
DCPD-1 Public Domain Software Controls


Overview

Binary or machine executable public domain software products and other software products with limited or no warranty such as those commonly known as freeware or shareware are not used in DoD information systems unless they are necessary for mission accomplishment and there are no alternative IT solutions available. Such products are assessed for information assurance impacts, and approved for use by the DAA. The assessment addresses the fact that such software products are difficult or impossible to review, repair, or extend, given that the Government does not have access to the original source code and there is no owner who could make such repairs on behalf of the Government.

MAC / CONF: MACI, MACII, MACIII
Impact: Medium
Subject Area: Security Design and Configuration

Details

Threat
Public domain software products introduce an element of uncertainty to DoD information systems due to their public and unsupported nature. Organizations should not use public domain software products unless required for a mission critical purpose and as approved by the DAA.

Guidance
1. Components shall establish local policy governing freeware or shareware.
2. The CCB shall ensure freeware or shareware applications are distributed and used as directed.
3. Such products shall be assessed for information assurance impacts, and approved for use by the DAA.
4. The assessment addresses the fact that such software products are difficult or impossible to review, repair, or extend.
5. If such software products are determined to be warranted, the organization shall limit the distribution of software to those that have a legitimate business need.
6. Periodic audits shall be conducted to ensure such software is being used for its intended business purpose.

References

  • Open Source Software (OSS) in the Department of Defense (DoD) Memorandum, 28 May 2003
  • CJCSI - Information Assurance (IA) and Computer Network Defense (CND)