Wikipedia

Commercial off-the-shelf

Commercial off-the-shelf or commercially available off-the-shelf (COTS) products are packaged or canned (ready-made) hardware or software, which are adapted aftermarket to the needs of the purchasing organization, rather than the commissioning of custom-made, or bespoke, solutions. A related term, Mil-COTS, refers to COTS products for use by the U.S. military.

In the context of the U.S. government, the Federal Acquisition Regulation (FAR) has defined "COTS" as a formal term for commercial items, including services, available in the commercial marketplace that can be bought and used under government contract.[1] For example, Microsoft is a COTS software provider. Goods and construction materials may qualify as COTS but bulk cargo does not. Services associated with the commercial items may also qualify as COTS, including installation services, training services, and cloud services.[2]

COTS purchases are alternatives to custom software or one-off developments – government-funded developments or otherwise.

Although COTS products can be used out of the box, in practice a COTS product must be configured to meet the needs of the business and integrated with existing organizational systems. Extending the functionality of COTS products via custom development is also an option; however, this decision should be weighed carefully because of its long-term support and maintenance implications. Such customized functionality is not supported by the COTS vendor, and so brings its own set of issues when the COTS product is upgraded.

The use of COTS has been mandated across many government and business programs, as such products may offer significant savings in procurement, development, and maintenance.

Motivations for using COTS components include the hope of reducing whole-of-life system costs.

In the 1990s, many regarded COTS as extremely effective in reducing the time and cost of software development.[citation needed] COTS software came with many not-so-obvious tradeoffs: a reduction in initial cost and development time in exchange for an increase in software component-integration work, dependency on the vendor, security issues, and incompatibilities arising from future changes.[3]

Software and services

Commercial off-the-shelf (COTS) software and services are usually built and delivered by a third-party vendor. COTS can be purchased, leased, or even licensed to the general public.

COTS can be obtained and operated at a lower cost than in-house development,[citation needed] and can provide increased reliability and quality compared to custom-built software, as these products are developed by specialists within the industry and are validated by various independent organizations, often over an extended period of time.[citation needed]

Security implications

According to the United States Department of Homeland Security, software security is a serious risk of using COTS software. If the COTS software contains severe security vulnerabilities it can introduce significant risk into an organization's software supply chain. The risks are compounded when COTS software is integrated or networked with other software products to create a new composite application or a system of systems. The composite application can inherit risks from its COTS components.[4]

The US Department of Homeland Security has sponsored efforts to manage supply chain cyber security issues related to the use of COTS. However, software industry observers such as Gartner and the SANS Institute indicate that supply chain disruption poses a major threat. Gartner predicts that "enterprise IT supply chains will be targeted and compromised, forcing changes in the structure of the IT marketplace and how IT will be managed moving forward".[5] Also, the SANS Institute published a survey of 700 IT and security professionals in December 2012 that found that only 14% of companies perform security reviews on every commercial application brought in house, and over half of other companies do not perform security assessments. Instead companies either rely on vendor reputation (25%) and legal liability agreements (14%) or they have no policies for dealing with COTS at all and therefore have limited visibility into the risks introduced into their software supply chain by COTS.[6]

Issues in other industries

In the medical device industry, COTS software can sometimes be identified as SOUP (software of unknown pedigree or software of unknown provenance), i.e., software that has not been developed with a known software development process or methodology, which precludes its use in medical devices.[7] In this industry, faults in software components could become system failures in the device itself if steps are not taken to ensure that the relevant fairness and safety standards are complied with. The standard IEC 62304:2006 "Medical device software – Software life cycle processes" outlines specific practices to ensure that SOUP components support the safety requirements of the device being developed. Where the software components are COTS, DHS best practices for COTS software risk review can be applied.[4] Simply being COTS software does not necessarily imply the lack of a fault history or of a transparent software development process. Well-documented COTS software is distinguished as "clear SOUP", meaning that it may be used in medical devices.[8][9]

Obsolescence

Main article: DMSMS

A striking example of product obsolescence is the PlayStation 3 cluster, which used Linux to operate. Sony disabled the use of Linux on the PS3 in April 2010,[10] leaving no means to procure functioning Linux replacement units.[11] In general, COTS product obsolescence can require customized support or the development of a replacement system. Such obsolescence problems have led to government-industry partnerships, in which various businesses agree to stabilize some product versions for government use and to plan some future features in those product lines as a joint effort. However, some partnerships have led to complaints of favoritism, of avoidance of competitive procurement practices, and of the use of sole-source agreements where not actually needed.

There is also the danger of pre-purchasing a multi-decade supply of replacement parts (and materials) that would become obsolete within 10 years. All these considerations lead to comparing against a simple solution (such as "paper & pencil") in order to avoid overly complex solutions that create a "Rube Goldberg" system of creeping featurism where a simple solution would have sufficed.[clarification needed] Such comparisons also consider whether a group is creating a make-work system to justify extra funding, rather than providing a low-cost system that meets the basic needs, regardless of the use of COTS products.

Applying the lessons of processor obsolescence learned during the Lockheed Martin F-22 Raptor program, the Lockheed Martin F-35 Lightning II program planned for processor upgrades during development and switched to the more widely supported C++ programming language. The program has also moved from ASICs to FPGAs. This moves more of the avionic design from fixed circuits to software that can be carried over to future generations of hardware.[12]

COTS components are part of upgrades to the sonar of United States Navy submarines.[13]

See also

  • Commercial software
  • Commodity off-the-shelf
  • Government off-the-shelf
  • Non-developmental item
  • Host-Based Security System
  • Independent software vendor
  • Invented here
  • Open Trusted Technology Provider Standard
  • Turnkey

References

Citations

  1. "2.101 Definitions". U.S. Federal Acquisition Regulations. Retrieved 2022-06-22.
  2. "2.000 Scope of part". Acquisition.gov. Archived from the original on 2017-01-30. Retrieved 2018-10-02.
  3. McKinney, Dorothy. "Impact of Commercial Off-The-Shelf (COTS) Software and Technology on Systems Engineering". Presentation to INCOSE Chapters, August 2001. Accessed January 28, 2009.
  4. Ellison, Bob; Woody, Carol (2010-03-15). "Supply-Chain Risk Management: Incorporating Security into Software Development". Department of Homeland Security: Build Security In. Retrieved 2012-12-17.
  5. MacDonald, Neil; Valdes, Ray (2012-10-05). "Maverick Research: Living in a World Without Trust". Retrieved 2012-12-17.
  6. Bird, Jim; Kim, Frank (December 2012). "SANS Survey on Application Security Programs and Practices" (PDF). Retrieved 2012-12-17.
  7. Hobbs, Chris (2012-01-04). "Build and Validate Safety in Medical Device Software". Medical Electronics Design. Retrieved 2012-12-17.
  8. "Medical Devices & Technology" (PDF). www.qnx.com. Retrieved 1 April 2018.
  9. "Medical Design - Machine Design". medicaldesign.com. Retrieved 1 April 2018.
  10. "PlayStation® Support". us.playstation.com. Retrieved 1 April 2018.
  11. "US Air Force gets a migraine from Sony's latest PS3 update". Archived August 20, 2012, at the Wayback Machine.
  12. "F-35 jet fighters to take integrated avionics to a whole new level". Military & Aerospace Electronics, 1 May 2003.
  13. "U.S. Navy Selects Lockheed Martin for Submarine Sonar Upgrades". Archived January 18, 2011, at the Wayback Machine.

Sources

  • "Commercial" is not the opposite of Free-Libre / Open Source Software (FLOSS)
