DISA Revises Software Guideline Clarifying Open Source Rules

Molly Bernhart Walker | FierceGovernmentIT | January 4, 2012

The Defense Information Systems Agency has updated the Application Security & Development Security Technical Implementation Guide, clarifying a commonly misunderstood Defense Department policy that many saw as a hurdle to open source software use at DoD.

AppDev STIG (Version 3, Release 4), published Oct. 28, states that software only requires designated approving authority if:

  • The source code is not available to review, repair and extend; and
  • There is a limited warranty or no warranty, but a warranty is required for mission accomplishment.

"Since OSS has source code available, this category of software can be maintained for security fixes and patched for known vulnerabilities. The Program Manager can elect to maintain OSS," states the revised AppDev STIG. Posters to a military open source software forum said the update removes a major roadblock to open source software implementation...