Mil-OSS LANT Welcome & Open Source within SSC-LANT
Presented by: Ms. Kathryn Murphy
54000 Computer Applications, Services, Integration & Infrastructure
Statement C: Distribution authorized to U.S. Government Agencies and their contractors (admin/ops) (11 May 2012). Other requests for this document must be referred to SPAWARSYSCEN Atlantic.
We are a Navy Information Technology (IT) Command
Strategic Plan
We work for…
Open Source (OS)
• Open distribution/access to design and implementation specifics
• No license restrictions for access to “compiled” capability or “source”
• Inclusive of derived works
• Can be distributed as part of an Open/Closed source system
• Distributed/Community Involvement and Governance to develop and maintain capability
• Like cloud, we are returning to our “roots”
  • Early operating system and application development was only open source
• Hardware/Electronics
  • Microprocessors (e.g., OpenRISC/SPARC)
  • Data Center/Computing Hardware design (e.g., Facebook Open Compute)
• Content
  • Books and Reference (e.g., Wikipedia, Project Gutenberg)
• Software
  • Operating Systems (e.g., Linux, Android)
  • Applications (e.g., LibreOffice, OpenOffice, Firefox, Thunderbird, GIMP, Google Earth)
  • Services (e.g., Apache Family, Drupal, MediaWiki, OpenStack)
Open Source in the DoD…What it takes
• Culture
  • Address the politics of reuse
  • How does it become part of our day to day
• Acquisition
  • How do we buy it
  • Governance, how do we manage it
  • How do we maintain it
• Technology
  • Leveraging current OS technology as building blocks
  • Contributing back to the community
Open Source…Culture
• Politics of Reuse
  • Getting past Not Invented Here (NIH)
  • Challenges of trust (Human Nature)
• Embracing Open Source as part of our Culture
  • Look to leverage before looking to build
  • Open Source as a habit
• Creating a community
  • Contributing back
  • Incentivize adopters
Open Source…Acquisition
• How do we buy and license Open Source
  • Addressed at a strategic level by DoD CIO/DoN CIO
  • Acquisition strategy and rules still unclear at a Tactical level
• DoD CIO Memo, October 16, 2009
  • Open Source Software is software for which the human-readable source code is available for use, study, reuse, modification, enhancement, and redistribution by the users of that software.
  • To effectively achieve its missions, the Department of Defense must develop and update its software-based capabilities faster than ever, to anticipate new threats and respond to continuously changing requirements.
• DoN CIO Memo, June 5, 2007
  • DoN “…will treat OSS as COTS when it meets the definition of commercial item”
  • SECNAV Instruction 5230.15 referenced by this memorandum defines commercial items as having some form of vendor support
Open Source…Technology
• [“Enterprise”] Open Source Software
  • Maintained/supported by vendor (e.g., Linux: Red Hat for Fedora, Canonical for Ubuntu, Novell for SUSE)
• [Community] Open Source Software
  • Support can be contracted for (e.g., Apache/Linux derivatives)
• Government Open Source Software (GOSS)
  • Government develops/retains software, retains code rights (e.g., OWF, NSA/TexeltTech)
• Government Off-the-Shelf (GOTS)
  • Government developing and/or contracting for capability
  • May include an amalgamation of all types
• Commercial Off-the-Shelf (COTS)
  • Vendor developed, controlled (e.g., MS, Oracle)
  • Contracted/purchased and implemented, can be further customized, but cannot be distributed without license purchase
• Freeware
  • Software in the wild, not supported by community or vendor; use is prohibited
Open Source Software and Security Profile
• Government Open Source Software (GOSS) treated much the same as OSS in general
  • Can also further define community boundaries for which it is fully “Open”
• Open Source Security – NSA Security Enhanced (SE) Linux Project
  • Built on 10 years of NSA’s OS Security Research
  • Fine-grained control over kernel services
  • Transparent to application and users
• OSS is Trusted:
  • NSA, NASA, Google, Amazon, RackSpace, Facebook
  • NGA has recently mandated OSS only
  • New York and Tokyo Stock Exchange
  • http://www.whitehouse.gov
• As long as OSS is treated as COTS, the security concerns are the same
  • DADMS oversight/approval, FIPS 140-2 compliance, Common Criteria, risk analysis
• Breaking down barriers helps build better barriers!
  • Participation
  • Scrutiny
• That being said, “barriers” still remain
  • Improve DADMS to also provide enterprise visibility of software risk
  • Sharing of information with other Government agencies (e.g., NSA)
  • Criteria for adequate risk assessment software products
• Open Source has matured as a paradigm
  • In 2009, Average of 280 OSS programs had 0.25 defects per KLOC
  • 36 projects were released with no known defects
  • By 2011, Gartner predicted > 80% of all commercial software solutions would be based on OSS
  • Surveys show 49.7% of mission critical applications are using OSS in some manner
The Navy is already heavily invested in OSS
• ONR LTE
• Limited Technology Experiment
• Combat System to Command and Control
• NAVY P8A
• Adoption of the CANES ACS Stack
• JEOD DSS
• DISA JCTDs
• Adaptive Planning
• TRANSCOM
• Building out Development Environment
• NAVY NTCSS
• 3rd Party Application adoption of CANES ACS
• NAVY Tactical Switching
• NSA METERMAID
• Satellite Server for Patch management on high side
• NAVY TACMOBILE
• NAVY ENMS
• CANES
• Afloat Core Services (ACS)
• US Air Force Air Operating System 10.2
• ACS – Adaptive Core Services (Reuse from CANES)
• USMC MAGTF TSOA
• DISA FORGE.MIL
• CollabNet/SourceForge
• DISA NCES
• Deployable Services
• NAVY ADNS
• DCGS – NAVY
• NAVY C2RPC
• Command and Control Rapid Prototyping Capability
• NAVY ERP
• DISA NSLDSS
• National Senior Leaders Decision Support System
• NAVY CCOP
• Cryptologic Carry On Program
Questions?