Open Source Q&A: David Wheeler Q&A session held during the “Open Source Software and DoD” webinar
To use OSS, does it need to be on the Department of Defense Intelligence Information System (DODIIS) approved list?
The DoD has different rules for different kinds of systems and different uses, but in practically every case the rules have nothing to do with whether or not the program is OSS. So the question is really, “to use some program, does it need to be on approved list X?” The answer is “it depends on the circumstance”. So find out the rule for installing a proprietary COTS program for your circumstance, and follow the same rules when you wish to install an OSS COTS product. In some cases there’s secure installation guidance; see DISA’s Security Technical Implementation Guides (STIGs) and NSA’s Security Configuration Guides. Many OSS programs are already on these lists. In some cases you may need to add the program to the approved list for your circumstance, so you’ll need to follow the process for getting the program on that list. In some cases it’s there but not obvious (e.g., the Linux kernel and many other OSS components are covered by the Unix STIG).
Remember that OSS always (by definition) permits use for any purpose, as well as redistribution of the program without additional payment. That means that, by definition, the DoD always has an enterprise-wide license for the use of any OSS program. (Support is a different tale – if you want 24×7 phone support, you’ll need to pay for it. But I covered that in the talk.)