"To effectively achieve its missions, the Department of Defense must develop and update its software-based capabilities faster than ever, to anticipate new threats and respond to continuously changing requirements. The use of Open Source Software (OSS) can provide advantages in this regard...".
That’s the preamble to the latest Department of Defense Open Source Software policy update. You can view the document here, and this link is to an excellent analysis by David Wheeler.
I won’t repeat the analysis in the above sources, but I will offer one observation: while the memo is clearly focused on complete applications, I see nothing in it that would preclude applying the same guidelines to OSS components used as part of DoD software development projects.
Assuming that is the case, the issue turns to adequate support, as stated below.
"The use of any software without appropriate maintenance and support presents an information assurance risk. Before approving the use of software (including OSS), system/program managers, and ultimately Designated Approving Authorities (DAAs), must ensure that the plan for software support (e.g., commercial or Government program office support) is adequate for mission need."
The evidence has been clear for some time that today's software supply chain is increasingly about finding and using OSS, and in the embedded-OSS case this support requirement is additional justification for software composition analysis and policy management.
