Slashdot Mirror

← Back to Stories (view on slashdot.org)

Defense Dept. Memo Explains Open Source Policy

Posted by ryuzaki0 on from the bureaucracy-miring-in-itself dept.

TonyStanco writes "Big news. DoD issued a policy statement leveling the playing field for Open Source. We have the memo on the Center of Open Source & Government site." The requirements listed in this memo make me think of a company policy along the lines of "You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider." See this PDF for more information about National Security Telecommunications and Information Systems Security Policy (NSTISSP) number 11.

8 of 387 comments (clear)

  1. It's a start by BWJones · · Score: 4, Interesting

    "You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider.

    Well, hey. At least its a start. Previously, many DOD organizations and departments had an absolute policy on software/platform. In many places, especially sensitive installations, the policy was Solaris. In the last few years there has been an inexorable move toward Windows, despite the obvious problems. Other defense contractors have been moving in the same direction presumably to control costs by moving everything to one platform. However, most people are finding that this is not the best solution and they are allowing the installation/use/purchase of other systems including open source, Linux and OS X.

    --
    Visit Jonesblog and say hello.
  2. It's not that bad by Mahrin+Skel · · Score: 4, Interesting
    The regulations cited are basically a bunch of qualification hoops that have to be jumped through before software is considered "Mil-Spec". The first outfit inside DoD to qualify a OSS package is going to have to *really* want it to fill out all that paperwork, but once it is done it should get a lot easier. Keep in mind, that doesn't mean it will get used for Top Secret or above work right away, some of those hoops are *not* pro forma. But once DoD starts using it, even for trivial things, there will be outfits that just need to satisfy *one* more requirement than has already been filled, and will find it worthwhile to take it the next step.

    Best first bet would be it will slip in from DARPA. They've probably *already* been using it in places they're technically supposed to be using a commercial UNIX.

    --Dave

  3. Waivers by MonkeyBoyo · · Score: 3, Interesting
    How much do you want to bet that most acceptible software in the DoD is there because of waivers? In the NSTISSP link it says:
    (14) Waivers to this policy may be granted by the NSTISSC on a case-by-case basis. Requests for waivers, including a justification and explanatory details, shall be forwarded through the Director, National Security Agency (DIRNSA), ATTN: V1, who shall provide appropriate recommendations for NSTISSC consideration. Where time and circumstances may not allow for the full review and approval of the NSTISSC membership, the Chairman of the NSTISSC is authorized to approve waivers to this policy which may be necessary to support U.S. Government operations which are time-sensitive, or where U.S. lives may be at risk.
  4. Navy/Marine Corp and the desktop by Camel+Pilot · · Score: 4, Interesting

    The Navy/Marine corp are launching a large scale contract (NMCI) that restricts all Navy IT to MS and MS solutions.

    This contract locks down the network to only NMCI managed systems (MS only). If there are existing systems that cannot run under windows than you have to apply for a "legacy system" exception and pay extra for no service.

    This one size fits all approach is short sighted and foolish. The upper echelon has yet to catch on that the network is the backbone or the infrastructure that enables an ever increasing plethora of monitoring systems, data acquisition and control systems, collabration and communication mechanisms, etc.

    As more and more devices become Web enabled the Navy has effectively locked itself out in the cold and crawled in bed with built in obsolesce - not to mentioned left itself vulnerable to an attack or virus that would spead like wild fire in a homogeneous network.

    1. Re:Navy/Marine Corp and the desktop by instantkarma1 · · Score: 5, Interesting

      Oh, how I love NMCI. We (a couple of consultants) won a gig with the Navy, developing a web application on Linux, MySQL & Apache. Got the go-ahead and started developing...Then, the big bad NMCI came along. In order to be NMCI compliant, we were forced to switch from MySQL to Oracle (to be fair, we were given the choice to use SQL Server....bah!). Ok, I can deal with that. I now get paid to learn Oracle. Cool. Then, after three months of development..."uh...we need you to switch to Windows. It's a NMCI thingy". Not a happy day. Anyway...to make a long story short, in order to be NMCI compliant (and not having the requirements up front), we have this monstrosity of a web application running on Win2000 with Perl, PHP, Oracle and Apache. Needless to say, there aren't too many people in that boat (whoa...a funny...navy..boat...oh nevermind).

      There really is no point to this posting, so mod me down. I'm just ranting and wanted to share an example of your tax dollars at work.

  5. another interesting link... by pb · · Score: 4, Interesting

    Use of Free and Open-Source Software (FOSS) in the U.S. Department of Defense -- This report documents the results of a short email-mediated study by The MITRE Corporation on the use of free and open-source software (FOSS) in the U.S. Department of Defense (DoD).

    --
    pb Reply or e-mail; don't vaguely moderate.
  6. Re:Questions: OSS and Dod? by Minna+Kirai · · Score: 4, Interesting

    I would NOT be offended if goverment agencies decided to use undocumented closed source protocals

    I wouldn't be offended- I'd be scared. The rule of thumb is that "Security through obscurity is no security at all", but realistically, it's good enough for some situations where there aren't large numbers of dedicated, well-fianced enemy spies. That is, anyplace other than National Security can get away with it for a while.

    It is critical that, if a software developer who knows the code defects, we can simply change everyone's password and not junk the entire system until the program can be re-written from scratch. But that's what relying on closed-source for security would require.

    Hell if they want to write their propriority software in ADA, more power too them.

    The US government doesn't write proprietary software. Or anything else proprietary for that matter- all their intellectual works are public domain. Some of them are protected under security classification, like the way Air Force bases belong to the public, but they're not allowed inside without permission.

    (And, a Top-Secret classification will expire long before copyrights do...)

  7. dont forget DARPA funded openBSD for 20 months... by evil_one666 · · Score: 3, Interesting
    As covered in slashdot and elsewhere, openBSD was being funded for 20 months by DARPA (that shady branch of the US military who originally invented the internet). Funding was eventually pulled after pro-peace comments from the (canadian) project leader, Theo de Raadt, 4 months early. It also had something to do with the hackathon convention he organised... maybe, DARPA has not officially commented.

    openBSD is of course reputed to be the most secure open source operating system.

    I think that it seems a little weird that the US military is on the one hand acting very anti opensouce, while on the other- it is actively funding its development.

    Additionally, I have seen one or two "discovery channel" type documentaries in recent months that have filmed computer terminals inside US military installations. There was no doubt that the personnel were running Unix, although the exact flavour remained unclear- but could it be openBSD...?