Software Engineering Institute | Carnegie Mellon University
Software Engineering Institute | Carnegie Mellon University

COTS Usage Risk Evaluation

Are you preparing for a project that makes heavy use of commercial software? 

Do you need to better understand the potential risks associated with such a program? 

The COTS Usage Risk Evaluation (CURE) has been developed to assist organizations in avoiding common mistakes in COTS-based acquisitions. CURE is ideally given during the early stages of a program, when the major key decisions relating to use of COTS products have not yet been made. CURE is a useful technology for any organization that is preparing for a project that is critically dependent on commercial software; it provides insight and understanding into the potential risks associated with such a program.

CURE involves site visits by SEI personnel to the program office and contractor for COTS-based acquisitions. Structured question-and-answer sessions are used to uncover potential risks in the acquisition. Risks are identified, and strategies for mitigating these risks are provided in a final report.

We've made CURE tools and materials available online. Detailed information about CURE can be found in the SEI technical report Identifying COTS Product Risks: The COTS Usage Risk Evaluation.

There is also an overview describing the CURE process for participants. Finally, the components of CURE are available for download. Feel free to use these materials to help evaluate your organization's risk regarding the use of COTS products.

Who will benefit?

•    program managers preparing to start COTS-intensive projects
•    contractors preparing to bid on COTS-intensive government contracts
•    anyone interested in gaining greater awareness of the risks inherent in COTS-based acquisition

CURE is a focused examination of the COTS-related aspects of a system development project. It is ideally administered during the early stages of a program, even before a specific contractor has been chosen.

CURE is aimed at both the government and the contractor side of a project. It is intended to assist key personnel on both sides in the decision-making and skills that will be required when an acquisition is heavily oriented toward using commercial software.

While the evaluation is aimed at both the government and the contractor, it can be applied individually to any organization that might participate in a COTS-related acquisition. It can also be used by contractors planning to bid on a forthcoming proposal.


The evaluation is performed through a questionnaire and an on-site visit by an assessment team. The project's personnel complete the questionnaire and return it to the evaluation team in advance. This permits the team to identify key topics, and to focus the on-site visit toward the individual needs of the program.

The CURE process produces a detailed outbrief on the COTS-related risks to the project. In the outbrief, identified risks are explained and prioritized, and mitigation strategies suggested for each. The outbrief is delivered within two weeks of the on-site visit.


CURE is offered on demand at customer sites. CURE is separately administered to the acquirer and the contractor. Each individual administration requires no more than two days on site.


The participants in CURE should be the senior organization members who will be assigned to the forthcoming (or ongoing) project. This includes the acquirer's program manager, the contractor's project manager, and the contractor's lead engineer/chief technical architect.

For More Information

Tricia Oberndorf
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-2612