DEPARTMENT OF DEFENSE
6000 DEFENSE PENTAGON
WASHINGTON, D.C. 20301-6000

CHIEF INFORMATION OFFICER

JAN 24 2022
MEMORANDUM FOR SENIOR PENTAGON LEADERSHIP
COMMANDANT OF THE COAST GUARD
COMMANDERS OF THE COMBATANT COMMANDS
DEFENSE AGENCY AND DOD FIELD ACTIVITY DIRECTORS
SUBJECT: Software Development and Open Source Software
Over the last two decades, open source software (OSS) has dramatically impacted how software is designed, developed, deployed, and operated. OSS is software for which the human-readable source code is available for use, study, re-use, modification, enhancement, and re-distribution by the users of such software. There are millions of publicly available OSS components, libraries, and applications capable of accelerating software modernization activities.
The Department's 2018 Cyber Strategy (attached) directed the Department to increase the use of secure OSS and to use commercial off-the-shelf tools when possible. The Department's forthcoming Software Modernization Strategy centers on the delivery of resilient software capability at the speed of relevance. OSS forms the bedrock of the software-defined world and is critical in delivering software faster. The Department must clearly articulate how, where, and when it participates, contributes, and interacts with the broader OSS community.
There are two fundamental concerns for the Department that are specific to OSS. First, using externally maintained code in critical systems potentially creates a path for adversaries to introduce malicious code into DoD systems. This concern requires a careful supply chain risk management (SCRM) approach for OSS, which must meet the same rigorous standards for SCRM and cyber threat testing as any other product. Second, imprudent sharing of code developed for DoD systems potentially benefits adversaries by disclosing key innovations. This risk is managed through a Modular, Open-Systems Approach (MOSA), which allows systems to benefit from OSS while protecting critical, innovative components as separate modules.
Pursuant to Federal Source Code Policy (reference (b)) and Public Law 115-91, Section 875 (reference (c)), Attachment 2 provides detailed guidance on the Department's participation, contribution, and interaction with the broader OSS community. Additional guidance concerning OSS is available at https://dodcio.defense.gov/Open-Source-Software-FAQ/. The point of contact for this effort is Dan Risacher, daniel.r.risacher.c~

Sherman
Attachments: As stated
CLEARED For Open Publication, Department of Defense, Office of Prepublication and Security Review