Use of Free and Open-Source Software (FOSS) in the U.S. Department of Defense


Use of Free and Open-Source Software (FOSS) in the U.S. Department of Defense is a 2003 report by The MITRE Corporation that documented widespread use of and reliance on free software (termed "FOSS") within the United States Department of Defense (DoD). The report helped end a debate about whether FOSS should be banned from U.S. DoD systems, and helped redirect the discussion towards the current official U.S. DoD policy of treating FOSS and proprietary software as equals.

History

Version 1.0

The FOSS report began in early 2002 as a request relayed to Terry Bollinger of The MITRE Corporation to collect data on how FOSS was being used in U.S. DoD systems. The driver for the request was an ongoing debate within the U.S. DoD about whether to ban the use of FOSS in its systems, and in particular whether to ban GNU General Public License (GPL) software. The U.S. Defense Information Systems Agency (DISA) was also interested, and agreed to sponsor the report. The first draft was completed two weeks later, and version 1.0 was released a few weeks after that. It quickly gained notoriety for its documentation of widespread use of FOSS in the U.S. Department of Defense, and consequently was mentioned in an article about free software in the Washington Post. The attention resulted in a new round of reviews and edits. Microsoft Corporation requested that Ira Rubinstein, their legal counsel and liaison for DoD software policy issues, be permitted to participate. Rubinstein, who is listed in the preface as the first reviewer, produced the most detailed critique of the report. His recommendations resulted in a massive expansion of the coverage and analysis of free software licenses.

Version 1.2

The final report, version 1.2.04, was completed on January 2, 2003. It was first published on the DISA web site, and is now available on the DoD CIO web site on open source software resources.

Impact

Prior to this report, very little data had been available about how—and even whether—FOSS was used widely in U.S. DoD systems. The report changed this aspect of the discussion immediately, proving beyond any reasonable doubt that the U.S. DoD was already a major user of FOSS. More importantly, the report documented that FOSS was being used in important and even mission-critical situations. One of the more surprising findings documented in the report is that the cyber security community was the most upset of any group at the prospect of FOSS being banned. From their perspective, FOSS provides high code visibility and the ability to fix security flaws quickly and quietly. As a result of the findings, any serious consideration of banning FOSS was dropped. The effort to develop a policy on using FOSS instead moved towards a much more even-handed approach, initiated with the Stenbit open source software policy, which requires U.S. DoD groups to treat FOSS in the same fashion as proprietary software, and subsequently made even more explicit in the 2009 Wennergren clarification of the Stenbit policy. The broader impact becomes apparent on recognizing that if the security-conscious U.S. DoD had banned FOSS, it is likely many other federal components, state and local governments, corporations, and international groups would have followed suit. The result would have been a world much less friendly both to FOSS and to FOSS-like efforts.

Findings

Below is the executive summary of the report. The full report was published in multiple formats, which can be found along with related open source software resources on Bollinger's personal website.

This article is derived from Wikipedia and licensed under CC BY-SA 4.0. View the original article.
