COTS in the Real World: A Case Study in Risk Discovery and Repair
April 1999 • Technical Note
Scott Hissam, Daniel Plakosh
This report describes the investigations performed to determine how well selected commercial components met the mission needs of a DoD project.
Software Engineering Institute
CMU/SEI Report Number
Like many organizations in both the public and private sectors, the U.S. Department of Defense (DoD) is committed to a policy of using commercial off-the-shelf (COTS) components in new systems, particularly information systems. However, the DoD also has a long-standing set of security needs for its systems, and the pressure to adopt COTS components can come into conflict with those security constraints. The major elements of this conflict are the DoD's overall approach to system security on one hand and the economic forces that drive the component industry on the other. As DoD managers and system integrators look to the COTS marketplace for components to satisfy more security requirements, this conflict becomes more prominent. In this report, we describe an actual product evaluation where just such a conflict occurred, examine why that conflict exists, and outline the corrective steps that were taken.