Slashdot Mirror


Defense Dept. Memo Explains Open Source Policy

TonyStanco writes "Big news. DoD issued a policy statement leveling the playing field for Open Source. We have the memo on the Center of Open Source & Government site." The requirements listed in this memo make me think of a company policy along the lines of "You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider." See this PDF for more information about National Security Telecommunications and Information Systems Security Policy (NSTISSP) number 11.

6 of 387 comments

  1. It's a start by BWJones · · Score: 4, Interesting

    "You can bring your baby or toddler to work, so long as it can talk, feed itself and stick effortlessly to the ceiling like a spider."

    Well, hey. At least it's a start. Previously, many DOD organizations and departments had an absolute policy on software/platform. In many places, especially sensitive installations, the policy was Solaris. In the last few years there has been an inexorable move toward Windows, despite the obvious problems. Other defense contractors have been moving in the same direction presumably to control costs by moving everything to one platform. However, most people are finding that this is not the best solution and they are allowing the installation/use/purchase of other systems including open source, Linux and OS X.

    --
    Visit Jonesblog and say hello.
  2. It's not that bad by Mahrin Skel · · Score: 4, Interesting

    The regulations cited are basically a bunch of qualification hoops that have to be jumped through before software is considered "Mil-Spec". The first outfit inside DoD to qualify an OSS package is going to have to *really* want it to fill out all that paperwork, but once it is done it should get a lot easier. Keep in mind, that doesn't mean it will get used for Top Secret or above work right away; some of those hoops are *not* pro forma. But once DoD starts using it, even for trivial things, there will be outfits that just need to satisfy *one* more requirement than has already been filled, and will find it worthwhile to take it the next step.

    Best first bet would be it will slip in from DARPA. They've probably *already* been using it in places they're technically supposed to be using a commercial UNIX.

    --Dave

  3. Navy/Marine Corp and the desktop by Camel Pilot · · Score: 4, Interesting

    The Navy/Marine Corps are launching a large-scale contract (NMCI) that restricts all Navy IT to MS and MS solutions.

    This contract locks down the network to only NMCI managed systems (MS only). If there are existing systems that cannot run under Windows then you have to apply for a "legacy system" exception and pay extra for no service.

    This one-size-fits-all approach is short-sighted and foolish. The upper echelon has yet to catch on that the network is the backbone or the infrastructure that enables an ever increasing plethora of monitoring systems, data acquisition and control systems, collaboration and communication mechanisms, etc.

    As more and more devices become Web enabled the Navy has effectively locked itself out in the cold and crawled in bed with built-in obsolescence - not to mention left itself vulnerable to an attack or virus that would spread like wildfire in a homogeneous network.

    1. Re:Navy/Marine Corp and the desktop by instantkarma1 · · Score: 5, Interesting

      Oh, how I love NMCI. We (a couple of consultants) won a gig with the Navy, developing a web application on Linux, MySQL & Apache. Got the go-ahead and started developing...Then, the big bad NMCI came along. In order to be NMCI compliant, we were forced to switch from MySQL to Oracle (to be fair, we were given the choice to use SQL Server....bah!). Ok, I can deal with that. I now get paid to learn Oracle. Cool. Then, after three months of development..."uh...we need you to switch to Windows. It's a NMCI thingy". Not a happy day. Anyway...to make a long story short, in order to be NMCI compliant (and not having the requirements up front), we have this monstrosity of a web application running on Win2000 with Perl, PHP, Oracle and Apache. Needless to say, there aren't too many people in that boat (whoa...a funny...navy..boat...oh nevermind).

      There really is no point to this posting, so mod me down. I'm just ranting and wanted to share an example of your tax dollars at work.

  4. another interesting link... by pb · · Score: 4, Interesting

    Use of Free and Open-Source Software (FOSS) in the U.S. Department of Defense -- This report documents the results of a short email-mediated study by The MITRE Corporation on the use of free and open-source software (FOSS) in the U.S. Department of Defense (DoD).

    --
    pb Reply or e-mail; don't vaguely moderate.

  5. Re:Questions: OSS and Dod? by Minna Kirai · · Score: 4, Interesting

    I would NOT be offended if government agencies decided to use undocumented closed source protocols

    I wouldn't be offended- I'd be scared. The rule of thumb is that "Security through obscurity is no security at all", but realistically, it's good enough for some situations where there aren't large numbers of dedicated, well-financed enemy spies. That is, anyplace other than National Security can get away with it for a while.

    It is critical that, if a software developer who knows the code defects, we can simply change everyone's password and not junk the entire system until the program can be re-written from scratch. But that's what relying on closed-source for security would require.

    Hell if they want to write their proprietary software in ADA, more power to them.

    The US government doesn't write proprietary software. Or anything else proprietary for that matter- all their intellectual works are public domain. Some of them are protected under security classification, like the way Air Force bases belong to the public, but they're not allowed inside without permission.

    (And, a Top-Secret classification will expire long before copyrights do...)