Binary or machine executable public domain software products and other software products with limited or no warranty such as those commonly known as freeware or shareware are not used in DoD information systems unless they are necessary for mission accomplishment and there are no alternative IT solutions available. Such products are assessed for information assurance impacts, and approved for use by the DAA. The assessment addresses the fact that such software products are difficult or impossible to review, repair, or extend, given that the Government does not have access to the original source code and there is no owner who could make such repairs on behalf of the Government.
MAC / CONF | Impact | Subject Area |
---|---|---|
MACI MACII MACIII | Medium | Security Design and Configuration |
Threat |
---|
Public domain software products introduce an element of uncertainty to DoD information systems due to their public and unsupported nature. Organizations should not use public domain software products unless required for a mission critical purpose and as approved by the DAA. |
Guidance |
---|
1. Components shall establish local policy governing freeware or shareware. |
2. The CCB shall ensure freeware or shareware applications are distributed and used as directed. |
3. Such products shall be assessed for information assurance impacts, and approved for use by the DAA. |
4. The assessment addresses the fact that such software products are difficult or impossible to review, repair, or extend. |
5. If such software products are determined to be warranted, the organization shall limit the distribution of software to those that have a legitimate business need. |
6. Periodic audits shall be conducted to ensure such software is being used for its intended business purpose. |