cots meaning


Upload: venkatesh-subramanya

Post on 06-Sep-2015


DESCRIPTION

defence

TRANSCRIPT

  • 6/19/2015 Commercial off-the-shelf - Wikipedia, the free encyclopedia

    https://en.wikipedia.org/wiki/Commercial_off-the-shelf 1/4

    Commercial off-the-shelf

    From Wikipedia, the free encyclopedia

    In the United States, commercial off-the-shelf (COTS) is a Federal Acquisition Regulation (FAR) term for commercial items, including services, available in the commercial marketplace that can be bought and used under government contract. For example, consumer goods and construction materials may qualify as COTS but bulk cargo does not. Services associated with the commercial items may also qualify as COTS, including (but not limited to) installation services, training services, and cloud services.[1]

    COTS purchases are alternatives to custom developments or one-off government-funded developments. COTS typically requires configuration that is tailored for specific uses, and the key characteristic that differentiates COTS from custom software is that the user configurations are within the defined parameters of the commercial item and not the result of customizations to the commercial item itself. The use of COTS has been mandated across many government and business programs, as such products may offer significant savings in procurement, development, and maintenance.

    Motivations for using COTS components include hopes for reduction of overall system-development time and costs (as components can be bought or licensed instead of being developed from scratch) and reduced long-term maintenance costs. In the 1990s many regarded COTS as extremely effective in reducing cost and time in software development. COTS software came with many not-so-obvious tradeoffs: initial cost and development time can be reduced, but often with an increase in software component-integration work, a dependency on the vendor, security issues, and incompatibilities from future changes.[2]

    Contents

    1 Software and services

    1.1 Security implications

    1.2 Issues in other industries

    2 Obsolescence

    3 Nuclear weapons

    4 See also

    5 Notes

    6 References

    Software and services

    Commercial-off-the-shelf (COTS) software and services are usually built and delivered by a third-party vendor. COTS can be purchased, leased or even licensed to the general public.

    COTS provides some of the following strengths:

    Applications are provided at a reduced cost.

    The application is more reliable when compared to custom built software because its reliability is proven through the use by other organizations.

    COTS is more maintainable because the system documentation is provided with the application.

    The application is of higher quality because competition improves product quality.

    COTS software can be more sophisticated because specialists within the industry have developed it.

    The marketplace, rather than any single customer, drives the development of the application.

    The delivery schedule is shorter because the product already exists: the basic schedule is one of deployment and configuration rather than development.

    Security implications

    According to the United States Department of Homeland Security, software security is a serious risk of using COTS software. If the COTS software contains severe security vulnerabilities it can introduce significant risk into an organization's software supply chain. The risks are compounded when COTS software is integrated or networked with other software products to create a new composite application or a system of systems. The composite application can inherit risks from its COTS components.[3]

    The US Department of Homeland Security has sponsored efforts to manage supply chain cyber security issues related to the use of COTS. Software industry observers such as Gartner and the SANS Institute indicate that supply chain disruption poses a major threat. Gartner predicts that "enterprise IT supply chains will be targeted and compromised, forcing changes in the structure of the IT marketplace and how IT will be managed moving forward."[4] The SANS Institute published a survey of 700 IT and security professionals in December 2012 that found that only 14% of companies perform security reviews on every commercial application brought in house, and over half of the other companies do not perform security assessments at all. Instead, companies either rely on vendor reputation (25%) and legal liability agreements (14%) or have no policies for dealing with COTS, and therefore have limited visibility into the risks introduced into their software supply chain by COTS.[5]

    Issues in other industries

    In the medical device industry, COTS software can sometimes be identified as SOUP (Software of Unknown Pedigree or Provenance), i.e. software that has not been developed with a known software development process or methodology, which complicates (and in the worst case precludes) its use in medical devices.[6] In this industry, faults in software components may become system failures in the device itself. The standard IEC 62304:2006 "Medical device software – Software life cycle processes" outlines specific practices to ensure that SOUP components support the safety requirements for the device being developed. In the case where the software components are COTS, DHS best practices for COTS software risk review can be applied.[3] Note, however, that simply being COTS software does not necessarily imply the lack of a fault history or of a transparent software development process. For well documented COTS software a distinction as "clear SOUP" is made, meaning that it may be used in medical devices.[7][8]
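The risk review that the Security implications section and the SOUP passage above both point at (a composite system inheriting the risk of its COTS components, and a check that every commercial application brought in house actually received a security review) can be made concrete. The following script is an added example, not code from the Wikipedia article, from DHS, or from any cited source. It checks a constructed component inventory against a constructed advisory feed; every component name, version and advisory identifier in it is invented for illustration, and the severity ceiling in the policy gate is an assumed value.

```python
"""COTS intake check over a component inventory and an advisory feed.

Added example (not from the Wikipedia article or any cited source). All
component names, versions and advisory identifiers below are constructed
for illustration; they do not describe real products or real advisories.
"""
import re

# Constructed inventory of the COTS components in one composite system.
# "reviewed" records whether a security review was done at intake.
INVENTORY = [
    {"name": "acme-pdf-engine", "version": "3.4.1", "reviewed": True},
    {"name": "bolt-messaging", "version": "2.0.9", "reviewed": False},
    {"name": "zephyr-db-driver", "version": "5.12.0", "reviewed": True},
]

# Constructed advisory feed. Each entry covers versions in the half-open
# range [introduced, fixed); fixed=None means no fixed release exists yet.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "component": "acme-pdf-engine",
     "introduced": "3.0.0", "fixed": "3.4.2", "severity": "high"},
    {"id": "ADV-EXAMPLE-2", "component": "bolt-messaging",
     "introduced": "1.0.0", "fixed": "2.0.0", "severity": "critical"},
    {"id": "ADV-EXAMPLE-3", "component": "zephyr-db-driver",
     "introduced": "5.12.0", "fixed": None, "severity": "medium"},
]

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_version(text):
    """Turn '3.4.1' into (3, 4, 1) so that 3.4.10 sorts after 3.4.9;
    comparing the raw strings would get that wrong. Pre-release and build
    suffixes ('-rc2', '+build7') are dropped (assumption: treated as the release)."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in re.findall(r"\d+", core))


def version_affected(version, introduced, fixed):
    """True if version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def matching_advisories(component, advisories):
    """Advisories whose component name and affected range match this component."""
    return [
        a for a in advisories
        if a["component"] == component["name"]
        and version_affected(component["version"], a["introduced"], a["fixed"])
    ]


def review_system(inventory, advisories):
    """Risk review of the composite system: it inherits the worst severity
    of any affected component, and every unreviewed component is flagged."""
    findings = []
    worst = "none"
    for component in inventory:
        for adv in matching_advisories(component, advisories):
            findings.append((component["name"], component["version"],
                             adv["id"], adv["severity"]))
            if SEVERITY_RANK[adv["severity"]] > SEVERITY_RANK[worst]:
                worst = adv["severity"]
    unreviewed = [c["name"] for c in inventory if not c["reviewed"]]
    return {"inherited_severity": worst, "findings": findings,
            "unreviewed": unreviewed}


def intake_decision(report, max_accepted="medium"):
    """Policy gate (assumed policy): block if any component skipped review or
    the inherited severity exceeds the accepted ceiling; otherwise accept."""
    if report["unreviewed"]:
        return "block: unreviewed components " + ", ".join(report["unreviewed"])
    if SEVERITY_RANK[report["inherited_severity"]] > SEVERITY_RANK[max_accepted]:
        return "block: inherited severity " + report["inherited_severity"]
    return "accept"


if __name__ == "__main__":
    report = review_system(INVENTORY, ADVISORIES)
    for name, version, adv_id, severity in report["findings"]:
        print(f"{name} {version}: {adv_id} ({severity})")
    print("inherited severity:", report["inherited_severity"])
    print("decision:", intake_decision(report))
```

On the constructed data the composite system inherits "high" from acme-pdf-engine 3.4.1 (inside the range, one release short of the fix), zephyr-db-driver is affected because no fixed release exists, and bolt-messaging 2.0.9 is not affected because it is past the fix, yet it still blocks intake because nobody reviewed it; that is the visibility gap the SANS survey describes. Versions are compared as integer tuples rather than strings precisely because "3.4.10" sorts before "3.4.2" as text. In practice the inventory would come from a software bill of materials and the feed from a vulnerability database; the matching logic is the same.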

    Obsolescence

    A striking example of product obsolescence is the Condor Cluster, a USAF supercomputer built out of PlayStation 3s (PS3) running the Linux operating system. Sony disabled the use of Linux on the PS3 in April 2010,[9] leaving no means to procure functioning Linux replacement units.[10] In general, COTS product obsolescence can require customized support or development of a replacement system. Such obsolescence problems have led to government-industry partnerships, where various businesses agree to stabilize some product versions for government use and plan some future features in those product lines as a joint effort. However, some partnerships have led to complaints of favoritism, to avoiding competitive procurement practices, and to claims of the use of sole-source agreements where not actually needed.

    There is also the danger of pre-purchasing a multi-decade supply of replacement parts (and materials) which would become obsolete within 10 years. All these considerations lead to comparing a simple solution (such as "paper & pencil") against the alternatives, to avoid overly complex solutions that create a "Rube Goldberg" system of creeping featurism where a simple solution would have sufficed. Such comparisons also consider whether a group is creating a make-work system to justify extra funding, rather than providing a low-cost system which meets the basic needs, regardless of the use of COTS products.

    Applying the lessons of processor obsolescence learned during the Lockheed Martin F-22 Raptor, the Lockheed Martin F-35 Lightning II planned for processor upgrades during development, and switched to the more widely supported C++ programming language. They have also moved from ASICs to FPGAs. This moves more of the avionic design from fixed circuits to software that can be applied to future generations of hardware.[11]

    COTS components are part of upgrades to the sonar of United States Navy submarines.[12]

    Nuclear weapons

    COTS parts inadvertently used in W76 nuclear warheads led to safety concerns with the weapons.[13]

    See also

    Commercial software

    Commodity off-the-shelf

    Turnkey

    Notes

    1. http://www.acquisition.gov/far/html/Subpart%202_1.html#wp1145508

    2. McKinney, Dorothy. "Impact of Commercial Off-The-Shelf (COTS) Software and Technology on Systems Engineering" (http://www.incose.org/northstar/2001Slides/McKinney%20Charts.pdf), Presentation to INCOSE Chapters, August 2001. Accessed January 28, 2009.

    3. Ellison, Bob; Woody, Carol (2010-03-15). "Supply-Chain Risk Management: Incorporating Security into Software Development" (https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/acquisition/1140-BSI.html). Department of Homeland Security: Build Security In. Retrieved 2012-12-17.

    4. MacDonald, Neil; Valdes, Ray (2012-10-05). "Maverick Research: Living in a World Without Trust" (http://www.gartner.com/id=2188715). Retrieved 2012-12-17.

    5. Bird, Jim; Kim, Frank (December 2012). "SANS Survey on Application Security Programs and Practices" (http://www.sans.org/reading_room/analysts_program/sans_survey_appsec.pdf) (PDF). Retrieved 2012-12-17.

    6. Hobbs, Chris (2012-01-04). "Build and Validate Safety in Medical Device Software" (http://www.medicalelectronicsdesign.com/article/build-and-validate-safety-medical-device-software). Medical Electronics Design. Retrieved 2012-12-17.

    7. http://www.qnx.com/news/events/eu_medical/presentations/When%20is%20cots%20not%20soup_QNX.pdf

    8. http://medicaldesign.com/prototyping/industry-viewpoint-device-makers-can-take-cots-only-clear-soup

    9. PlayStation System Software Update 3.21 (http://us.playstation.com/support/systemupdates/ps3/ps3_321_update1/index.htm)

    10. US Air Force gets a migraine from Sony's latest PS3 update (http://dvice.com/archives/2010/05/us-air-force-ge.php)

    11. "F-35 jet fighters to take integrated avionics to a whole new level."(http://www.militaryaerospace.com/articles/print/volume-14/issue-5/features/special-report/f-35-jet-fighters-to-take-integrated-avionics-to-a-whole-new-level.html) Military & Aerospace Electronics, 1 May 2003.

    12. "U.S. Navy Selects Lockheed Martin for Submarine Sonar Upgrades." (http://www.lockheedmartin.com/news/press_releases/2011/011411_LM_ARCI.html) (Archived (https://web.archive.org/web/20110118005704/http://www.lockheedmartin.com/news/press_releases/2011/011411_LM_ARCI.html) January 18, 2011 at the Wayback Machine)

    13. Thompson, Mark (31 March 2014). "U.S. Faces Challenges Maintaining Aging Nuclear Arsenal" (http://time.com/44648/u-s-faces-challenges-maintaining-aging-nuclear-arsenal/). Time (magazine). Retrieved 1 April 2014.

    References

    "Commercial" is not the opposite of Free-Libre / Open Source Software (FLOSS) (http://www.dwheeler.com/essays/commercial-floss.html)

    Retrieved from "https://en.wikipedia.org/w/index.php?title=Commercial_off-the-shelf&oldid=663514210"

    Categories: Procurement practices

    This page was last modified on 22 May 2015, at 08:28. Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply.
