COTS Usage Risk Evaluation (CURE) Participants Overview
Version 3.2
Description
The COTS Usage Risk Evaluation (CURE) assumes that an organization is at some stage of acquiring a COTS-based software system, to be created under contract by another organization. In the most familiar scenario, the former organization would be some part of the Federal Government and the latter some large industrial contractor. However, there is no assumption that the acquiring organization is necessarily a Government agency: the questionnaire is applicable to any acquiring organization. Ideally, both the acquiring and the contracting organizations will participate in separate evaluations, so that a program-wide result is obtained. However, this is not absolutely necessary.
This document is intended for those participating in the CURE. It provides an overview of the three steps of the evaluation: the initial questionnaire, the on-site visit, and the outbrief. For each step, both the activity and the personnel expected to perform that step are discussed. It is assumed that the decision to perform CURE has already been made, so no rationale for a program's participation in the CURE is provided. If such rationale is needed, the reader should consult the CURE portion[1] of the SEI Web site. The core of the evaluation is an on-site visit by the evaluation team.
Initial Questionnaire
Four weeks before the scheduled on-site visit, the evaluation team sends the initial questionnaire to the program's point of contact (PPOC). The completed questionnaire must be returned to the evaluation team no later than one week before the on-site visit.
The questions are general in nature and should require no more than half a day to answer. The answers to the questionnaire are used to inform the evaluation team about the program.
On-site Visit
About one week before the on-site visit, the evaluation team furnishes the PPOC with the Discussion Document. This document guides the discussions during the visit and is provided in advance so that program personnel may better understand the nature of the on-site visit.
The normal model of the on-site visit is that the evaluation team meets with the program participants on Monday of the evaluation week. After an initial inbrief by the evaluation team, the Discussion Document is used to guide the dialogue between the two teams. The discussion of some topics will necessarily take longer than others, but each topic is intended to be at roughly the same level of granularity. Sometimes it is desirable to extend the discussion into Tuesday morning, but it is unlikely that the discussion would run any longer.
The on-site interviews are with key personnel from the organization. For a contractor, the interviews are divided between the lead engineer, the project manager, and possibly the organization's contracts officer. For an acquisition organization, the program manager is the main person to be interviewed. Supporting personnel (e.g., the program's contracts officer) may be added as deemed appropriate, but no more than five people should be interviewed.
There is no need for individual interviews; all personnel are therefore expected to be present for the duration of the on-site visit. Indeed, the joint interview occasionally surfaces differences of opinion between team members, and resolving such ambiguities is an important step.
Over the next three days, the evaluation team analyzes the data gathered during the first day(s) for COTS-based risks. The result of the analysis is the basis of the outbrief.
Outbrief
On Friday of the same week as the on-site visit, the evaluation team returns with an outbrief listing the observed COTS-based risks for the program. Each risk is presented with potential consequences and possible mitigations. The outbrief takes one to two hours, depending on the results of the evaluation team's analysis. The outbrief may generate discussions, which the evaluation team encourages, since such discussions may illuminate or clarify issues raised during the evaluation.
The outbrief is intended for the personnel who participated in the initial discussions, but the participants should feel free (and are encouraged) to invite other appropriate personnel. The only caveat is that, if CURE is to be applied to both the acquirer and the contractor,[2] contractor personnel should not be present during the acquirer's outbrief.[3]
In all cases, the evaluation team considers the content of the outbrief to be confidential and never shares the information with any other party. This restriction applies only to the evaluation team; the program office may distribute the outbrief as circumstances dictate.
COTS Usage Risk Evaluation (SM) is a service mark of Carnegie Mellon University.
CURE (SM) is a service mark of Carnegie Mellon University.
[1] Description: COTS Usage Risk Evaluation (CURE).
[2] If both are to be evaluated, the acquirer evaluation must be performed first.
[3] Such attendance introduces bias into the contractor evaluation and reduces the value of the second evaluation.