TECHNICAL EVALUATION OF MANAGMENT SCIENCE AMERICA SOFTWARE PACKAGES MANUFACTURING PURCHASING ACCOUNTS PAYABLE

Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 25X1 UNCLASSIFIED Commercial Logistical Application System (CLAS) Technical Evaluation of Management Science America (MSA) Software Packages Manufacturing Purchasing Accounts Payable Prepared by: CSDD/MISG/OIT August 29, 1986 UNCLASSIFIED Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part- Sanitized Copy Approved forRelease2013/10/24 : CIA-RDP90-00191R000100050024-2 Unclassified CONTENTS Chapter PIE 1. EXECUTIVE SUMMARY 1 2. INTRODUCTION 3 3. THE PACKAGES 4 Manufacturing 14 Batch Processing 5 Easy Screen 5 Purchasing 5 Batch Processing 6 Special Editing Commands 6 Accounts Payable 6 Batch Processing 7 Integration of Purchasing and Manufacturing . . ? 7 Online Processing 7 Package Differences 8 Information Expert 8 Data Communication Interface 8 Cullinet General Ledger (GL) 9 10 4. CORPORATE DATA REQUIREMENTS Integration With IDMS Database and Tools . ? 10 Corporate Data Program Standards 13 INTERFACING WITH CULLINET'S GENERAL LEDGER 14 General 14 Accounts Payable with Cullinet's General Ledger 14 Purchasing with Cullinet's General Ledger . . . ? 14 No Contention Within IDMS 15 6. SECURITY 16 MSA Provided 16 Security for Purchasing 17 Security Problems Surfaced 17 Reporting Utilities Outside of MSA Control . ? 17 NSEG Evaluation Results 17 Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Unclassified 7. REQUIRED MODIFICATIONS OF THE MSA SYSTEMS 19 Required Modifications 19 Audit Trails 19 New Signon Procedure 19 Security for Batch Jobs 19 IE Batch Job Verification 20 MSA Accessing IDMS Resources 20 Broad Subschema Access . . . ? ? 20 Local Print Options 20 JCLBUILD 20 Multiple Buying Entities 21 Requesting Stock Material Through Purchasing 21 Adding New Elements 21 New Reports 22 Summary 22 8. OTHER 23 Loading from CONIF and ICS 23 UPDT84 23 How to Modify the Menus 23 Understanding DCI 24 Copybooks 24 3270 Terminals 24 ADESSE Emulation Code 25 VSAM Files 25 9. ON THE HORIZON 26 New Versions of the Sofware 26 Financial Controller 26 Budget Control 27 10. MSA SERVICES 28 Hot Line 28 Custom Code 28 On Site Support 28 System Installation 29 11. SUMMARY 30 The Good News 30 The Bad News 30 12. RECOMMENDATIONS 32 Remain with MSA 32 Install New Versions of the Software in 2nd Quarter CY 87 32 Contract with TRW Through March 87 32 Schedule for IOC on October 1, 1988 32 Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Unclassified Appendix 0E2 A. SPACE REQUIREMENTS 311 -iv- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part- Sanitized Copy Approved forRelease2013/10/24 : CIA-RDP90-00191R000100050024-2 (..") ?fti Unclassified Chapter 1 EXECUTIVE SUMMARY The following pages detail the results of a 'six month technical evaluation of three Management Science America (MSA) software packages; Purchasing, Manufacturing, and Accounts Payable (AP). Four staff and two contract employees comprised the technical team. The team began loading the software into an unclassified TRW computer system in early March 1986. Because of the late availability of Purchasing, this loading was not complete until the end of April. After loading and a cursory checkout by the technical team, the functional evaluation teams from Office of Logistics (OL) and Office of Finance (OF) began their portion of the evaluation. The several chapters and appendices of this paper cover aspects of the MSA packages as well as how the software utilizes the Integrated Database Management System (IDMS). The results found in the paper include: 1. The technical evaluation found no reason for the software not to be used if found functionally acceptable by OL and OF. 2. IDMS reporting functions (e.g., Culprit and OLQ) are easily accessible from the MSA system. Data can be easily passed from MSA's Accounts Payable to Cullinet's General Ledger (GL). This is a requirement from the Budget and Accounting Resources System (BARS) project. The coding of one relatively small program will be required to allow data from the MSA Purchasing system to do the same. In both cases, GL will not require modification. 4. The MSA software was originally designed for Virtual Storage Access Method (VSAM) files and then converted to run on IDMS. The file design does not take full advantage of IDMS data storage capabilities and is not as efficient as it might have been if created specifically for IDMS. 5. The cost of modifications required to meet OL and OF requirements stated thus far is estimated by MSA to -1- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part- Sanitized Copy Approved forRelease2013/10/24 : CIA-RDP90-00191R000100050024-2 tkod Unclassified be $249,000. However, other required modifications are expected as OL and OF continue their detailed evaluation of MSA features. . The next versions of the MSA packages, which are required to meet OL and OF requirements, will be available by April 1987. 7. Modifications to the MSA packages will be required to enhance security and to take advantage of the CIA computer system. These security and operational issues must be further evaluated by the Network Systems Engineering Group (NSEG) OIT before estimates could be available. NSEG has composed a comprehensive list for MSA. A response is expected by late September. MSA has agreed in writing that they will give technical guidance concerning any required changes and will review our planned implementation. -2- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part- Sanitized Copy Approved forRelease2013/10/24 : CIA-RDP90-00191R000100050024-2 c,) Unclassified Chapter 2 INTRODUCTION A brief review of the Table of Contents will show you that there are chapters on: THE PACKAGES gives a brief overview of each of the software packages including items of interest on each. CORPORATE DATA REQUIREMENTS answers the questions posed at the beginning of the evaluation as to how well MSA's software would fit into an IDMS environment. INTERFACING WITH CULLINET'S GENERAL LEDGER answers the question about how MSA financial packages can be integrated with Cullinet's General Ledger (GL). SECURITY covers the security features provided by MSA and the "holes" found during the evaluation. REQUIRED MODIFICATIONS OF THE MSA SYSTEMS gives a review of the required changes anticipated for the packages, and cost estimates when available. OTHER contains those topics that did not neatly fit in one of the other chapters. ON THE HORIZON reviews the new products to be available in the near term from MSA. MSA SERVICES gives an overview of MSA services provided along with their software. SUMMARY. RECOMMENDATIONS. -3- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part- Sanitized Copy Approved forRelease2013/10/24 : CIA-RDP90-00191R000100050024-2 Unclassified Chapter 3 THE PACKAGES 3.1 MANUFACTURING The Manufacturing System is the largest of the packages with some 400 thousand lines of code, 350 menus, 200 programs, 36 files, and 120 reports. The majority of the data input and update is done online and directly into the data files. The Manufacturing System is made up of five subsystems; General Systems (GS), Advanced Inventory Management (AIM), Manufacturing Standards (MS), Inventory Control (IC), and Material Requirements Planning (MRP). Six other subsystems are available but were not purchased for this evaluation. .General Systems is the systems administrator for the manufacturing applications. It sets the functions and values needed to operate the modules within manufacturing. Manufacturing Standards uniquely identifies each item in inventory and defines the materials or items that make up each item. It also identifies the steps and the amount of time it takes to manufacture an item. Inventory Control keeps an accurate balance on hand for each item in stock and the location of each item. It also has the ability to create customer orders for items that are to be distributed and to create purchase orders for items that are to be replenished. Purchase order creation is very limited compared to options available in the Purchasing system. Material Requirement Planning (MRP) identifies the materials that are required in order to manufacture an item and projects future planned demands. MRP can prepare requisitions to send to Purchasing for the replenishment of stocked items. Advanced Inventory Management (AIM) keeps track of the warehouse location of each individual item and establishes the most efficient way to process a customer order. -4- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part- Sanitized Copy Approved forRelease2013/10/24 : CIA-RDP90-00191R000100050024-2 U ?41 Unclassified 3.1.1 Batch Processing Batch processing is begun with the execution of a program called JCLBUILD. This would be executed during the evening shift as no users may be connected during this processing. Depending on the transactions entered on the Manufacturing menus during the day, JCLBUILD will create from two to six jobs. Each of these jobs must be run, in order, to accomplish the batch functions required. The functions include updating the manufacturing databases, producing reports that the users have requested, and interfacing with the Purchasing databases. Getting JCLBUILD to run was an extremely difficult task during the evaluation. Before being used in a production environment, we will seek a more structured mode of operation. This would better allow for those backup and recovery procedures that are required for all jobs of this type. 3.1.2 Easy Screen Manufacturing is the only system to use "Easy Screen" for the creation of its menus. Menus for all systems are created by passing data cards to the Data Communications Interface (DCI) program. Easy Screen simply allows for an easier method of building these data cards. We were able to create and utilize new menus using Easy Screen. 3.2 PURCHASING Purchasing is almost as large as Manufacturing with 370 thousand lines of code, 140 menus, 286 programs, 19 files, and over 30 reports. The majority of the data input and update is done online and directly into the data files. The Purchasing system has been by far the most unstable package. Software problems have occurred on a regular basis throughout the evaluation. MSA has been responsive to fixing the software, but this level of problems should never have occurred. A tape of program fixes and a MSA technician to load them are expected in mid-September. Purchasing has three unique features; it uses the Information Expert (IE) reporting capability to create its reports, it has the ability to set security parameters via menus, and it can change menu literals (fixed characters) -5- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part- Sanitized Copy Approved forRelease2013/10/24 : CIA-RDP90-00191R000100050024-2 Unclassified online. In future versions of the other systems, these same features will be available. 3.2.1 Batch Processing All print jobs use MSA's Information Expert (IE) Reporting and Retrieval (R&R) capability to retrieve information from the Purchasing database and to print reports. Before batch jobs can be run, the audit trail data collected from the on-line processing cycle is copied to an extract file and the audit trail activity reports created. 3.2.2 Special Editing Commands The Purchasing System has several editing commands that are used for processing information on a purchasing screen. Three in particular can be used to save the user time and effort when keying data in; the Save, Show, and Copy commands. The Save command will temporarily store new data keyed in from any screen that has the option available. This will allow the user the opportunity to switch from one screen to another and later redisplay his saved screen(s) with the Show command. A list of the saved screens can be viewed so the user can delete the saved screens or obtain page numbers without having to 'Show' them. The Copy command can be used to avoid re-entering duplicate information for the same screen. The user would develop a screen model of the standard information once, store it, retrieve and copy it to a blank screen, and then enter any remaining information that is unique for the current screen. 3.3 ACCOUNTS PAYABLE Accounts Payable (AP) is the smallest of the three systems with 83 thousand lines of code, 48 menus, 99 programs, 9 files, and 88 reports. The majority of the data input and update is done by creating transaction files, and the data files are updated in batch. Because the required version, 5.0, was not available in time for the evaluation, version 4.2 was used. Though these two versions are significantly different, it was very useful to evaluate 4.2. Enough was learned to quantify an AP to Cullinet GL interface (documented elsewhere). AP version -6- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part- Sanitized Copy Approved forRelease2013/10/24 : CIA-RDP90-00191R000100050024-2 Q,) Unclassified 4.2 is not linked in any way with Manufacturing or Purchasing. AP 5.0 is integrated with Manufacturing 6.4 and Purchasing 2.0 which are the releases expected early next year. 3.3.1 Batch Processing The Accounts Payable system is a batch system with few online capabilities. Only the Vendor file may be updated online. Batch transactions are created online for the following: 1. Policy 2. Invoices 3. Payments 4. Reports. The transactions are processed through batch jobs. Each of the following groups of jobs is a processing cycle. 1. Daily batch cycle 2. Period end processing 3. Month end processing 4. General Ledger extract 5. Year end processing There are also several stand-alone jobs which print reports or do backup and restore procedures. 3.4 INTEGRATION OF PURCHASING AND MANUFACTURING The Manufacturing and Purchasing systems are said to be "integrated". This means that from certain menus of either system, data files of the other system may be queried or updated. In some cases, the update is done online and others in batch. 3.5 ONLINE PROCESSING The packages function online in much the same manner. The first menu presented asks which of the three systems the user wishes to use. After being accepted to that system, the user is led from menu to menu to complete the required processing. The user may request reports, perform online queries, or input and update data. In those cases where more than one menu is required for input, the second or third menu is presented automatically. With instruction and a definition of how OL and OF wish to utilize the system, a user could rapidly learn their way through the menus. -7- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part- Sanitized Copy Approved forRelease2013/10/24 : CIA-RDP90-00191R000100050024-2 tft,) ?1/4001 Unclassified 3.6 PACKAGE DIFFERENCES Although all are from the same vendor, the packages have many differences, and it is evident that the systems were written independently. The documentation manuals are laid out differently and the use of system supporting files varies. The impact is that understanding how one system functions does not necessarily tell you how another system does. MSA states that the evolution of the systems in succeeding new versions will bring them closer together. 3.7 INFORMATION EXPERT The Purchasing System is presently the only system to utilize the "Expert Reporting" feature of what MSA calls their "Information Expert (IE) Environment". It allows a user to walk through 10 menus prompting for requirements for a report. These responses are stored and the user can run the report request in a batch mode. The resulting report is stored in a data file and available for display on the screen or printing. The next version of all three packages will utilize IE. 3.8 DATA COMMUNICATION INTERFACE The Data Communication Interface (DCI) allows each of the MSA systems to communicate with the terminals. It places the requested menu on the screen and executes the appropriate program. Menus that have to be executed in a predetermined order are "chained" together. Thus, when processing for one is complete, the next is automatically shown. For any given menu, up to five programs are available for execution. DCI will execute the programs in their proper sequence. DCI also provides the security aspects of the software. It allows users to utilize permitted menus and to see/not see selected data. For Manufacturing and AP, this is accomplished by creating data cards. Purchasing uses online screens for setting up security. DCI provides security by both user and terminal. Terminals are designated to be operated by specific operators. Thus, every operator must have a data card showing the terminals he/she might use. This would not be appropriate in our environment. We were able to install a fix provided by MSA so that these data cards would not be required. -8- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part- Sanitized Copy Approved forRelease2013/10/24 : CIA-RDP90-00191R000100050024-2 La, Unclassified We have begun negotiating with MSA to have the DCI source code available for our review. 3.9 CULLINET GENERAL LEDGER (GL) Cullinet's GL package was installed midway through the evaluation. No evaluation was performed as GL is under the purview of the BARS project. GL was only in place so that an AP-to-GL interface could be evaluated and a review of the data element naming convention could be accomplished. -9- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part- Sanitized Copy Approved forRelease2013/10/24 : CIA-RDP90-00191R000100050024-2 L) Unclassified Chapter 4 CORPORATE DATA REQUIREMENTS Because the MSA software will be part of the Corporate Data environment, the MSA software will be subject to Corporate Data policies. The areas of concern are: integration with other Corporate systems, integration with IDMS, and adherence to Corporate Data's established IDMS standards. 4.1 INTEGRATION WITH IDMS DATABASE AND TOOLS There are six IDMS tests against which the MSA software was evaluated. The tests and the evaluations are listed below. Test 1 - Utilization of the Integrated Data Dictionary (IDD). MSA must use normal features of IDD to store all application data. The packages, being designed to operate in other than an IDMS environment, do not make full use of the options provided within IDMS. However, the usual configuration management (CM) techniques will be put into place to provide the required support. MSA populates the IDMS dictionary with the data descriptions and all data elements are defined in the IDD. MSA's data editing, which is more complex than the IDD provides for, e.g., patterns, is done through its own software rather than the IDD. MSA uses "copybooks" for storing its schemas rather than taking the version from the IDD. The IE dictionary also has a copy of the schema. Should a change be required to a record format or schema, the appropriate copybook and IE dictionary will also require updating. Information about programs is captured automatically and placed into the dictionary directory by the IDMS DML compiler. MSA's COBOL programs are not compiled through the DML compiler because MSA gets its structures from copybooks -10- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part- Sanitized Copy Approved forRelease2013/10/24 : CIA-RDP90-00191R000100050024-2 Unclassified rather than the IDD. Therefore, some of IDMS's self documenting/reporting features cannot be fully exploited. For example, we cannot get data element-to-program cross reference reports from the IDD. The SCAN function available on VM will perform a similar function for MSA programs and copybooks. Test 2 - Integration with ADS. See if MSA software can call and be called by ADS. Application Development System (ADS) encompasses two Cullinet products which simplify application development. ADS/Batch is for the development of batch programs. ADS/Online (ADS/0) is for development and execution of online applications. ADS/0 uses the Online Mapping (OLM) facility which helps the developer to design screens for the terminal. Per discussions with technical Cullinet representatives, we have learned that we can access ADS/0 dialogues (programs) from an MSA COBOL program. However, it is a difficult and complicated process. Having ADS/0 call a COBOL program is technically easier. ADS/0 customized screens could not be added within an MSA application. However, they could be accessed by going into the IDMS mode from MSA. This would be simple enough to do, but might break the flow of the processing. The real thrust of this question was to see if ADS/0 could be used to build new menus, if required, for the MSA systems. Though it would be simple enough to leave MSA control and use menus created with ADS/0 and then return to MSA control, we recommend simply creating new menus with the many COBOL and DCI "tools" provided by MSA. We were able to create new menus and to blend them into the MSA flow of control using these MSA tools. Test 3 - Utilization of OLQ. See if MSA data is accessible by OLQ from within the MSA application. Online Query (OLQ) is Cullinet's inquiry/response system which provides access to databases operating under IDMS. OLQ has been tested using MSA data. In fact, it has been very useful for answering user questions during the evaluation. We have queried the data -11- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part- Sanitized Copy Approved forRelease2013/10/24 : CIA-RDP90-00191R000100050024-2 1/4.ti Unclassified using selection criteria and have written "canned" queries. Currently, we do not believe that OLQ can be called from within an MSA application nor do we see a reason to do so. MSA provides a large number of inquiry screens. If another query is required, it is simple enough to leave an MSA menu, enter the OLQ task through IDMS, and then return. To leave MSA, the user simply presses the "clear" function key, and returns by typing MSAS. Test 4 - Integration with Culprit. User should be able to execute Culprit reports while in the middle of an MSA application. Culprit is an information. retrieval tool that generates user-designed reports . from IDMS databases and conventional files. We were able to execute Culprit reports against the MSA databases. Here, as with OLQ, it MSA control, generate a The MSA systems provide is simple enough to leave report, and return to MSA. many reports. Test 5 - IDMS Schema Analysis. Review schema to show efficiency of organization, reasons for data redundancy, and logical data access methods. We have reviewed the MSA schemas applications. Although they inefficiencies in their designs, schemas are acceptable and for the three have some we feel the will perform sufficiently. The inefficiencies are caused primarily because the schemas were converted from the original VSAM structures. We estimate less than 5% data duplication and this largely due to the fact that the VSAM keys remain in the structures. Test 6 - IDMS Version 10. MSA software IDMS release 10, using IDMS/DC. During the TRW evaluation, we (Universal Communications Facility) as the teleprocessing monitor. version was run for a short test ability to do so. -12- must run under used IDMS/UCF utilizing TSO The IDMS/DC to ensure the Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Unclassified 4.2 CORPORATE DATA PROGRAM STANDARDS The Corporate Data Program (CDP) has standards, procedures, and guidelines to be followed for systems using IDMS. MSA does not follow the standards in the following areas: 1. Naming conventions of the data elements and IDMS system components. 2. Screen design standards. 3. COBOL programming standards. We have asked for and received exemption from CDP for the above infractions. With the quality of the MSA code, the use of copybooks, and MSA's own standard procedures, the waiver of CDP standards will have no detrimental impact. -13- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Cr) Unclassified Chapter 5 INTERFACING WITH CULLINET'S GENERAL LEDGER 5.1 GENERAL One of the important reasons for this evaluation was to see how difficult and expensive it would be to integrate the financial packages from MSA with Cullinet's GL. Having Integrated them, if possible, what would be the cost of future maintenance? 5.2 ACCOUNTS PAYABLE WITH CULLINET'S GENERAL LEDGER AP was chosen as the "guinea pig" for the evaluation. After a review of GL and AP, we see the integration as being almost trivial and at no extra cost to the government. AP creates a data file (GLEXT) suitable for input to Cullinet's General Ledger (GL). The GL will accept that data set with no modifications required for GL. Cullinet will therefore update its files with AP data the exact same way it does with its own input. 5.3 PURCHASING WITH CULLINET'S GENERAL LEDGER After looking at the integration between GL and AP, we reviewed Purchasing. Purchasing has a program that reads a dataset extracting records that are ready to have their Purchase Orders (PO) printed. These are the same records that are ready to have their obligation values passed to GL. Either this program could be modified to create a GL dataset or another could be written. Again, GL would require no modification. -111- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Unclassified 5.4 NO CONTENTION WITHIN IDMS We successfully added a secondary dictionary to the IDMS system for Cullinet's GL system. We experienced no contention between the two vendors packages executing under one Central Version of IDMS. There was also no duplication of file names or data element names. -15- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 C4=2) Unclassified Chapter 6 SECURITY Security is divided here into two sections; that provided by MSA and the problems surfaced during the evaluation. 6.1 MSA PROVIDED MSA provides the following levels of security: 1. Userid and password. Each user wishing access to any of the systems must first be admitted to the MSA "system". Here, a userid and password are requested and verified. Having passed this test, a menu is presented giving a choice of each of the available systems. 2. Each system. Users may be given access to a system while being denied access to others. Upon trying to gain access to a system, the software checks for its availability to the user. 3. Menus. Each of the menus may be permitted or not permitted for each user. 4. Within Purchasing menus. Extra security may be designated for specific values in the buying entity, paying entity, nd catalog identifiers. For all menus where these data elements appear, security may be designated for their viewing or updating. 5. Within AP menus. Extra security may be designated for specific values of the paying entity. For all menus where paying entity appears, security may be designated for its viewing or updating. 6. Within Manufacturing, there is no security provided below the menu level. -16- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Q Unclassified 6.1.1 Security for Purchasing The Purchasing system uses menus rather then data cards to designate security restrictions. These menus are used to complete the operator definition which will establish any additional options and controls. 6.2 SECURITY PROBLEMS SURFACED 6.2.1 Reporting Utilities Outside of MSA Control The security that MSA provides is primarily for the online menus. Outside of this menu control, the data may be viewed by other products but not updated. For example, Cullinet's OLQ and Culprit and MSA's IE may all be used to view data that may have been marked "off limits" by MSA online security. The protection against this will be to limit the use.of these functions to only those that have a requirement to view all of the data at any time. During a more thorough review of this problem, other solutions will be sought. 6.2.2 NSEG Evaluation Results The Network Systems Engineering Group (NSEG), OIT, was requested by the CLAS technical team to review the MSA packages for suitability in the Agency computer environment. Following is NSEG's list of concerns in priority order. 1. There is a lack of audit trails generated by the software. 2. The MSA applications require a separate MSA operator ID and SIGNON as distinct from the VM and IDMS user authentication process. Software will be required to link the VM and the MSA userids together. 3. There are no provisions within the MSA software to provide security for batch jobs. The security features provided for in the online system are not available in the batch mode. L. The Information Expert (IE) component has job submission capability that must be integrated into our systems in a secure manner. 5. MSA software may bypass IDMS controls. Some MSA components, for example, issue their own OPENs to data files rather than using IDMS to control access to the data. -17- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Unclassified 6. There are a number of exposures related to the fact that data to be accessed via MSA applications systems is defined with very broad subschemas. These grant read/write access to all data in all systems against which any given transaction runs. These views are then narrowed by the MSA online software. This is a problem because: a. Any user of the MSA software could use non-MSA software (e.g. CULPRIT or any other reporting package) to circumvent the checking performed by the MSA packages and gain access to more data than they are allowed to through the MSA software. b. The IDMS subschemas (views) defined by MSA allow read-write access to all data, including the MSA security rules. This problem is aggravated by the fact that all users must be given access to the security rules in order to sign on to the MSA applications. 7. Interfaces would have to be developed between the MSA software and the Agency's print network to allow for output classification and routing. This is not a security issue, but rather an important convenience for the user. -18- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part - Sanitized Copy ApIproved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Unclassified Chapter 7 REQUIRED MODIFICATIONS OF THE MSA SYSTEMS 7.1 REQUIRED MODIFICATIONS The required modifications shown here do not make an exhaustive list. Only with further experience with the packages will OF and OL complete their list. The first seven of these are requested by NSEG, the eighth by the technical team, and the remainder by the functional teams. 7.1.1 Audit Trails NSEG requires that an audit trail be made available so that all inner workings of the packages may be monitored. This includes "who updated what and when", and recording who received or was denied access to the system or its components. 7.1.2 New Signon Procedure Software must be added so that upon entering MSA, is not required and the appropriate MSA id assigned for the users VM userid. If not found will not gain access to MSA. As part of this, requested that the MSA userid be changed from eight alpha characters. a password number is , the user it will be numeric to 7.1.3 Security for Batch Jobs MSA provides online security for data viewing and updating, but this is not carried forth to the batch environment. Either this security must be added or the user must declare that it is not required. -19- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Unclassified 7.1.4 IE Batch Job Verification In order to provide security for batch jobs entering the system, the IE software must be changed so that it can be assured that the userid used by the system for validation is the same as the VM signon userid. 7.1.5 MSA Accessing IDMS Resources All locations where MSA software accesses IDMS resources by bypassing IDMS controls must be determined. The impact of each must then be evaluated and modified if required. 7.1.6 Broad Subschema Access Because MSA has chosen to give broad access to its data and then limit this access within its own programs, the security is not provided when other programs are executed against the same data. Either this security must be added within IDMS for the data or the user must declare that it is not required. The MSA security rules are vulnerable to tampering because of this broad access. A technique must be prepared to protect them. 7.1.7 Local Print Options Modifications are required so that MSA software may utilize the many print facilities here at the Agency. 7.1.8 JCLBUILD The flexibility provided in JCLBUILD appears to be more of a drawback then a feature. When production jobs are provided they should be more structured then free-flowing. Effort will be required to look into how JCLBUILD can be made to be more structured. This will include ensuring database integrity for the VSAM files as discussed in section 8.7. We estimate six man months of staff effort. -20- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 (?) Unclassified 7.1.9 Multiple Buying Entities The system interface between Manufacturing and Purchasing only allows for one Buying Entity (BE) to be identified and used when entering a requisition in the Manufacturing system to be passed to Purchasing. OL requires the ability to specify multiple BEs on the Manufacturing requisition. The system interface also limits the BE for a requisition entered in Purchasing to the single entity specified in Manufacturing when the items are to be passed back to Manufacturing. Here again, OL requires these be multiple BEs. MSA responded to this requirement with an estimate of $45,000. 7.1.10 Requesting Stock Material Through Purchasing OL would like to control all material/service requests through the Purchasing system. The system provides for entering a customer order through the Manufacturing system and processing that order. OL would like to acknowledge the requisition within Purchasing and, for "stock" items, pass the information to Manufacturing automatically for processing through a "customer" type order. Once the order has been shipped, the system should pass the proper Information back to Purchasing in order to "close out" the originating purchase order/requisition. MSA responded to this requirement with an estimate of $60,000. 7.1.11 Adding New Elements Each of the three systems will require the addition of several new data elements. New menus for their input and update will be required. It is predicted that three new screens will be required for new data elements for each of the three systems. MSA responded to this requirement with an estimate of $15,500 per screen. More than one screen would not necessarily mean a multiple of that amount however. This estimate includes functional specifications, development, updating IDMS subschemas, and updating the IE dictionary. MSA also responded with estimates on adding fields to an existing menu, $3,000, and increasing the length of a "key" field on an existing menu, $1,500. These prices could vary depending on the menu and the "key" field. -21- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part- Sanitized Copy Approved forRelease2013/10/24 : CIA-RDP90-00191R000100050024-2 Unclassified 7.1.12 New Reports Each of the three systems will require new reports. Their format and complexity is unknown. 7.2 SUMMARY Requirement Cost Audit Trails New Signon Procedure Security for Batch Jobs IE Batch Job Verification Bypassing of IDMS controls Enhancing security in IDMS Local Print Option JCLBUILD ** Multiple Buying Entities $45,000 Requesting Stock Through Purchasing $60,000 New Menus $144,000 (This assumes 3 new menus, 1 modified menu, and 1 lengthened key for each system) Reports * * * Total of known costs $249,000 * Awaiting Estimates ** Would be done by staff. *** Requirements unknown at this time. -22- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Unclassified Chapter 8 OTHER 8.1 LOADING FROM CONIF AND ICS The packages also allow for batch updating as well as online. This will be very handy when we move data from CONIF and ICS to the MSA files. Transactions can be created with the data that is stored in these databases and processed by the MSA software as if it had been entered through the menus. 8.2 UPDT84 MSA provides a utility called UPDT84, to assist with keeping MSA software up to date. UPDT84 is used in the batch environment where parameter cards are passed telling it whether this is a deletion, insertion, or a change of source code. COBOL, ASSEMBLER, or copybooks may be updated in this manner. 8.3 HOW TO MODIFY THE MENUS Menu literals are relatively easy to modify. However, a good working knowledge of how MSA utilizes the SYSTEM files and the programs used by each of the systems will be required before logic changes can be made. A menu may execute up to 5 programs during its life cycle. Each system has its own set of modules. Manufacturing uses six programs to process all of its menus while Purchasing has a different program for each menu. -23- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Unclassified 8.4 UNDERSTANDING DCI The DCI Programmers Manual has several very worthwhile sections. In particular, it has sections on the COBOL functions available for programming those modules to be executed by the DCI during screen processing. With a good understanding of COBOL and the use of the functions provided, new menus should be relatively easy to create. However, a good working knowledge of how MSA utilizes the DCI system files and the programs used by each of the systems, will be required before building menus or modifying them. When modifying or building a new menu for any of the packages, you are also building or modifying a screen control card to be used by DCI. That is why it is essential to know how the DCI processes a menu as well as understanding the programs that execute the menus for each package. 8.5 COPYBOOKS MSA uses "copybooks" in the majority of their COBOL programs. Program code that is common to more than one program is kept as a separate member in the source library. These include subschema descriptions, working storage records, linkage sections, and common processing statements like error procedures. The using program has a COPY statement where the common code should be inserted. The code is copied into the program when it is compiled. This cuts down on the size of the source code per program and if changes of code located in a copybook is required, the change is made in only one place. 8.6 3270 TERMINALS The 3270 terminal, replacement for the Delta Data, is fully compatible with the MSA packages. MSA software utilizes the color features of the terminal to show various features in different colors e.g. input errors are flagged in red, menu literals in green, and input fields in white. Declassified in in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Unclassified 8.7 ADESSE EMULATION CODE In order to use the Delta Data (DD) terminals with MSA software, the ADESSE 3270 emulator code must be used. This will make the DD appear to MSA software to be an IBM 3270 terminal. This code and the slow-speed, asynchronous teletype communications network may slow the applications. 8.8 VSAM FILES When MSA developed their IDMS versions of the Manufacturing and Purchasing systems, they chose to leave six files in VSAM format. These "native" VSAM files have been defined to IDMS and are under IDMS control. They can be accessed and updated using IDMS programs and IDMS tools. The majority of IDMS utilities cannot be run against VSAM files. However, there is always an equivalent IBM utility which can be used. The native VSAM file can also be processed outside of IDMS control as is done in JCLBUILD. When this is done, the user must create his own backup because IDMS journals will not capture changes made outside of IDMS. There will be only three such files remaining after the new versions of the software are loaded. -25- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Unclassified Chapter 9 ON THE HORIZON 9.1 NEW VERSIONS OF THE SOFWARE During the first quarter of CY 87, MSA plans to release new versions of each of the packages evaluated. The added functionality will be documented by the functional teams. We are aware of no technical impacts from these new releases except for having to load them and evaluate their performance. This should be much easier this time because of the experience we have gained during these last six months. Known differences include: 1. Each of the packages will be "integrated" - rather than only Purchasing and Manufacturing. 2. AP version 5.0 will have more online functions rather than being primarily batch. 3. Manufacturing and AP will use IE for reporting. 9.2 FINANCIAL CONTROLLER By April 87, MSA is planning to present its Financial Controller (FC) software. FC is to be a single point of interface for each of MSA's financial packages including AP, Purchasing, GL, and Budget Control. Rather than each of these packages communicating with the other, they will communicate via the Financial Controller. It appears that FC would assist the packages in communicating even better with Cullinet's GL. -26- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Unclassified 9.3 BUDGET CONTROL Budget Control (BC), available from MSA by July 87, will provide functions thought to be in Cullinet's Funds Control. These include the ability to monitor expenditures, commitments, and obligations and to determine the status of funds for departments, projects, programs, and line items. These requirements, however, are under the purview of the BARS project and are mentioned here only for informational purposes. -27- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Unclassified Chapter 10 MSA SERVICES 10.1 HOT LINE The "hot line" was used primarily to report software problems. Responses were usually available within 24 hours. This is an extremely valuable service. I doubt very seriously if we could have loaded and made available the software without their assistance. The software would be almost worthless without this type of vendor support. However, MSA's IDMS support is limited. 10.2 CUSTOM CODE MSA has a staff located in Hamden, Connecticut available for customizing MSA systems to meet user requirements. We met with a representative, and his estimates on making CLAS software changes are found in this paper. 10.3 ON SITE SUPPORT Functional support is available on a part time basis. Each of the three "Account Managers" visited about once a month during the evaluation. The senior functional representative is presently visiting one day each week. Technical support is not available on site except for a very short duration. -28- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Unclassified 10.4 SYSTEM INSTALLATION MSA provides technicians for the original loading of the software. They loaded the tapes and went through a preset list of demonstration programs. As the technicians were loading, they were also throwing out helpful tidbits, fixing broken code, and pointing out critical aspects. This was all being done during shifts that went well into the night and early morning. It was several weeks "after the dust settled" before we completely figured out what all had happened. The technical team will be much better prepared when we load the new versions of the software. -29- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Unclassified 11.1 THE GOOD NEWS Chapter 11 SUMMARY In summary, the following points should be considered: 1. No technical "show stoppers" were found. However, there will be changes required in the system. Some for functional and others for technical and security reasons. 2. IDMS reporting functions, Culprit and OLQ, are easily accessible from the MSA software. 3. There was no conflict between Cullinet GL and MSA data element or file names. L. AP integrates easily with GL. No modifications to either are required. 5. The writing of a simple program will allow Purchasing to pass data to GL. 6. We have a much better understanding of the software and have found it to be modular and maintainable. A contract is possible with MSA to provide software modifications. 8. MSA support has been found to be acceptable. 11.2 THE BAD NEWS The following points need to also be considered: 1. It is difficult to get on site technical support for extended periods. 2. These are large intricate systems. OIT maintenance personnel will require vendor training and a lengthy read-in period. -30- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Unclassified 3. Security problems have been found and the entire impact is yet to be diagnosed. We will begin working on these with MSA and NSEG immediately. 4. Support for IDMS questions from the MSA hot line was limited. The number of people available for consultation on IDMS problems is quite small. 5. The Purchasing system had an inordinate number of problems. Hopefully, the software fixes expected in September will alleviate them. 6. File design is not optimal because of originally being created for VSAM files. -31- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Unclassified 12.1 REMAIN WITH MSA Chapter 12 RECOMMENDATIONS This new world of package software is by no means perfect. Our experience with MSA has been good and their product appears to be put together well and maintainable. However, problems with the Purchasing system remain. Other problems may well occur and we feel that MSA will support us in resolving them. There are several hurdles to overcome before going "production", but we feel it can be done. 12.2 INSTALL NEW VERSIONS OF THE SOFTWARE IN 2ND QUARTER CY 87 New versions of AP, Purchasing, and Manufacturing are to be released in the first quarter of CY 87. These versions are the ones OL plans to go into production with. 12.3 CONTRACT WITH TRW THROUGH MARCH 87 An extension of our contract for the TRW computer, space, and personnel is recommended. This is an excellent location for continued evaluation and the TRW personnel have been exceptional. As we move the software to HQ, it will be important to have this location for parallel running when problems at HQ appear. 12.4 SCHEDULE FOR IOC ON OCTOBER 1, 1988 With the acceptance of this evaluation and that of the functional teams, plans should be set in motion immediately for a planned Initial Operating Capability (IOC) at 1 October 1988. The personnel in place at this time should remain. Much has been learned, but there is much, much more to do; the software must be moved to HQ, new versions are to be installed, conversion of CONIF and ICS must be planned, requirements must be more thoroughly documented, and plans -32- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 V 0 Unclassified for the required software changes made. We have only scratched the surface! Momentum and institutional knowledge must not be lost! -33- Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 Declassified in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2 V Unclassified Appendix A SPACE REQUIREMENTS Cylinders Purchasing 302 Manufacturing 358 Integration (Mfr/Pur) 59 Accounts Payable 167 IE 118 DCI 111 Common Components (Misc. Files) 48 GDGs (130 files) 65 Total 1228 Declassified in in Part - Sanitized Copy Approved for Release 2013/10/24: CIA-RDP90-00191R000100050024-2