Commercial off-the-shelf
In the United States, Commercial Off-The-Shelf (COTS) is a Federal Acquisition Regulation (FAR) term for a non-developmental item (NDI) of supply that is both commercial and sold in substantial quantities in the commercial marketplace, and that can be procured or used under government contract in the same form in which it is available to the general public. For example, technology-related items such as computer software, hardware systems or free software with commercial support, and construction materials qualify, but bulk cargo such as agricultural or petroleum products does not.
COTS purchases are alternatives to in-house development or one-off government-funded development. COTS products typically require configuration tailored to the specific use. The use of COTS has been mandated across many government and business programs, because such products may offer significant savings in procurement, development, and maintenance.
Considerations
Motivations for using COTS components include the hope of reducing overall system-development time and cost (since components can be bought or licensed instead of being developed from scratch) and of reducing long-term maintenance costs. In software development, many regarded COTS as a silver bullet for cutting cost and time during the 1990s, but COTS development came with many not-so-obvious tradeoffs: initial cost and development time can certainly be reduced, but often at the expense of more component-integration work and a dependency on third-party component vendors.[1] In addition, because COTS software specifications are written externally, government agencies sometimes fear that future changes to the product will introduce incompatibilities.
Far from being a silver bullet, COTS solutions raise issues of their own. A major one is the stability of the vendor: vendors can go out of business, be acquired by other companies, or drop support for a product entirely, any of which can be devastating for a customer that has built on that product. A COTS solution also arrives with unknown quality; it may not perform properly in the customer's business environment. Its ability to integrate with other systems is another unknown: the product may integrate with a given system in principle, yet that integration may be hindered by, for example, the version of the external system currently in use.[citation needed]
Commercial-Off-The-Shelf Software
Commercial-Off-The-Shelf Software (COTS) is pre-built software, usually from a third-party vendor, that can be purchased, leased or licensed by the general public. Organizations turn to it in search of better, faster and cheaper software applications.
COTS provides some of the following advantages:[citation needed]
- Applications are provided at a reduced cost.
- The application is more reliable than custom-built software because its reliability has been proven through use by other organizations.
- COTS is more maintainable because system documentation is provided with the application.
- The application is of higher quality because competition between vendors improves product quality.
- COTS can be more sophisticated because specialists within the industry have developed the software.
- Development of the application is driven by the marketplace rather than by a single customer or industry.
- The delivery schedule is shorter because the software already exists and only has to be acquired, configured and deployed.
Security implications of COTS
According to the United States Department of Homeland Security, software security is a serious risk when using COTS software. If the COTS software contains severe security vulnerabilities, it introduces significant risk into an organization's software supply chain. The risks are compounded when COTS software is integrated or networked with other software products to create a new composite application or a system of systems, because the composite application inherits the risks of its COTS components.[2]
The US Department of Homeland Security has sponsored efforts to manage supply chain cyber security issues related to the use of COTS. Software industry observers such as Gartner and the SANS Institute nonetheless indicate that supply chain disruption poses a major threat. Gartner predicts that "enterprise IT supply chains will be targeted and compromised, forcing changes in the structure of the IT marketplace and how IT will be managed moving forward."[3] The SANS Institute published a survey of 700 IT and security professionals in December 2012 which found that only 14% of companies perform security reviews on every commercial application brought in house, and that over half of the remaining companies perform no security assessments at all. Instead, companies either rely on vendor reputation (25%) or on legal liability agreements (14%), or have no policy for dealing with COTS whatsoever, and therefore have limited visibility into the risks that COTS introduces into their software supply chain.[4]
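The inheritance of risk described above (a composite application or system of systems takes on the vulnerabilities of every COTS component it integrates, directly or through a subsystem) can be made concrete by walking an integration graph. The following is an added example in Python, not code from this page or from DHS; the component names, versions, the vulnerable/reviewed flags and the integration graph are constructed illustration data, not real products or real advisories.

```python
"""Transitive COTS exposure of a composite application (system of systems).

Added example, not code from the original page or from DHS. Component names,
versions, the vulnerable/reviewed flags and the integration graph below are
constructed illustration data, not real products or real advisories.
"""
from collections import deque

# Constructed COTS inventory: component -> version, whether a known severe
# vulnerability is on record, and whether it received an in-house security review.
COTS_INVENTORY = {
    "web-framework": {"version": "4.2", "vulnerable": False, "reviewed": True},
    "pdf-lib":       {"version": "1.9", "vulnerable": True,  "reviewed": False},
    "ldap-client":   {"version": "2.0", "vulnerable": False, "reviewed": False},
    "tls-lib":       {"version": "3.1", "vulnerable": True,  "reviewed": True},
    "chart-lib":     {"version": "0.8", "vulnerable": False, "reviewed": True},
    "agent-lib":     {"version": "1.4", "vulnerable": False, "reviewed": True},
}

# Constructed integration graph: composite system -> what it integrates.
# A value that is itself a key is a subsystem (system of systems); any other
# value is expected to be a COTS component from the inventory.
INTEGRATION = {
    "auth-gateway":   ["ldap-client", "tls-lib"],
    "billing-portal": ["web-framework", "pdf-lib", "auth-gateway"],
    "reporting":      ["billing-portal", "chart-lib", "monitoring"],
    "monitoring":     ["reporting", "agent-lib"],        # cycle with "reporting"
    "intranet-wiki":  ["web-framework", "auth-gateway", "legacy-plugin"],  # not inventoried
}


def inherited_paths(system, graph=INTEGRATION):
    """Map every COTS component reachable from `system` to the shortest
    integration chain that pulls it in, e.g. ["reporting", "billing-portal",
    "pdf-lib"]. Breadth-first with a visited set, so cyclic integrations end."""
    paths = {}
    seen = {system}
    queue = deque([(system, [system])])
    while queue:
        node, path = queue.popleft()
        for child in graph.get(node, []):
            if child in graph:                    # subsystem: keep walking
                if child not in seen:
                    seen.add(child)
                    queue.append((child, path + [child]))
            else:                                 # COTS leaf component
                paths.setdefault(child, path + [child])
    return paths


def inherited_vulnerabilities(system, graph=INTEGRATION, inventory=COTS_INVENTORY):
    """Vulnerable COTS components `system` inherits, with the chain for each."""
    return {c: p for c, p in inherited_paths(system, graph).items()
            if inventory.get(c, {}).get("vulnerable", False)}


def unreviewed_components(system, graph=INTEGRATION, inventory=COTS_INVENTORY):
    """Inherited components that never got a security review. A component
    missing from the inventory counts as unreviewed: unknown provenance."""
    return sorted(c for c in inherited_paths(system, graph)
                  if not inventory.get(c, {}).get("reviewed", False))


def unknown_components(system, graph=INTEGRATION, inventory=COTS_INVENTORY):
    """Inherited components with no inventory record at all (gaps in the bill of materials)."""
    return sorted(c for c in inherited_paths(system, graph) if c not in inventory)


if __name__ == "__main__":
    for system in INTEGRATION:
        print(f"{system}:")
        for comp, chain in inherited_vulnerabilities(system).items():
            print(f"  vulnerable {comp} via {' -> '.join(chain)}")
        print(f"  unreviewed: {unreviewed_components(system)}")
        print(f"  unknown:    {unknown_components(system)}")
```

Run stand-alone, the script lists for each composite system the vulnerable COTS components it inherits and the integration chain through which each arrives: "reporting" is exposed to the vulnerable "tls-lib" three levels down through "billing-portal" and "auth-gateway", even though nobody integrated "tls-lib" into "reporting" directly. The "unknown" list is the practical version of the limited visibility the SANS survey describes: a component that no one inventoried cannot have been reviewed, so the walk treats it as unreviewed rather than silently skipping it.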
COTS issues in other industries
In the medical device industry, COTS is referred to as SOUP (Software of Unknown Pedigree or Provenance), i.e. software that has not been developed under a known software development process or methodology.[5] In this industry, faults in software components may become failures of the device itself. The standard IEC 62304:2006 "Medical device software – Software life cycle processes" outlines specific practices to ensure that SOUP components support the safety requirements of the device being developed. Where the software components are COTS, the DHS best practices for COTS risk review can be applied.[2]
Obsolescence
A striking example of product obsolescence is the Condor Cluster, a USAF supercomputer built out of PlayStation 3s (PS3) running the Linux operating system. Sony disabled the use of Linux on the PS3 in April 2010,[6] leaving no means to procure functioning Linux replacement units.[7] In general, COTS product obsolescence can require customized support or the development of a replacement system. Such obsolescence problems have led to government-industry partnerships in which various businesses agree to stabilize some product versions for government use and to plan some future features in those product lines as a joint effort. Some of these partnerships have in turn led to complaints of favoritism, of avoiding competitive procurement practices, and of sole-source agreements being used where they were not actually needed.
There is also the danger of pre-purchasing a multi-decade supply of replacement parts (and materials) that become obsolete within 10 years. All these considerations argue for comparing a simple solution (such as "paper and pencil") against the proposed system, so as to avoid an overly complex "Rube Goldberg" system of creeping featurism where a simple solution would have sufficed. Such comparisons also consider whether a group is creating a make-work system to justify extra funding, rather than providing a low-cost system that meets the basic needs, regardless of whether COTS products are used.
Applying the lessons of processor obsolescence learned on the Lockheed Martin F-22 Raptor program, the Lockheed Martin F-35 Lightning II planned for processor upgrades during development and switched to the more widely supported C++ programming language. The program also moved from ASICs to FPGAs, shifting more of the avionics design from fixed circuits to software that can be carried forward to future generations of hardware.[8]
One of the successes of COTS has been an upgrade to the sonar of United States Navy submarines.[9]
Notes
1. McKinney, Dorothy. "Impact of Commercial Off-The-Shelf (COTS) Software and Technology on Systems Engineering". Presentation to INCOSE Chapters, August 2001. Accessed January 28, 2009.
2. Ellison, Bob; Woody, Carol (2010-03-15). "Supply-Chain Risk Management: Incorporating Security into Software Development". Department of Homeland Security: Build Security In. Retrieved 2012-12-17.
3. MacDonald, Neil; Valdes, Ray (2012-10-05). "Maverick Research: Living in a World Without Trust". Retrieved 2012-12-17.
4. Bird, Jim; Kim, Frank (December 2012). "SANS Survey on Application Security Programs and Practices". Retrieved 2012-12-17.
5. Hobbs, Chris (2012-01-04). "Build and Validate Safety in Medical Device Software". Medical Electronics Design. Retrieved 2012-12-17.
6. "PlayStation System Software Update 3.21".
7. "US Air Force gets a migraine from Sony's latest PS3 update".
8. "F-35 jet fighters to take integrated avionics to a whole new level". Military & Aerospace Electronics, 1 May 2003.
9. "U.S. Navy Selects Lockheed Martin for Submarine Sonar Upgrades".