY REVIEW

Jan 26, 2022

ATTACHMENT 1

REFERENCES

(a) Department

Defense Cyber Strategy, July 13, 2018

(b) Office

Management and Budget M-16-21, "Federal Source Code Policy: Achieving

Efficiency, Transparency, and Innovation through Reusable and Open Source Software," August 8,

2016

"Pilot Program for Open Source Software," December 12, 2017

( d) DoD

Chief

Information Officer Memorandum, "Clarifying Guidance Regarding Open Source

Software (OSS)," October 16, 2009 (hereby superseded)

(e) United States Code, Title 10, Section 2377, "Preference for commercial products and

commercial services"

(f) Federal Acquisition Regulation (FAR), Sections 2.101, 12.000, 12.101

(g) Defense

FAR

Supplement, Section 227.7202, "Commercial computer software and commercial

computer software documentation" and Section 252.227-7014, "Rights in Noncommercial

Computer Software and Noncommercial Computer Software Documentation"

(h) Federal Acquisition Regulation, Section 13.104, "Promoting competition"

(i) United States Code, Title 41, Section 3306, "Planning and solicitation requirements"

Federal Acquisition Regulation, Section 10.001, "Policy"

(k) National Institute

Standards and Technology White Paper, "Mitigating the Risk

Software

Vulnerabilities by Adopting a Secure Software Development Framework (SSDF)," April 23, 2020

(l) National Defense Authorization Act for Fiscal Year 2019, Public Law 115-232, Section 1655,

"Mitigation

risks to national security posed by providers

information technology products and

services who have obligations to foreign governments"

(m) DoD Instruction 5000.87, "Operation

the Software Acquisition Pathway," October 2, 2020

(n) United States Code, Title 10, Section 2322a, "Requirement for consideration

certain matters

during acquisition

noncommercial computer software"

(o) DoD Instruction 5230.24, "Distribution Statements on Technical Documents," October 15,

2018

(p) United States Code, Title 10, Section 2446a, "Requirement for modular open systems approach

in major defense acquisition programs; definitions"

(q) Executive Order 13526, "Classified National Security Information," December 29, 2009

(r) DoD Instruction 5200.48, "Controlled Unclassified Information," March 6, 2020

(s) DoD Cloud Computing Security Requirements Guide, Version

Release 3, March 6, 2017

(t) DoD Instruction 8531.01, "Vulnerability Management," September 15, 2020

ATTACHMENT 2

GUIDANCE ON SOFTWARE DEVELOPMENT

AND OPEN SOURCE SOFTWARE

GENERAL. This attachment provides guidance on OSS and the implications for DoD

software development. Generally, custom software

constructed from pre-existing

components. Since there are millions

off-the-shelf OSS components available, how the

Department uses OSS has a significant impact on overall DoD software development.

2. USE OF OPEN SOURCE SOFTWARE

A. The Department must follow an "Adopt, Buy, Create" approach to software,

preferentially adopting existing government or OSS solutions before buying proprietary

offerings, and only creating new non-commercial software when no off-the-shelf

solutions are adequate.

(1) OSS meets the definition of"commercial computer software" and therefore, shall be

given equal consideration with proprietary commercial offerings, in accordance with

Section 2377

Title 10, U.S.C. (reference (e)) (see also FAR

2.l0l(b),

12.000,

12.101 (reference (f)); and DFARS 212.212, DFARS 208.74, DFARS 227.7202, and

252.227-7014(a)(l) (reference (g))).

(2) In accordance with

FAR

13.104, (reference (h)) refusal to consider all OSS based

solely on software being open source may be contrary to statutory and regulatory

preferences for commercial products, and would unnecessarily restrict competition.

OSS should be considered to the maximum extent practical.

B. Program managers are ultimately responsible for the suitability

off-the-shelf

components used in their programs. This responsibility includes managing risks that the

use

these components may introduce to an acceptable level. To the extent that the

selection

components and assessment

suitability

delegated to a system integrator,

program managers should establish accountability for these functions through contractual

language, MOA / MOU, or other directive guidance for government integrators.

(1) Agencies are required to conduct market research when assessing and selecting

software components per Section 3306

Title 41, U.S.C. (reference (i)) and Federal

Acquisition Regulation 10.001 (reference

U)).

When conducting research and

determining suitability, factors specific to OSS that require consideration include the

following:

a. The continuous and broad peer-review enabled by publicly available source code

supports software reliability and security efforts through the identification and

elimination

defects that might otherwise go unrecognized by a more limited

core development team.

The unrestricted ability to modify software source code enables the Department to

respond more rapidly to changing situations, missions, and future threats.

c. Reliance on a particular software developer or vendor ("vendor lock-in") due to

proprietary restrictions may be reduced by the use

OSS, which can be operated

and maintained by multiple vendors, thus making it easier to replace and upgrade

components as technology and mission needs change.

some level, lock-in may

likely, based on product, architecture,

platform constraints, in spite

using

oss.

d. Since OSS typically does not have a per-seat licensing cost, it can provide a cost

advantage in situations where many copies

the software may be required and

can mitigate risk

cost growth in licensing for situations where the total number

users may not be known in advance.

sharing the responsibility for maintenance

OSS with other users, the

Department can benefit by reducing the total cost

ownership for software,

particularly compared with software for which the Department has sole

responsibility for maintenance (e.g., Government

Off

the

Shelf

(GOTS)). In order

to achieve this benefit, the Department must avoid creating a unique version

the software and should participate with the OSS community that supports that

software as a user and/or as a contributor.

OSS is particularly suitable for rapid prototyping and experimentation, where the

ability to "test drive" the software with minimal costs and administrative delays

can be important.

C. Because

the collaborative nature

OSS development, supply chain risk management

has unique challenges for OSS components. Program managers, in consultation with

support engineers, Authorizing Officials, and agency

Chieflnformation

Officers (CIOs)

must consider these challenges when determining suitability

OSS:

(1) Long-Term Support: Because

the wide array

business models for creating and

maintaining OSS compared to proprietary software, a suitability analysis for OSS

must consider risk factors that indicate whether a software module will be adequately

supported over the life

the program and

how

those risks could be mitigated.

analysis

risk factors is essentially an assessment

the "health"

the open source

project that maintains that component. For example, "is the OSS project active and/or

stable," "when was the last time this OSS project was updated," and "who is

contributing to this OSS." Risk mitigations might include consideration

commercial

in-house support for the OSS component,

availability

feasible

alternatives (MOSA)

the component should need replacement in the future.

(2) Trusted Sources: The collaborative development model

OSS often results in many

versions

the same software being available from disparate sources. Before using

OSS, careful consideration must be made regarding the source from which that

software is obtained, and a determination

the trustworthiness

that source. For

example, software that is actively maintained and distributed by an established

consortium

commercial entity is generally lower risk than a version

that

component distributed by an untrusted individual. Adopting a never trust, always

verify using a rigorous software assurance approach reduces risk as well. For even

trusted sources, program managers should maintain continuous awareness

source

compromises and be prepared to respond to sudden loss

trust in a repository.

Testing should include dynamic code analysis and penetration testing after integration

the updated versions to ensure that updates do not expose DoD systems to new

vulnerabilities.

(3) Dependencies: Because

its modular nature, software

often dependent on sub-

components, (e.g., libraries, plug-ins, extensions, and other package modules) that

may introduce additional risks. This

particularly true for OSS, which often reuses

existing components. Software

higher risk, for example,

it relies on versions

sub-components that are out

date or have publicly known vulnerabilities.

Assessment

a software component should also consider security risks

the sub-

component dependencies, as well as any legal issues regarding the licenses

sub-

components. A related concern

the availability

information related to component

libraries, dependencies, and sub-components (such as a software bill-of-materials)

that can be used to evaluate such risks.

(4) Component Security: Any software project that actively works to reduce security

vulnerabilities

less risky. Because

the open development process used to develop

OSS, it can be easier to assess evidence

this activity ( or the lack

it) compared to

closed development processes. Positive indicators include the use

tools, both out-

of-band and in the OSS project's integration pipeline that look for security

vulnerabilities (to detect and fix issues before deployment), transparent reporting

security vulnerabilities, history

security reviews, cyber testing ( especially third-

party audits, tests, or assessments), problems-addressed, and a history

timely

vulnerability remediation. The NIST SSDF (reference

(k)) includes additional

guidance on component security.

(5) Component Integrity: Any software project that actively maintains cryptographically

protected integrity verification for released code, scripts, configuration files, and

associated documentation to reduce security risks ( e.g., digitally signed hashes

code) is less risky. Software integrity is particularly critical for OSS programs, which

because

the availability

source code, are more subject to the creation and

distribution

modified, possibly-untrusted versions.

(6) Influence

Foreign Governments: Public Law 115-232, Section 1655 (reference (I))

requires certain actions to mitigate risks posed by suppliers

information technology

and services who have obligations to foreign governments. OSS

specifically

exempt from these requirements, but program managers must be cognizant

the

potential for influence on OSS projects by foreign governments, and consider what

internal reviews

code contributions are conducted by the OSS project, and what

external reviews or audits may be necessary to counteract the potential for malicious

interference with the project.

Despite widespread misperceptions that OSS

"free to use", most OSS is protected by

limited by the terms

the software license. Government use or distribution

OSS must conform to the

terms

the OSS license, including maintaining authorship, copyright markings, and

licensing information as specified in the license terms.

E. Given the value

ofOSS

as a source

potential components to software development

activities, operators

network enclaves that support software development and

maintenance activities should ensure that access to software repositories and software

development resources are not unduly restricted. This access is particularly critical for

software developers, testers, and analysts to be effective.

F. OSS components

ofDoD

systems require product support and sustainment planning

much as proprietary components. OSS components should be included in the Life Cycle

Product Support Strategy (PSS), as described in DoDI 5000.87 (reference (m)), or in a

comparable PSS used in other Adaptive Acquisition Framework pathways. For OSS, this

strategy should address the ongoing balance between development contractor support,

organic contractor logistics support, and support

the OSS community. Many OSS

components are updated much more frequently than other COTS or GOTS software,

which may impact update schedules for government systems in which they are used. The

PSS should consider supportability risks for OSS components over the expected life cycle

the program.

USE OF OPEN SOURCE DEVELOPMENT APPROACH

A. In order to release custom-developed (i.e., non-commercial) software as OSS, the DoD

must first take delivery

the source code for that software. The Federal Source Code

Policy (reference (b)) and Public Law 115-91, Section 875 (reference (c)) require the

DoD to release some custom-developed software as OSS. Likewise, in accordance with

Section 2322a

Title 10, U.S.C. (reference (n)), programs acquiring non-commercial

computer software should plan to acquire and take delivery

the software source code

and related materials to the maximum extent practicable.

(1) Program managers should plan to acquire source code

non-commercial software,

related data, and associated license rights that are necessary across the life-cycle

that software for the development, testing, operations, and maintenance

that

software. This includes all artifacts necessary to reproduce, build, or recompile the

software from its source code and required software libraries; to conduct required

functional and vulnerability software testing; and to deploy computer programs on

relevant system hardware.

(2) Contracting officers are responsible for ensuring that, wherever practicable,

solicitations and contracts require delivery in a digital format compatible with

applicable computer programs on relevant system hardware and do not rely on

external

additional non-commercial or commercial computer software or data that

is not also included in the items to be delivered.

(3) Updates to the Defense Federal Acquisition Regulation Supplement with specific

guidance are pending as DFARS Case 2018-D018.

B. Managers

government software development projects should separate the development

software that implements critical technology from routine automation

business

processes or similar functionality. Critical technology is defined in DoD Directive

5230.24 (reference (o)) as information and technical data that advance current technology

or describe new technology in an area

significant or potentially significant military

application or that relate to a specific military deficiency

a potential adversary.

(1) The separation

software implementations

critical technology from routine

automation should be reflected in a modular open systems approach as defined by

Section 2446a

Title 10, U.S.C. (reference (p)). Entire programs generally should

not be protected as critical technology, but rather only the components that are

actually novel advances.

(2) Software development that implements critical technology (as defined by reference

( o )) is generally not appropriate for distribution

OSS.

shared at all, it must be

closely protected and shared only with mission partners under a non-disclosure

agreement with terms to protect its strategic value. OSS may be used as a component

a critical technology unless the license terms

the OSS component will create an

obligation to disclose the critical technology. Software code whose revelation could

damage national security must be classified per Executive Order 13526 (reference

(q)).

(3) All other software development that

not a critical technology should consider an

open source, collaborative approach that maximizes value through reuse and

minimizes maintenance and integration costs. This collaborative approach includes

releasing code as OSS whenever practicable on either code.gov or code.mil.

Software, including code fixes and enhancements, developed for systems other than

National Security Systems (NSS), should be open-by-default and released (under an open

source software license) and shall be advertised at either code.gov or code.mil unless any

the following conditions apply:

(1) The project manager, program manager, or other comparable official has determined

in writing that the software constitutes a critical technology that must be protected.

(2) The Government lacks the rights to reproduce and release the item, or to authorize

others to do so.

(3) The public release

the item is restricted by other laws or regulations, such as the

Export Administration Regulations or the International Traffic in Arms Regulation,

and the item cannot qualify for Distribution Statement A per DoD Instruction 5230.24

(reference (o)).

D. Software that meets the criteria for Distribution Statements B through F, as defined by

DoD Instruction 5230.24 (reference (o)),

considered Controlled Technical Information

(CTI) and may not be released as OSS. Program managers should mark such software as

Controlled Unclassified Information (CUI), per DoD Instruction 5200.48 (reference (r)).

Software that does not meet the criteria for Distribution Statements B through F is not

CTI, and should not be treated as such nor marked as CUI.

E. Components

ofNSS

that are not critical technology, as defined by reference (o), may be

released as OSS at the discretion

the program manager or the direction

the relevant

Principal Staff Assistant or Component CIO.

F. Vulnerability information about OSS (including projects maintained by DoD)

unclassified information that shall be handled as Impact Level 2 information in

accordance with the DoD Cloud Computing Security Requirements Guide (reference (s)).

For DoD-led projects, this information shall be withheld from public release until the

vulnerability is analyzed and fixed. Vulnerability information for OSS should be

reviewed by the Vulnerabilities Equities Process described in reference (t) before being

disclosed to the broader OSS community.

DoD programs releasing code as OSS may use any

the following licenses, which have

been shown to be acceptable for DoD use: Apache-2.0, BSD, GPL, LGPL, and MIT

licenses. Component CI Os may grant permission to use other licenses

required.

Programs should not develop their own unique license, which creates unnecessary legal

complexity. Programs should also consult with a cognizant attorney-advisor about which

OSS licenses best meet the Government's needs and do not conflict with applicable

statutes, regulations, and policies.

H. Projects releasing code as open source software to the public or mission partners should

publish their intention and ability to accept submissions

proposed enhancements

(patches).

the project team accepts submissions from the general public, they must also

publish how they will assess, test, and evaluate those submissions for possible

incorporation into the managed software baseline.

Whenever a DoD Component first releases a software codebase as OSS or for

government-wide re-use (with the exception

basic research funded

part

Budget

Activity

1),

it must report that to its respective CIO. That CIO must in-turn report it to

code.gov. This process enables sharing

such code in compliance with reference (b).

In cases where the management

an existing software codebase is unclear, DoD

Components and Component CIOs are authorized and encouraged to make any necessary

determinations to resolve ambiguity and release legacy code as OSS where warranted.

For example, a CIO may choose to release "orphaned" software that was developed by a

program that has since been terminated, but may be useful to other agencies.

4. CONTRIBUTION TO OPEN SOURCE SOFTWARE PROJECTS

A. Employee participation in OSS projects used by DoD

often in the Government's

interest, and

typically a legitimate use

government resources when the Government

uses the software in question, either directly, as a component

a larger government

system, or as a component

underlying government infrastructure.

(1) Government employees may contribute to existing OSS projects (including being the

primary maintainer) as part

their official duties, so long as they consult with their

supervisor first to ensure a common-sense approach for contributions that preserve

Operations Security (OPSEC) and further the Government's interests.

(2) Contractors may contribute to OSS projects at government expense when the

government task monitor authorizes such activity as being in the Government's

interest, subject to the scope and provisions

the contract.

Creating a separate, DoD-specific version

any OSS project, for any reason, increases

support risk and should be avoided whenever possible. Creating such a DoD-specific fork

creates risk by requiring separate maintenance, reducing access to software capabilities

from the OSS community, and may require the Department to assume full management

responsibility

the software's source code, thereby increasing costs.

Any improvements or new capabilities added to an OSS project should be contributed

back to the upstream open source project via pull/merge request, in accordance with the

processes used by that project.