Open Source Software Use in the Government

Proponents of open source software use in the government were elated when Assistant Secretary of Defense for Networks & Information Integration (ASD(NII)) and DoD CIO David Wennergren issued the “Clarifying Guidance Regarding Open Source Software (OSS)” memorandum in 2009. In this memorandum, open source was classified as “commercial computer software”, putting it on par with commercial off-the-shelf software (COTS) from software vendors such as Microsoft and Oracle.

The memorandum also clarified how DoD Instruction 8500.2 applies to open source software:

“Information Assurance (IA) Implementation” (reference (g)) includes an Information Assurance Control, “DCPD-1 Public Domain Software Controls,” which limits the use of “binary or machine-executable public domain software or other software products with limited or no warranty,” on the grounds that these items are difficult or impossible to review, repair, or extend, given that the Government does not have access to the original source code and there is no owner who could make such repairs on behalf of the government. This control should not be interpreted as forbidding the use of OSS, as the source code is available for review, repair and extension by the government and its contractors.

The memorandum further states:

“the use of any software without appropriate maintenance and support presents an information assurance risk. Before approving the use of software (including OSS), system/program managers, and ultimately Designated Approving Authorities (DAAs), must ensure that the plan for the software support is adequate for mission need.”

Now that open source software is considered “commercial computer software”, it is also subject to the same scrutiny and federal directives as other COTS software. For example, DoD Directive 8500.2 states: “If an approved U.S. Government protection profile exists for a particular technology area and there are validated products available for use that match the protection profile description, then acquisition is restricted to those products…”

To provide a specific example, agencies or programs that require a database or some other type of data storage would have to select a product from the following list of Common Criteria certified products.


Product                                                                                               Assurance Level
EnterpriseDB Postgres Plus Advanced Server 8.4                                                        EAL2+ / ALC_FLR.2
IBM DB2 Version 9.7 Enterprise Server                                                                 EAL4+ / ALC_FLR.1
MarkLogic Server Enterprise Edition 4.0                                                               EAL3+ / ALC_FLR.3
Microsoft SQL Server 2008 Enterprise Edition                                                          EAL4+ / ALC_FLR.2
Oracle Database 11g Enterprise Edition 11.1.0.7 w/ Critical Patch Updates to and including July 2009  EAL4+ / ALC_FLR.3
SenSage 4.6.2                                                                                         EAL2+ / ALC_FLR.1
Teradata Database 13.0                                                                                EAL4+ / ALC_FLR.3

A complete list can be found at http://www.commoncriteriaportal.org/products/.

In this example, based on the list of certified products, Postgres would be the only open source database that an agency or program could consider, and only if the required assurance level was not higher than EAL2+. If the agency or program wanted to leverage a NoSQL solution, MarkLogic would be the product of choice, as no other NoSQL product (open source or commercial) has been certified. Selecting a product that is not on this list would be a direct violation of the DoD 8500.2 directive unless the listed products are shown to be unable to meet the mission need.