Data at Rest Build vs. Buy: Lead Time

military fighter jet data at rest

When a new vehicle is being planned and designed, engineers, system architects, program managers, and acquisition personnel typically debate three procurement scenario options for the subsystems:

Scenario Options:

  1. BUILD: Design their own subsystem and build it themselves 
  2. BUILD: Have a contractor build the subsystem
  3. BUY: Locate and buy a commercial off-the-shelf (COTS) subsystem

Each approach may get you to the same goal, but each has positive and negative aspects along the way. Those decisions can only be made internally. The white paper Data-At-Rest Build vs. Buy Considerations for Deployed Storage Devices suggests some considerations that should be introduced in any such debate or trade study. 

The white paper focuses on data-at-rest (DAR) devices known as network attached storage (NAS) or network file servers. These NAS devices are Ethernet-based and allow network clients to use the device as local storage. A Network Attached Storage example is shown in Figure 1.

Figure 1 – Curtiss-Wright DTS1 NAS Example
Figure 1 – Curtiss-Wright DTS1 Network Attached Storage

This blog focuses on one of those considerations: Lead Time. The other considerations are flexibility, loaners, encryption, quality, reliability, export, cost, and risk. The perspective is that of a defense contractor in the United States (U.S).  

BUILD: Development Process

Both scenarios 1 and 2 involve a formal development process. It does not matter whether the design is performed in-house or by a sub-contractor. A simple representation of the design process for most products, including a Network Attached Storage device, is shown in Figure 2. Each stage could be expanded into smaller segments, but the graphic will suffice for this discussion.

Figure 2 - BUILD Development Process
Figure 2 - BUILD Development Process

All the steps in the development process may take a year or more to complete and resolve all the technical issues. Still, that estimate does not include the encryption certification or approval (if required). Encryption test and approval may be performed somewhat in parallel but cannot start until prototypes are made ready for testing by an independent laboratory. 


Before beginning the design phase, the military vehicle developer responsible for the Network Attached Storage devices must coordinate specifications with their Department of Defense (DoD) customer. The specifications will likely be iterated with their DoD customer several times before approval and sign-off.  


The design can commence after the specifications are settled. For electronics, like a Network Attached Storage device, the design phase will likely include hardware design, firmware design, and software design. Design meetings will be held to review the proposed design during the preliminary design review (PDR) and to review the final design during the critical design review (CDR). Each phase may be further subdivided, but not in this blog. Test plans should be developed during this phase.  

NOTE: As mentioned earlier, this brief discussion does not include approval or certification of encryption mechanisms. That process can take a significant additional time. 


After the CDR is complete, the prototype parts required can be ordered. The printed circuit boards will be laid out and fabricated. Once the parts have all arrived, the prototype can be assembled.

Functional Test

With the prototypes built, the execution of the test plan can begin. Testing of each area must be thoroughly reviewed, and technical issues corrected. Not only should functional testing occur during this phase, but environmental testing should also occur, representing the deployed mission parameters.  

Encryption Test & Approval 

Two encryption programs are defined by the National Security Agency (NSA)Type 1 encryption and Commercial Solutions for Classified (CSfC) encryption. The Type 1 certification may take 12 to 24 months to complete. The CSfC approval may take 6 to 12 months to complete. Both are estimates and depend on the maturity of the product and its design.  

The example NAS in Figure 1 has two layers of CSfC encryption. Each layer had to be separately tested and approved. The first time these were approved took longer than its recent re-approval process. This shortening of the approval was due to the design maturity and the experience gained by the engineering staff during the first effort.  


Parts required for production must be ordered well ahead of time. Some risks will occur if ordering parts before test completion. However, a good PDR and CDR effort should minimize parts selection issues.  

Since the COVID-19 pandemic, the electronic supply chain has been severely disrupted. Lead time for electronic parts has extended to lengths not seen for decades. One delayed resistor or capacitor can hold up the entire production effort.  


After production is complete, the deployment phase can begin. Field testing will occur in careful steps. Ultimately full deployment can start after all requirements are met and any corrections are made to the NAS device.  

BUY: Purchase a COTS NAS Device

If you purchase an existing Network Attached Storage device, the development process described above is bypassed. Essentially you can begin at the production step since the COTS manufacturer has already designed, tested, approved, and produced the COTS Network Attached Storage device. It may even have been deployed repeatedly, as with the example Network Attached Storage in Figure 1.

Figure 3 - COTS Product Lead Time
Figure 3 - COTS Product Lead Time
Ordering Ahead of Customer Purchase Order

COTS manufacturers invest in new NAS devices in anticipation of selling those products to many customers, not just one. So, once they have completed the design and test, the COTS manufacturer will order units in anticipation of future orders. They do not wait to get a customer purchase order (PO) and begin manufacturing the devices. The example Network Attached Storage in Figure 1 is ordered by Curtiss-Wright in large batches.  

As mentioned regarding the disrupted electronics supply chain, the parts can take a long time to arrive, and manufacturing can take time. However, the COTS manufacturer has ordered their devices before you even decide to order your units. They will be battling the supply chain issues before you decide to buy.  

As a COTS customer, you can bypass all the steps down to production. Your delivery lead time will be dependent on when you place an order. The COTS manufacturer may already have units in stock so that delivery can take weeks.   

For a very popular product, the customer orders can exceed the available units in stock or even those on order by the COTS manufacturer. A popular product with good features and good value can result in longer lead times. 

In any case, the existing COTS product will have no development time. So, the many months of development have already been bypassed. This saves you lead time, not to mention risk.  

BUY: Non-recurring Engineering Cost Avoidance

The COTS manufacturer has also invested its own internal research and development (IRAD) funds in its Network Attached Storage device. So, you do not have to invest in that development (unless you require a special variant).  

Expecting to sell many units, the COTS manufacturer will, of course, amortize their investment over many units. The development may have cost the COTS manufacturer millions or more with encryption tests and approval.  

Lead Time Summary

Whether a NAS device is designed by in-house personnel, by an outside design contractor, or by a COTS vendor, always consider the lead time for the NAS device.  

Whichever procurement approach you take for a new Network Attached Storage device, include lead time in your analysis.    

Figure 4 - Relative Lead Times Including Encryption Approval
Figure 4 - Relative Lead Times Including Encryption Approval

If performed in-house or by a subcontractor, the total lead time for a new Network Attached Storage device will include the entire design process, encryption approval (if needed), parts ordering, and production processes.  


If an existing COTS product is purchased, the lead time is greatly reduced. Six months for an existing COTS Network Attached Storage would be a long lead time. Your lead time will depend on where the COTS manufacturer is in their manufacturing process. So, your delivery may be less than a month or up to six months. The COTS manufacturer is incentivized to ship products as soon as possible since they will have recurring monthly and quarterly financial goals to reach. Holding shipments is not in their best interests.  


With the increasing and persistent threats to classified data, most deployed Network Attached Storage devices are required to include NSA-approved encryption. Encryption certification or approval will take many additional months within the development process.  

As was experienced with the Network Attached Storage in Figure 1, the 3rd party test labs (or NSA itself) may discover security issues during evaluation that must be corrected. This review and approval process takes time and includes technical risks. Do not underestimate the impact of encryption when evaluating lead time. Understand that issues will occur. Be realistic, not optimistic. If ordering an existing (not future) COTS Network Attached Storage, the encryption approval cycle will have been completed already. In the Network Attached Storage example, that approval process has even been accomplished twice.      

Remember that just buying an approved Network Attached Storage device like the example does not mean you can automatically deploy it without further formal steps. For the CSfC program, you must go through the solution registration process with NSA. The example Network Attached Storage can be proposed as a solution by itself since it includes two different layers of approved encryption already integrated. Curtiss-Wright can help you with the solution approval process.