Commercial off-the-shelf

Commercial-Off-The-Shelf or commercially available off-the-shelf (COTS) products are packaged or canned (ready-made) hardware or software, which are adapted aftermarket to the needs of the purchasing organization, rather than the commissioning of custom-made, or bespoke, solutions. A related term, Mil-COTS, refers to COTS products for use by the U.S. military.

In the context of the U.S. government, the Federal Acquisition Regulation (FAR) has defined "COTS" as a formal term for commercial items, including services, available in the commercial marketplace that can be bought and used under government contract. [1] For example, Microsoft is a COTS software provider. Goods and construction materials may qualify as COTS but bulk cargo does not. Services associated with the commercial items may also qualify as COTS, including installation services, training services, and cloud services. [2]

COTS purchases are alternatives to custom software or one-off developments – government-funded developments or otherwise.

Although COTS products can be used out of the box, in practice the COTS product must be configured to achieve the needs of the business and integrated with existing organizational systems. Extending the functionality of COTS products via custom development is also an option; however, this decision should be carefully considered because of the long-term support and maintenance implications. Such customized functionality is not supported by the COTS vendor, so it brings its own set of issues when upgrading the COTS product.

The use of COTS has been mandated across many government and business programs, as such products may offer significant savings in procurement, development, and maintenance.

Motivations for using COTS components include hopes for a reduction in system whole-of-life costs.

In the 1990s, many regarded COTS as extremely effective in reducing the time and cost of software development.[citation needed] COTS software came with many not-so-obvious tradeoffs: a reduction in initial cost and development time in exchange for an increase in software component-integration work, dependency on the vendor, security issues and incompatibilities from future changes. [3]

Software and services

Commercial-Off-The-Shelf (COTS) software and services are usually built and delivered by a third-party vendor. COTS can be purchased, leased or even licensed to the general public.

COTS can be obtained and operated at a lower cost than in-house development,[citation needed] and can provide increased reliability and quality over custom-built software, as these products are developed by specialists within the industry and are validated by various independent organizations, often over an extended period of time.[citation needed]

Security implications

According to the United States Department of Homeland Security, software security is a serious risk of using COTS software. If the COTS software contains severe security vulnerabilities it can introduce significant risk into an organization's software supply chain. The risks are compounded when COTS software is integrated or networked with other software products to create a new composite application or a system of systems. The composite application can inherit risks from its COTS components. [4]

The US Department of Homeland Security has sponsored efforts to manage supply chain cyber security issues related to the use of COTS. However, software industry observers such as Gartner and the SANS Institute indicate that supply chain disruption poses a major threat. Gartner predicts that "enterprise IT supply chains will be targeted and compromised, forcing changes in the structure of the IT marketplace and how IT will be managed moving forward". [5] Also, the SANS Institute published a survey of 700 IT and security professionals in December 2012 that found that only 14% of companies perform security reviews on every commercial application brought in house, and over half of other companies do not perform security assessments. Instead companies either rely on vendor reputation (25%) and legal liability agreements (14%) or they have no policies for dealing with COTS at all and therefore have limited visibility into the risks introduced into their software supply chain by COTS. [6]

Issues in other industries

In the medical device industry, COTS software can sometimes be identified as SOUP (software of unknown pedigree or software of unknown provenance), i.e., software that has not been developed with a known software development process or methodology, which precludes its use in medical devices. [7] In this industry, faults in software components could become system failures in the device itself if steps are not taken to ensure that fair and safe standards are complied with. The standard IEC 62304:2006 "Medical device software – Software life cycle processes" outlines specific practices to ensure that SOUP components support the safety requirements for the device being developed. In the case where the software components are COTS, DHS best practices for COTS software risk review can be applied. [4] Simply being COTS software does not necessarily imply the lack of a fault history or of a transparent software development process. For well-documented COTS software, a distinction as clear SOUP is made, meaning that it may be used in medical devices. [8] [9]

Obsolescence

A striking example of product obsolescence is that of PlayStation 3 clusters, which used Linux to operate. Sony disabled the use of Linux on the PS3 in April 2010, [10] leaving no means to procure functioning Linux replacement units. [11] In general, COTS product obsolescence can require customized support or development of a replacement system. Such obsolescence problems have led to government-industry partnerships, where various businesses agree to stabilize some product versions for government use and plan some future features, in those product lines, as a joint effort. Hence, some partnerships have led to complaints of favoritism, to avoiding competitive procurement practices, and to claims of the use of sole-source agreements where not actually needed.

There is also the danger of pre-purchasing a multi-decade supply of replacement parts (and materials) which would become obsolete within 10 years. All these considerations lead to comparing a simple solution (such as "paper & pencil") against overly complex solutions that create a "Rube Goldberg" system of creeping featurism where a simple solution would have sufficed.[clarification needed] Such comparisons also consider whether a group is creating a make-work system to justify extra funding, rather than providing a low-cost system which meets the basic needs, regardless of the use of COTS products.

Applying the lessons of processor obsolescence learned during the Lockheed Martin F-22 Raptor, the Lockheed Martin F-35 Lightning II planned for processor upgrades during development, and switched to the more widely supported C++ programming language. They have also moved from ASICs to FPGAs. This moves more of the avionic design from fixed circuits to software that can be applied to future generations of hardware. [12]

COTS components are part of upgrades to the sonar of United States Navy submarines. [13]

Related Research Articles

In economics and industrial design, planned obsolescence is the concept of policies planning or designing a product with an artificially limited useful life or a purposely frail design, so that it becomes obsolete after a certain pre-determined period of time upon which it decrementally functions or suddenly ceases to function, or might be perceived as unfashionable. The rationale behind this strategy is to generate long-term sales volume by reducing the time between repeat purchases. It is the deliberate shortening of the lifespan of a product to force people to purchase functional replacements.

Laboratory information management system: Software infrastructure for improving research and storing data

A laboratory information management system (LIMS), sometimes referred to as a laboratory information system (LIS) or laboratory management system (LMS), is a software-based solution with features that support a modern laboratory's operations. Key features include, but are not limited to, workflow and data tracking support, flexible architecture, and data exchange interfaces, which fully "support its use in regulated environments". The features and uses of a LIMS have evolved over the years from simple sample tracking to an enterprise resource planning tool that manages multiple aspects of laboratory informatics.

MontaVista: Software company

MontaVista Software is a company that develops embedded Linux system software, development tools, and related software. Its products are made for other corporations developing embedded systems and end products using Linux, such as automotive electronics, telecommunications and communications equipment, mobile phones, and other electronic devices and infrastructure. MontaVista also supplies Linux-based solutions and software to products that are software-only, such as enterprise networking, virtual network functions in Network Functions Virtualization, and appliance software that is hosted on a cloud hosting environment.

Customised software is software that is developed specifically for some specific organization or other user. As such, it can be contrasted with the use of out-of-the-box software packages developed for the mass market, such as commercial off-the-shelf software, or existing free software.

Terminal server: Device that interfaces serial hosts to a network

A terminal server connects devices with a serial port to a local area network (LAN). Products marketed as terminal servers can be very simple devices that do not offer any security functionality, such as data encryption and user authentication. The primary application scenario is to enable serial devices to access network server applications, or vice versa, where security of the data on the LAN is not generally an issue. There are also many terminal servers on the market that have highly advanced security functionality to ensure that only qualified personnel can access various servers and that any data that is transmitted across the LAN, or over the Internet, is encrypted. Usually, companies that need a terminal server with these advanced functions want to remotely control, monitor, diagnose and troubleshoot equipment over a telecommunications network.

Computer-aided production engineering

Computer-aided production engineering (CAPE) is a relatively new and significant branch of engineering. Global manufacturing has changed the environment in which goods are produced. Meanwhile, the rapid development of electronics and communication technologies has required design and manufacturing to keep pace.

In the context of free and open-source software, proprietary software only available as a binary executable is referred to as a blob or binary blob. The term usually refers to a device driver module loaded into the kernel of an open-source operating system, and is sometimes also applied to code running outside the kernel, such as system firmware images, microcode updates, or userland programs. The term blob was first used in database management systems to describe a collection of binary data stored as a single entity.

Government off-the-shelf (GOTS) is a term for software and hardware government products that are ready to use and which were created and are owned by a government agency.

PikeOS: Real-time operating system

PikeOS is a commercial hard real-time operating system (RTOS) which features a separation kernel-based hypervisor. This hypervisor supports multiple logical partition types for various operating systems (OS) and applications, each referred to as a GuestOS. PikeOS is designed to facilitate the development of certifiable smart devices for the Internet of Things (IoT) by adhering to standards of quality, safety, and security across different industries. In instances where memory management units (MMU) are not present but memory protection units (MPU) are available on controller-based systems, PikeOS for MPU is designed for critical real-time applications and provides up-to-standard safety and security.

Diminishing manufacturing sources and material shortages (DMSMS) or diminishing manufacturing sources (DMS) is defined as: "The loss or impending loss of manufacturers of items or suppliers of items or raw materials." DMSMS and obsolescence are terms that are often used interchangeably. However, obsolescence refers to a lack of availability due to statutory or process changes and new designs, whereas DMSMS is a lack of sources or materials.

Computer appliance: Dedicated computer system

A computer appliance is a computer system with a combination of hardware, software, or firmware that is specifically designed to provide a particular computing resource. Such devices became known as appliances because of the similarity in role or management to a home appliance, which are generally closed and sealed, and are not serviceable by the user or owner. The hardware and software are delivered as an integrated product and may even be pre-configured before delivery to a customer, to provide a turn-key solution for a particular application. Unlike general purpose computers, appliances are generally not designed to allow the customers to change the software and the underlying operating system, or to flexibly reconfigure the hardware.

Lynx Software Technologies, Inc. is a San Jose, California software company founded in 1988. Lynx specializes in secure virtualization and open, reliable, certifiable real-time operating systems (RTOSes). Originally known as Lynx Real-Time Systems, the company changed its name to LynuxWorks in 2000 after acquiring, and merging with, ISDCorp, an embedded systems company with a strong Linux background. In May 2014, the company changed its name to Lynx Software Technologies.

Timesys Corporation is a company selling Linux open source software security, engineering services, and development tools, for the embedded software market. The firm also helps software development teams build and maintain a custom Linux platform for embedded processors from integrated circuit manufacturers such as Atmel, Freescale, Intel, Texas Instruments, and Xilinx.

Proprietary software is software that grants its creator, publisher, or other rightsholder or rightsholder partner a legal monopoly by modern copyright and intellectual property law to exclude the recipient from freely sharing the software or modifying it, and—in some cases, as is the case with some patent-encumbered and EULA-bound software—from making use of the software on their own, thereby restricting their freedoms.

SOUP stands for software of unknown pedigree, and is a term often used in the context of safety-critical and safety-involved systems such as medical software. SOUP is software that has not been developed with a known software development process or methodology, or which has unknown or no safety-related properties.

An enterprise appliance transaction module (EATM) is a device, typically used in the manufacturing automation marketplace, for the transfer of plant floor equipment and product status to manufacturing execution systems (MES), enterprise resource planning (ERP) systems and the like.

Digital supply chain security refers to efforts to enhance cyber security within the supply chain. It is a subset of supply chain security and is focused on the management of cyber security requirements for information technology systems, software and networks, which are driven by threats such as cyber-terrorism, malware, data theft and the advanced persistent threat (APT). Typical supply chain cyber security activities for minimizing risks include buying only from trusted vendors, disconnecting critical machines from outside networks, and educating users on the threats and protective measures they can take.

Host Based Security System (HBSS) is the official name given to the United States Department of Defense (DOD) commercial off-the-shelf (COTS) suite of software applications used within the DOD to monitor, detect, and defend the DOD computer networks and systems. The Enterprise-wide Information Assurance and computer Network Defense Solutions Steering Group (ESSG) sponsored the acquisition of the HBSS System for use within the DOD Enterprise Network. HBSS is deployed on both the Non-Classified Internet Protocol Routed Network (NIPRNet) and Secret Internet Protocol Routed Network (SIPRNet) networks, with priority given to installing it on the NIPRNet. HBSS is based on McAfee, Inc's ePolicy Orchestrator (ePO) and other McAfee point product security applications such as Host Intrusion Prevention System (HIPS).

Medical device connectivity is the establishment and maintenance of a connection through which data is transferred between a medical device, such as a patient monitor, and an information system. The term is used interchangeably with biomedical device connectivity or biomedical device integration. By eliminating the need for manual data entry, potential benefits include faster and more frequent data updates, diminished human error, and improved workflow efficiency.

The Open Trusted Technology Provider Standard (O-TTPS) is a standard of The Open Group that has also been approved for publication as an Information Technology standard by the International Organization of Standardization and the International Electrotechnical Commission through ISO/IEC JTC 1 and is now also known as ISO/IEC 20243:2015. The standard consists of a set of guidelines, requirements, and recommendations that align with best practices for global supply chain security and the integrity of commercial off-the-shelf (COTS) information and communication technology (ICT) products. It is currently in version 1.1. A Chinese translation has also been published.

References

Citations

  1. "2.101 Definitions", U.S. Federal Acquisition Regulations, retrieved 2022-06-22
  2. "2.000 Scope of part". Acquisition.gov. Archived from the original on 2017-01-30. Retrieved 2018-10-02.
  3. McKinney, Dorothy. "Impact of Commercial-Off-The-Shelf (COTS) Software and Technology on Systems Engineering". Archived 2020-07-31 at the Wayback Machine. Presentation to INCOSE Chapters, August 2001, accessed January 28, 2009.
  4. Ellison, Bob; Woody, Carol (2010-03-15). "Supply-Chain Risk Management: Incorporating Security into Software Development". Department of Homeland Security: Build Security In. Archived from the original on 2013-02-18. Retrieved 2012-12-17.
  5. MacDonald, Neil; Valdes, Ray (2012-10-05). "Maverick Research: Living in a World Without Trust". Retrieved 2012-12-17.
  6. Bird, Jim; Kim, Frank (December 2012). "SANS Survey on Application Security Programs and Practices" (PDF). Retrieved 2012-12-17.
  7. Hobbs, Chris (2012-01-04). "Build and Validate Safety in Medical Device Software". Medical Electronics Design. Retrieved 2012-12-17.
  8. "Medical Devices & Technology" (PDF). www.qnx.com. Retrieved 1 April 2018.
  9. "Medical Design - Machine Design". medicaldesign.com. Retrieved 1 April 2018.
  10. "PlayStation Support". us.playstation.com. Retrieved 1 April 2018.
  11. "US Air Force gets a migraine from Sony's latest PS3 update" (Archived August 20, 2012, at the Wayback Machine)
  12. "F-35 jet fighters to take integrated avionics to a whole new level." Military & Aerospace Electronics, 1 May 2003.
  13. "U.S. Navy Selects Lockheed Martin for Submarine Sonar Upgrades." (Archived January 18, 2011, at the Wayback Machine)
