Data-at-Rest Build vs. Buy: Lead Time
When a new vehicle is being planned and designed, engineers, system architects, program managers, and acquisition personnel typically debate three procurement scenario options for the subsystems:
- BUILD: Design their own subsystem and build it themselves
- BUILD: Have a contractor build the subsystem
- BUY: Locate and buy a commercial off-the-shelf (COTS) subsystem
Each approach may get you to the same goal, but each has positive and negative aspects along the way. Those decisions can only be made internally. The white paper Data-At-Rest Build vs. Buy Considerations for Deployed Storage Devices suggests some considerations that should be introduced in any such debate or trade study.
The white paper focuses on data-at-rest (DAR) devices known as network attached storage (NAS) or network file servers. These NAS devices are Ethernet-based and allow network clients to use the device as local storage. A NAS example is shown in Figure 1.
This blog focuses on one of those considerations: Lead Time. The other considerations are flexibility, loaners, encryption, quality, reliability, export, cost, and risk. The perspective is that of a defense contractor in the United States (U.S).
BUILD: Development Process
Both scenarios 1 and 2 involve a formal development process. It does not matter whether the design is performed in-house or by a sub-contractor. A simple representation of the design process for most products, including a NAS device, is shown in Figure 2. Each stage could be expanded into smaller segments, but the graphic will suffice for this discussion.
All the steps in the development process may take a year or more to complete and resolve all the technical issues. Still, that estimate does not include the encryption certification or approval (if required). Encryption test and approval may be performed somewhat in parallel but cannot start until prototypes are made ready for testing by an independent laboratory.
Before beginning the design phase, the military vehicle developer responsible for the NAS devices must coordinate specifications with their Department of Defense (DoD) customer. The specifications will likely be iterated with their DoD customer several times before approval and sign-off.
The design can commence after the specifications are settled. For electronics, like a NAS device, the design phase will likely include hardware design, firmware design, and software design. Design meetings will be held to review the proposed design during the preliminary design review (PDR) and to review the final design during the critical design review (CDR).
Each phase may be further subdivided, but not in this blog. Test plans should be developed during this phase.
NOTE: As mentioned earlier, this brief discussion does not include approval or certification of encryption mechanisms. That process can take a significant additional time.
After the CDR is complete, the prototype parts required can be ordered. The printed circuit boards will be laid out and fabricated. Once the parts have all arrived, the prototype can be assembled.
With the prototypes built, the execution of the test plan can begin. Testing of each area must be thoroughly reviewed, and technical issues corrected. Not only should functional testing occur during this phase, but environmental testing should also occur, representing the deployed mission parameters.
Encryption Test & Approval
Two encryption programs are defined by the National Security Agency (NSA) – Type 1 encryption and Commercial Solutions for Classified (CSfC) encryption. The Type 1 certification may take 12 to 24 months to complete. The CSfC approval may take 6 to 12 months to complete. Both are estimates and depend on the maturity of the product and its design.
The example NAS in Figure 1 has two layers of CSfC encryption. Each layer had to be separately tested and approved. The first time these were approved took longer than its recent re-approval process. This shortening of the approval was due to the design maturity and the experience gained by the engineering staff during the first effort.
Parts required for production must be ordered well ahead of time. Some risks will occur if ordering parts before test completion. However, a good PDR and CDR effort should minimize parts selection issues.
Since the COVID-19 pandemic, the electronic supply chain has been severely disrupted. Lead time for electronic parts has extended to lengths not seen for decades. One delayed resistor or capacitor can hold up the entire production effort.
After production is complete, the deployment phase can begin. Field testing will occur in careful steps. Ultimately full deployment can start after all requirements are met and any corrections are made to the NAS device.
BUY: Purchase a COTS NAS Device
If you purchase an existing NAS device, the development process described above is bypassed. Essentially you can begin at the production step since the COTS manufacturer has already designed, tested, approved, and produced the COTS NAS device. It may even have been deployed repeatedly, as with the example NAS in Figure 1.
Ordering Ahead of Customer Purchase Order
COTS manufacturers invest in new NAS devices in anticipation of selling those products to many customers, not just one. So, once they have completed the design and test, the COTS manufacturer will order units in anticipation of future orders. They do not wait to get a customer purchase order (PO) and begin manufacturing the devices. The example NAS in Figure 1 is ordered by Curtiss-Wright in large batches.
As mentioned regarding the disrupted electronics supply chain, the parts can take a long time to arrive, and manufacturing can take time. However, the COTS manufacturer has ordered their devices before you even decide to order your units. They will be battling the supply chain issues before you decide to buy.
As a COTS customer, you can bypass all the steps down to production. Your delivery lead time will be dependent on when you place an order. The COTS manufacturer may already have units in stock so that delivery can take weeks.
For a very popular product, the customer orders can exceed the available units in stock or even those on order by the COTS manufacturer. A popular product with good features and good value can result in longer lead times.
In any case, the existing COTS product will have no development time. So, the many months of development have already been bypassed. This saves you lead time, not to mention risk.
BUY: Non-recurring Engineering Cost Avoidance
The COTS manufacturer has also invested its own internal research and development (IRAD) funds in its NAS device. So, you do not have to invest in that development (unless you require a special variant).
Expecting to sell many units, the COTS manufacturer will, of course, amortize their investment over many units. The development may have cost the COTS manufacturer millions or more with encryption tests and approval.
Lead Time Summary
Whether a NAS device is designed by in-house personnel, by an outside design contractor, or by a COTS vendor, always consider the lead time for the NAS device.
Whichever procurement approach you take for a new NAS device, include lead time in your analysis.
If performed in-house or by a subcontractor, the total lead time for a new NAS device will include the entire design process, encryption approval (if needed), parts ordering, and production processes.
If an existing COTS product is purchased, the lead time is greatly reduced. Six months for an existing COTS NAS would be a long lead time. Your lead time will depend on where the COTS manufacturer is in their manufacturing process. So, your delivery may be less than a month or up to six months. The COTS manufacturer is incentivized to ship products as soon as possible since they will have recurring monthly and quarterly financial goals to reach. Holding shipments is not in their best interests.
With the increasing and persistent threats to classified data, most deployed NAS devices are required to include NSA-approved encryption. Encryption certification or approval will take many additional months within the development process.
As was experienced with the NAS in Figure 1, the 3rd party test labs (or NSA itself) may discover security issues during evaluation that must be corrected. This review and approval process takes time and includes technical risks. Do not underestimate the impact of encryption when evaluating lead time. Understand that issues will occur. Be realistic, not optimistic. If ordering an existing (not future) COTS NAS, the encryption approval cycle will have been completed already. In the NAS example, that approval process has even been accomplished twice.
Remember that just buying an approved NAS device like the example does not mean you can automatically deploy it without further formal steps. For the CSfC program, you must go through the solution registration process with NSA. The example NAS can be proposed as a solution by itself since it includes two different layers of approved encryption already integrated. Curtiss-Wright can help you with the solution approval process.
Data-At-Rest Build vs. Buy Considerations for Deployed Storage Devices
This whitepaper focuses on data-at-rest (DAR) devices (subsystems) but may be applied to other deployed electronic devices. Deployed DAR devices are otherwise known as network-attached storage (NAS) or network file servers. These devices are Ethernet-based and allow network clients to use the device as local storage. This paper compares the merits of building or buying such devices in deployed vehicles.
DAR Series Part 3: NSA Type 1 Encryption
A Type 1 encryption product is a device or system certified by the NSA for use in cryptographically securing classified United States government (USG) information when appropriately keyed. The USG classified data may range from Confidential to Secret to Top Secret.
Director, Product Management
Paul Davis began his career for Curtiss-Wright as a Research Manager for the Dayton, OH facility in 1997. Paul has held positions including Director of Engineering managing a staff of 40+ engineers, managers, technicians, and co-op students; Product Manager for the switches, recorders, and various board-level products; and then Director of Product Management. Now retired, Paul worked in engineering and engineering management positions for 19 years.