Effective CISSP Questions

An in-house development team in your organization is tasked to develop a new information system, deployed to a public PaaS, to support a new mission. A well-known consulting firm, listed among your organization's approved providers and offerings, is contracted to advise on cloud services. Some of the tools used by the developers are freeware downloaded from the internet. Which of the following acquisition sources is not used in this project?
A. Commercial-off-the-shelf (COTS)
B. Open Source
C. Managed services
D. Third-party

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. Open Source.

The freeware tools downloaded by the developers are not an "open source" offering. Open source means the source code is made available under a license that permits others to use, modify, and redistribute it; freeware only means the software is distributed at no charge. According to Wikipedia, "unlike with free and open-source software, which are also often distributed free of charge, the source code for freeware is typically not made available." Freeware obtained from the internet is still acquired from an external party, so it counts toward the third-party source rather than the open-source one.

Freeware

Freeware is software, most often proprietary, that is distributed at no monetary cost to the end user. There is no agreed-upon set of rights, license, or EULA that defines freeware unambiguously; every publisher defines its own rules for the freeware it offers.

Source: Wikipedia

Open Source

Open source products include permission to use the source code, design documents, or content of the product. It most commonly refers to the open-source model, in which open-source software or other products are released under an open-source license as part of the open-source-software movement.

Source: Wikipedia

Managed services

“Managed services is the practice of outsourcing the responsibility for maintaining, and anticipating need for, a range of processes and functions in order to improve operations and cut expenses.” (Wikipedia)

For example, Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS) are managed services. The public PaaS in the question is one of them, so this source is used in the project.


Third-party

Third-party may refer to third-party providers or third-party relationships.

  • Third-party Providers: service providers, integrators, vendors, telecommunications, and infrastructure support that are external to the organization that operates the manufacturing system.
  • Third-Party Relationships: relationships with external entities. External entities may include, for example, service providers, vendors, supply-side partners, demand-side partners, alliances, consortiums, and investors, and may include both contractual and non-contractual parties.

Source: NIST Glossary

In the question, the contracted consulting firm is a third-party provider, and the approved list of providers and offerings is the organization's control over its third-party relationships, so this source is used in the project.


COTS

COTS is the acronym for commercial off-the-shelf or commercially available off-the-shelf. COTS offerings are products or services that can be bought off the store shelf or from a catalog, in contrast with in-house or custom-made solutions. COTS software and COTS servers are the examples most familiar to IT people. However, "services associated with the commercial items may also qualify as COTS, including installation services, training services, and cloud services." (Wikipedia) The public PaaS in the question is bought as-is from the provider's catalog, so it is both a managed service and a COTS offering.

The Federal Acquisition Regulation (FAR)

Commercial component means any component that is a commercial item.

Commercial computer software means any computer software that is a commercial item.

Commercial item means

  • (1) Any item, other than real property, that is of a type customarily used by the general public or by non-governmental entities for purposes other than governmental purposes, and-
    • (i) Has been sold, leased, or licensed to the general public; or
    • (ii) Has been offered for sale, lease, or license to the general public;
  • (2) Any item that evolved from an item described in paragraph (1) of this definition through advances in technology or performance and that is not yet available in the commercial marketplace, but will be available in the commercial marketplace in time to satisfy the delivery requirements under a Government solicitation;
  • (3) Any item that would satisfy a criterion expressed in paragraphs (1) or (2) of this definition, but for-
    • (i) Modifications of a type customarily available in the commercial marketplace; or
    • (ii) Minor modifications of a type not customarily available in the commercial marketplace made to meet Federal Government requirements. Minor modifications means modifications that do not significantly alter the nongovernmental function or essential physical characteristics of an item or component, or change the purpose of a process. Factors to be considered in determining whether a modification is minor include the value and size of the modification and the comparative value and size of the final product. Dollar values and percentages may be used as guideposts, but are not conclusive evidence that a modification is minor;
  • (4) Any combination of items meeting the requirements of paragraphs (1), (2), (3), or (5) of this definition that are of a type customarily combined and sold in combination to the general public;
  • (5) Installation services, maintenance services, repair services, training services, and other services if-
    • (i) Such services are procured for support of an item referred to in paragraph (1), (2), (3), or (4) of this definition, regardless of whether such services are provided by the same source or at the same time as the item; and
    • (ii) The source of such services provides similar services contemporaneously to the general public under terms and conditions similar to those offered to the Federal Government;
  • (6) Services of a type offered and sold competitively in substantial quantities in the commercial marketplace based on established catalog or market prices for specific tasks performed or specific outcomes to be achieved and under standard commercial terms and conditions. For purposes of these services-
    • (i) “Catalog price” means a price included in a catalog, price list, schedule, or other form that is regularly maintained by the manufacturer or vendor, is either published or otherwise available for inspection by customers, and states prices at which sales are currently, or were last, made to a significant number of buyers constituting the general public; and
    • (ii) “Market prices” means current prices that are established in the course of ordinary trade between buyers and sellers free to bargain and that can be substantiated through competition or from sources independent of the offerors.
  • (7) Any item, combination of items, or service referred to in paragraphs (1) through (6) of this definition, notwithstanding the fact that the item, combination of items, or service is transferred between or among separate divisions, subsidiaries, or affiliates of a contractor; or
  • (8) A nondevelopmental item, if the procuring agency determines the item was developed exclusively at private expense and sold in substantial quantities, on a competitive basis, to multiple State and local governments or to multiple foreign governments.

Commercially available off-the-shelf (COTS) item—

  • (1) Means any item of supply (including construction material) that is–
    • (i) A commercial item (as defined in paragraph (1) of the definition in this section);
    • (ii) Sold in substantial quantities in the commercial marketplace; and
    • (iii) Offered to the Government, under a contract or subcontract at any tier, without modification, in the same form in which it is sold in the commercial marketplace; and
  • (2) Does not include bulk cargo, as defined in 46 U.S.C. 40102(4), such as agricultural products and petroleum products.

Source: FAR 2.101 (Definitions)

NIST Glossary

  • COTS: A product that is commercially available. (NIST SP 800-152)
  • COTS: software and hardware that already exists and is available from commercial sources. It is also referred to as off-the-shelf. (NISTIR 7622)
  • Commercial-off-the-shelf (COTS): A software and/or hardware product that is commercially ready-made and available for sale, lease, or license to the general public. (CNSSI 4009-2015)



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

An in-house development team in your organization is responsible for developing a new information system that will be deployed to a public PaaS to support the organization's new mission. A well-known consulting firm (already on the company's approved list of providers and offerings) is contracted to advise on cloud services. Some of the tools used by the developers are freeware downloaded from the Internet. Which of the following acquisition sources is not used in this project?
A. Commercial-off-the-shelf (COTS)
B. Open Source
C. Managed services
D. Third-party
