OOo in DoD

Posted: Wed Apr 30, 2008 7:54 pm
by sixsigma
A few months ago I began working with DoD to get OOo approved (networthiness cert) for use. It could have been a windfall for many in DoD who could have used its features, alas it's not to be. Despite all DoD's talk of wanting to integrate Open Source Software there is just too much red-tape in the way. Here is the reason I got from NETCOM:

"
Sorry but the risk associated with the OpenOffice products can not be accepted. It has no warranty and would create an unacceptable risk to the network. See information below for more detail.

2.4 Open Source / Freeware DoD has clarified policy on the use of open source software to take advantage of the capabilities available in the Open Source community as long as certain prerequisites are met. DoD no longer requires that operating system software be obtained through a valid vendor channel and have a formal support path, if the source code for the operating system is publicly available for review.

DoD CIO Memo, “Open Source Software (OSS) in Department of Defense (DoD), 28 May 2003”:

“DOD Components acquiring, using or developing OSS must ensure that the OSS complies with the same DOD policies that govern Commercial off the Shelf (COTS) and Government off the Shelf (GOTS) software. This includes, but is not limited to, the requirements that all information assurance (IA) or IA-enabled IT hardware, firmware and software components or products incorporated into DOD information systems whether acquired or originated within DOD:

Comply with the evaluation and validation requirements of National Security Telecommunications and Information Systems Security Policy Number 11 and be configured in accordance with DOD-approved security and configuration guidelines at http://iase.disa.mil/ and http://www.nas.gov/.”

Open source software takes several forms:

1. A utility that has publicly available source code is acceptable.

2. A commercial product that incorporates open source software is acceptable because the commercial vendor provides a warranty.

3. Vendor supported open source software is acceptable.

4. A utility that comes compiled and has no warranty is not acceptable.

The DoDD 8500.1 says “Public domain software products, and other software products with limited or no warranty, such as those commonly known as freeware or shareware, shall only be used in DoD information systems to meet compelling operational requirements. Such products shall be thoroughly assessed for risk and accepted for use by the responsible DAA

Further research on the openoffice Web site shows the following lack of warranty-

If you go to the open office site http://why.openoffice.org/

Look at the bottom of the page. It says bound by these Policies and Terms of Use. If you click on it you are brought to the following web site:

http://www.sunsource.net/TUPPCP.html
Terms of Use.

3. ACCESS TO THE SITE AND THINGS YOU FIND HERE. This section refers to the Materials found on the Site, as defined above.
b. Use at Your Own Risk. You understand that the Hosts do not pre-screen Materials, and You agree to assume all risks in Using them. These risks include, but are not limited to, errors, viruses, worms, time-limited software that expires without notice, and the possibility that the Materials infringe or misappropriate the intellectual property rights of others. You agree to assume all such risks.

5. MISCELLANEOUS.

a. Disclaimer of Warranties. YOUR USE OF THE SITE IS AT YOUR SOLE RISK. THE SITE, INCLUDING ALL MATERIALS FOUND ON IT, IS PROVIDED ON AN "AS IS," "AS AVAILABLE" AND "WITH ALL FAULTS" BASIS. THE HOSTS DISCLAIM ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES OF ANY KIND, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. THE HOSTS MAKE NO REPRESENTATIONS, WARRANTIES, CONDITIONS OR GUARANTEES AS TO THE USEFULNESS QUALITY, SUITABILITY, TRUTH, ACCURACY OR COMPLETENESS OF THE SITE. YOU AGREE TO ASSUME ALL RISK OF LOSS OR LIABILITY FOR THE USE OF THIS SITE OR ANY MATERIALS ON IT.

b. Limitation of Liability. TO THE FULLEST EXTENT PERMITTED BY LAW, THE HOSTS ARE NOT LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES (INCLUDING, WITHOUT LIMITATION, LOSS OF BUSINESS, REVENUE, PROFITS, GOODWILL, USE, DATA, ELECTRONICALLY TRANSMITTED ORDERS, OR OTHER ECONOMIC ADVANTAGE) ARISING OUT OF OR IN CONNECTION WITH THE SITE OR MATERIALS, EVEN IF THE HOSTS HAVE PREVIOUSLY BEEN ADVISED OF, OR REASONABLY COULD HAVE FORESEEN, THE POSSIBILITY OF SUCH DAMAGES, HOWEVER THEY ARISE, WHETHER IN BREACH OF CONTRACT OR IN TORT (INCLUDING NEGLIGENCE). TO THE EXTENT THAT ANY JURISDICTION DOES NOT ALLOW THE EXCLUSION OR LIMITATION OF DIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, PORTIONS OF THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY.
"

Re: OOo in DoD

Posted: Wed Apr 30, 2008 8:55 pm
by DrewJensen
Hi,

Actually the DOD stance makes perfect sense..."me ducking under the table"....

It is not the software that is in question, it is the organization that would be responsible for delivery to DOD.

Could SUN get StarOffice through the door, sure. Could Novell, of course they could.

Could you and I start a company for the purpose of meeting the IA certification process for a version of OO.o, set up the support infrastructure necessary and get onto the approved vendor list? Probably so, assuming we could round up the needed seed money, which would first mean finding a good management staff willing to come on board.

Should DOD allow users to go to a website and download any software they want onto the machines...of course not.

Re: OOo in DoD

Posted: Wed Apr 30, 2008 8:56 pm
by AndrewZ
sixsigma wrote: A few months ago I began working with DoD to get OOo approved (networthiness cert) for use. It could have been a windfall for many in DoD who could have used its features, alas it's not to be. Despite all DoD's talk of wanting to integrate Open Source Software there is just too much red-tape in the way. Here is the reason I got from NETCOM:
You might bring this up on the marketing (?) mailing list here

http://www.openoffice.org/mail_list.html

sixsigma wrote: The DoDD 8500.1 says “Public domain software products, and other software products with limited or no warranty, such as those commonly known as freeware or shareware, shall only be used in DoD information systems to meet compelling operational requirements. Such products shall be thoroughly assessed for risk and accepted for use by the responsible DAA
The key argument seems to be here: "compelling operational requirements"
sixsigma wrote: Further research on the openoffice Web site shows the following lack of warranty-

If you go to the open office site http://why.openoffice.org/

Look at the bottom of the page. It says bound by these Policies and Terms of Use. If you click on it you are brought to the following web site:

http://www.sunsource.net/TUPPCP.html
This lack of warranty is just for the web site, not so much the product, because you can get the same product from other sites. IANAL, but it could be a violation of the LGPL if it were assumed this sunsource license superseded the LGPL.

Also, have you checked into support for OpenOffice.org from Sun Microsystems? What about StarOffice?

Re: OOo in DoD

Posted: Thu May 01, 2008 2:56 pm
by TerryE
6Σ, are you a black-belt or a greenbelt? :-P

But on a more serious note, the DoD is no different from many Enterprises and Government departments. There is nothing to worry about. This is nothing to do with quality concerns, but more to do with laying off commercial and support risk onto your suppliers. Most FLOSS suppliers offer an OSS variant and a supported variant of their S/W. The two share the same code base, with the main differences being that
  • You pay a fee for the Enterprise version.
  • The Vendor offers a support commitment and licence in return for this fee.
  • The Enterprise version is usually 3-6 behind the free version in release dates. Basically the vendors use the OSS user community to thoroughly shake down the product version, before releasing it into business. (As opposed to the MS strategy where many enterprises avoid production use of any new version until SP1 has been issued.)
  • The Enterprise version can often contain little proprietary goodies, that cannot be made available in the OSS bundle because of these components' licence terms.
StarOffice is the current name for "OpenOffice.org Enterprise" for historic leaders, though when I was talking to one of the Sun Product Managers at the last OOoCon, he did mention that Sun were seriously considering rebranding StarOffice as OpenOffice.org Enterprise Edition, w.e.f. Version 3.0. (Please take this as hearsay).

Examples of products where essentially 1st party support agreements are offered include Sun Solaris, many Linux flavours (Redhat, SuSE, Ubuntu, ...), many D/B products (MySQL, PostgreSQL), php / Zend.

However, there are many FLOSS products where the developing org does not offer commercial support terms: X system, Apache, Perl, many Unix / Linux components, ... and here Enterprises get their commercial risk mitigation by buying a support agreement through a 3rd party service provider such as Sun, HP or IBM who offer a support agreement on an integrated stack.

For example, remember that over half the web servers on this planet use Apache including many within the US Govt, consider clause 7 of the Apache License:
  • "7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License."
So my recommendation is to suggest StarOffice and talk to Sun. This will still work out significantly cheaper than an MS Enterprise Agreement.

Re: OOo in DoD

Posted: Thu Jun 26, 2008 3:31 pm
by chankin
Just noticed this. A clarification -- Sun offers support for a fee for both StarOffice AND OpenOffice. Sun has actually offered enterprise support for OOo since 2003 and just recently we added back line support for OOo for customers that resolve frontline (1st and 2nd level) support themselves and need back line (escalations, 3rd, 4th level) from Sun.

Re: OOo in DoD

Posted: Tue Jun 23, 2009 10:57 pm
by dwheeler
This is nonsense; DoD policies specifically PERMIT the use of open source software,
including OpenOffice.org. This stuff forbidding "freeware" does NOT apply
to open source software. Let me help you walk through the policies; what you
were told is a gross misunderstanding of the policy. It's a widespread misunderstanding,
and it's understandable why people misunderstand it, but it's useful to STOP it, too.

Department of Defense (DoD) Directive (DoDD) 8500.1 is further explained
by DoD Instruction (DoDI) 8500.2. If you go see
DoDI 8500.2 (February 6, 2003), here:
http://www.dtic.mil/whs/directives/corr ... 50002p.pdf
you see the full text of control DCPD-1, which does NOT mean what they
think it means.

Here is the ENTIRE text of control DCPD-1 (Public Domain Software Controls), as stated in 8500.2:
"Binary or machine executable public domain software products and other software
products with limited or no warranty such as those commonly known as freeware or
shareware are not used in DoD information systems unless they are necessary for
mission accomplishment and there are no alternative IT solutions available. Such
products are assessed for information assurance impacts, and approved for use by the
DAA. The assessment addresses the fact that such software products are difficult or
impossible to review, repair, or extend, given that the Government does not have access to
the original source code and there is no owner who could make such repairs on behalf of
the Government."

Notice the last sentence; this control states that certain software must not be
used unless necessary because that software is
"difficult or impossible to review, repair, or extend, given that
the Government does not have access to the original source code and
there is no owner who could make such repairs on behalf of the Government."
But with open source software, the government DOES HAVE access to the
original software, and it CAN review/repair/extend.
Therefore, DCPD-1 DOES NOT APPLY TO OPEN SOURCE SOFTWARE.

Let me repeat: THE TEXT THEY'RE QUOTING DOES NOT APPLY.
Later text SPECIFICALLY excludes this misunderstanding.

This isn't just my guess; the supporting documents for DoD 8500.1 and 8500.2
say this. DoDI Instruction (DoDI) 5200.2 section E3.2.6 specifically
references the DISA/NSA guides to get more information. Go there, and you'll find
the "General Desktop Application STIG". This STIG,
Version 3, Release 1 (09 March 2007), section 2.4, specifically says that
DCPD-1 does NOT apply to open source software, for this very reason.

So like every other DoD policy, if you're not sure what it means, trace down to the more
detailed official instructions and guidebooks to help you understand it. In this case,
there's a clear statement explaining the scope of the control, and
open source software simply is not within its scope.

For more on this, see:
http://www.dwheeler.com/oss-dod-webinar2008.html

Re: OOo in DoD

Posted: Tue Jun 23, 2009 11:09 pm
by dwheeler
If you go here:
http://iase.disa.mil/stigs/stig/Desktop ... G-V3R1.pdf
The now-renamed "WINDOWS DESKTOP APPLICATION
SECURITY TECHNICAL IMPLEMENTATION GUIDE",
Version 3, Release 1, 09 March.


Section 2.4 notes that:
"DoD has clarified policy on the use of open source software to take advantage of the capabilities
available in the Open Source community as long as certain prerequisites are met. DoD no longer
requires that operating system software be obtained through a valid vendor channel and have a
formal support path, if the source code for the operating system is publicly available for review."

In short, having source code publicly available for review reduces risk.

Later, it says:
"Open source software takes several forms:
1. A utility that has publicly available source code is acceptable.
2. A commercial product that incorporates open source software is acceptable because the
commercial vendor provides a warranty.
3. Vendor supported open source software is acceptable.
4. A utility that comes compiled and has no warranty is not acceptable."

So if #1 applies (the source code is publicly available), it is ACCEPTABLE. Full stop.
If #2 applies, it is ACCEPTABLE. Full stop.
If #3 applies, it is ACCEPTABLE. Full stop.
It's only when it ONLY comes in compiled form, and there's no warranty, that you hit trouble (#4).

It can't POSSIBLY mean that "you must meet all possible conditions";
many proprietary products incorporate open source software (#2) and they do
NOT make their source code publicly available (#1). Since it can't mean that,
it must have the "obvious" meaning and ordinary meaning of the
text. Namely, this is a sequence of "try #1, if that doesn't apply try #2, if that doesn't
apply try #3, else try #4".

Re: OOo in DoD

Posted: Sat Jan 22, 2011 3:25 am
by DrewJensen
Just thought I'd give you guys an update on this subject.

As part of the US DOD software security initiative, the US Air Force office at Wright Patterson AFB has begun issuing a hardened version of Linux (named LSI), available as a DOD personnel version and a public version (minus some extra encryption tools found in the DOD internal version).

This is not a general purpose distro, so don't run over and grab one (I know you wanted to). The intent is for a Lightweight Secure Computing Node, in cases where you can't get to a true secure station and really geared to secure email/web access....so kind of limited...but includes a few DOD cleared versions of applications including Firefox and OO.o 3.1.1.

tootles - drew