Commercial Off-the-Shelf Products in Defence Applications
Commercial off-the-shelf or commercially available off-the-shelf (COTS) products are packaged or canned (ready-made) hardware or software, which are adapted aftermarket to the needs of the purchasing organization, rather than the commissioning of custom-made, or bespoke, solutions. A related term, Mil-COTS, refers to COTS products for use by the U.S. military.
Executive Summary
Commercial Off The Shelf (COTS) software packages have been proposed for many military applications, including embedded systems, communication systems, operating systems, and in some cases critical military applications. A primary reason for proposing COTS for military applications is an assumption that software lifecycle costs would be substantially reduced. Such a mandate has major implications for the acquisition, design, production, evaluation, and testing of systems that must maintain high levels of assurance.
Verified and validated levels of software quality, safety, reliability, sustainability, and survivability can be difficult to obtain and are often expensive to achieve. However, critical military applications demand levels of software assurance that most vendors do not apply to their commercial products. Although the cost-saving benefits of COTS packages for non-critical applications are undisputed, there continues to be an ongoing debate on the cost benefits of COTS software for critical applications (military or commercial).
Various approaches have been proposed for COTS utilization for military systems. One approach is to adopt COTS software for non-critical military applications, where an organization’s operations concept is modified to be consistent with the commercial properties of a COTS software package. A second approach is to adopt COTS software for military applications, where the original source is modified to be consistent with unique operational requirements. A third approach is to modify COTS software for critical military applications, where an independent testing organization obtains the original vendor source code for assurance testing. Modified COTS software generally requires a substantial change to vendor source code. A fourth approach assumes that COTS software packages cannot be adequately evaluated or verified, and should not be used for any critical military systems.
In order to address procurement, design, evaluation, testing, verification, validation, adoption, adaptation, and modification issues associated with the acquisition and utilization of COTS software packages for military systems, NATO hosted a three-day symposium in Brussels, Belgium. The symposium consisted of two keynote speakers, and six technical sessions consisting of twenty-four presentations.
The symposium treated the subject with the rigor that is characteristic of a mature engineering discipline. This symposium and its products will be a standard by which COTS software evaluation and certification are measured for years to come. Presentations were thorough, accurate, and current. Several presentations actually anticipated results that have yet to appear in archival journals.