Appendix A
Operating Scenario
GPS/CDU Project for Wild Blue Yonder Technologies

Wild Blue Yonder Technologies Inc (WBYT) is a general holding company whose line of business is tailored to high-tech holdings. Wild Blue Yonder Technologies' various subsidiary companies are maintained as one coordinated business from offices in New York City. The centralization of policy and planning direction at one location has historically produced higher revenues, profit margins, and customer satisfaction. The necessary degree of coordination is enabled by a global enterprise network that is managed from the New York location. That network provides secure telecommunications capability with embedded firewall protection, multi-carrier cellular access options, and automatic access point database updates for all connection types. It enables access to the enterprise's applications from any location on an as-needed basis. The network also provides integrated, any-distance, seamless connectivity to WBYT's centralized information resources.

WBYT's holdings are concentrated in advanced technology products and services. Two closely held subsidiaries deal exclusively with the Federal government. The line of business of one, which is based in Gaithersburg, Maryland, is R&D and manufacture of advanced-capability components for the F-16 Fighting Falcon and F/A-18 Super Hornet. The other, based in Jacksonville, does R&D in target acquisition and fire control systems for Army helicopters. There is also a manufacturing facility in Detroit. That facility builds Leopard tanks for the Canadian Army under license from the German government. Other close holdings in WBYT's empire include a commercial electronics R&D facility in Corvallis. The Corvallis facility also does contract work for the Idaho National Laboratory. In addition to the closely held corporations, there are loosely held electronics manufacturing or service holdings in Pittsburgh, Houston, Des Moines, Sioux Falls, Denver, and Bozeman. These facilities serve the consumer high-tech industry.

Finally, there are a number of loosely held international corporations in India, Australia, and across the Pacific Rim, all concentrated in advanced technology. All computer services for that region are provided over a public/private VPN, which is maintained for that area in Singapore. The Singapore data center is actually owned and operated by WBYT, as part of the company's global VPN. The VPN itself is maintained out of the New York office.

According to WBYT's charter, the primary business goal of the Company is to utilize the global marketplace to provide high-quality technology components at the lowest possible price. Wild Blue Yonder Technologies entered the market knowing that the ability to closely monitor its operation and deliver competitive business information quickly was going to be a prerequisite to its success, particularly in the integration and reuse of COTS products. In essence, its entire business model was based on the presumed ability to do that. In fact, since information was the key to company survival, that mission was laid out even before the technical capability for achieving it was in place.

Wild Blue Yonder Technologies' information processing operation delivers information and services to its various subsidiaries in two ways: hosted and embedded. The hosted model removes the burden of maintaining on-site data acquisition and management functions from the facility's operations managers, while ensuring a secure and scalable worldwide environment. The embedded model allows each local facility to operate and maintain its own IT infrastructure, which is tailored around WBYT's enterprise systems to support that subsidiary's specific line of business and business operation.

Company Organization Overview

Because it is focused on the development of very advanced software products, WBYT gets most of its business from the Pentagon. It utilizes a well-defined, flexible process for planning for and developing this software. It is also known as an innovative place to work. WBYT is operating under a pressing NIST SP 800-53 mandate, and the only process area holding up the assessment is Risk Management. As such, WBYT management would like you to implement a robust and persistent risk management process for its supply chain.

Early software project planning is stressed at WBYT, and project plans are developed to integrate effectively with the other engineering plans within each project. There is strong informal communication among all the engineering disciplines, and a single program manager manages each new project from an integrated system view. Software estimates are derived through expert analysis and documented for use throughout the project's life. These estimates are backed up with outputs from estimation tools that are used to provide a "reality check" on the experts' initial idea. Actual project data is retained to support a cost estimation improvement effort under way at WBYT, but it is not used in a formal feedback sense.

Software project management metrics are used to provide visibility into project performance at the project level. When performance deviates from the initial plans, the project manager is responsible for either making changes to the way the project is being handled (in order to bring the project back into conformance with the plan) or re-planning. Software subcontracts are managed using a set of defined policies and procedures. Software requirements, design, and code inspections are used to support development. Defect metrics from the inspections are maintained. Other product-related metrics are identified and maintained for each development effort to help keep reasonable visibility into the development effort. These metrics are also used to support software project management and risk assessment. The only problem is that all of this takes place at the project rather than the organizational level: the Program Manager and upper management never see the results of this extensive measurement process.

The review culture at WBYT is not well developed. Instead, assurance is primarily defined as testing the code. There is no software configuration management at any level in the supply chain. A Software Engineering Process Group (SEPG) team of engineers and managers from the software engineering organization is responsible for keeping the approved software engineering processes up to date and for identifying new opportunities for improvement. This team reports to the manager of software engineering and to the corporate vice president of engineering. The vice president of engineering maintains a keen interest in the software engineering processes for the corporation. The manager of software engineering and the vice president of engineering are responsible for providing quarterly reports to the company president on the state of software engineering and software assurance process improvement. The problem is that most of this reporting up and down the chain of command is in the form of rumor rather than objective data.

COTS and GOTS

WBYT uses commercial off-the-shelf (COTS) and government off-the-shelf (GOTS) software when possible, but it does not hesitate to build its own components when necessary or to mitigate risk. WBYT's chief architect and CIO are both former employees of a major Web search engine site/content provider. In four years back in the late 1990s, they watched that provider's usage go from 45,000 to 45,000,000 page views per day. With millions of people using the system, they learned very quickly to take whatever security precautions were needed to avoid being awakened in the middle of the night with a business-threatening problem.

WBYT management's major concern about COTS products centers on the ability to ensure their security. That became particularly true when targeted bench-checks found Trojan code embedded in products that were acquired from an overseas source. Thus, when security is essential and the source of the code is in doubt, WBYT will not hesitate to build the necessary components in-house. WBYT's rule of thumb is that if the function is unimportant, COTS will do. If there is an actual or de facto security requirement for some aspect of the system, the COTS product will have to be proven secure. Otherwise, that component is a strong candidate for in-house implementation.