SAE EIA-649 CM Standard Rev C
The new Rev C update to 649 is here. Hats off to those who worked on the update. Rev C fixes many of the issues with 649, but not all of them. Let me explain. There are some fundamental flaws with 649 that are not the fault of those working on the update. Typically, implementing a standard is a fairly straightforward task. Surprisingly, that is not possible with 649.
What makes a standard so important is that it takes a subject matter and differentiates between what is required and what is optional or can be tailored. A standard, by definition, is intended to be a requirements/compliance document. A standard does this through the use of modal verbs, such as “must, shall, may.” If a statement says “Must,” it is a mandatory and auditable requirement, and recognized by the US Supreme Court as such. The term “May” grants permission, but is not a requirement. I have helped author, and worked with, CM Standards for over three decades. 649 is the first CM Standard, or any standard I am aware of, with so few “Must” and “Shall” statements that you can count them on one hand.
This is not good because it marginalized CM, albeit unintentionally. When the authors working on commercial initiatives such as ITIL, or methodologies like Agile and Scrum, with no hands-on CM experience, look at 649, a CM standard with no firm requirements, they feel empowered to remove CM from the playing field. Then they make bad decisions, like giving change authority to other functions that don't know CM and don't understand how to do it right in a Service environment. This is exactly what has happened to CM with ITIL. And this has caused a lot of confusion.
Instead of using shall statements, 649 is written around CM Principles, the first of which comes from my seminars over twenty years ago. I still have the “transparency” to prove it! These principles are called “statements of fact” in the standard. However, facts are debatable. In court, legal teams for both the plaintiff and defendant use the same set of facts to try to sway the jury to reach opposing verdicts. To avoid this debate, subject matter standards are written as requirements documents, with modal verbs. 649 is not a requirements document, as it clearly states. 649 is divided into “informative” (nice to know) and “normative” sections (required to claim conformance with the standard). But without shall statements, 649 becomes a guide, not a standard. This makes 649 implementation very subjective, and no longer a legally binding “standard framework” for implementing CM. This opens the door for too much tailoring, which then compromises good CM practices. When that happens, you can end up with a situation where you are delivering production equipment before you have set your baselines or conducted Configuration Audits.
To address the requirements issue, accompanying standards, 649-1 and 649-2, for the US Military and NASA respectively, have been released. And these do contain shall statements. However, it would take about 20 more CM requirement standards to cover the most common CM industries. So this decision to create a CM Standard without CM requirements might not have been such a good idea. Industries like Rail, IT, Medical, Energy, etc. do not have a companion requirements standard, so they still have an issue with how to implement 649. And even 649-1 and 649-2 do not address all the CM requirements for those in Military and NASA doing oversight and quality assurance of contractor CM implementation, let alone their own Customer CM programs.
There is another issue with implementing 649. Whole new industries have arrived since the first draft of this standard. This is a twenty-year-old standard. Few people know that work began on 649 way back in 1995. Even with the new update, and good fixes, it has fallen behind. We have new challenges for which CM practitioners need direction from a standard. For example, some commercial companies installing and maintaining Networks for the Military are unfamiliar with how CIs are used In-Service. Consequently, they either have no CIs, or far too many. And CM has really grown over the past few decades. CM is no longer comprised of only five functions. Key CM issues, like how to differentiate between Engineering CM and Service CM, Software CM and IT Network CM, Model Based System Engineering, Agile, Scrum, SecCM, RMF and NIST, Virtualization and VMM CM, are all important new CM challenges, but missing from 649.
The bottom line is, the new revision of 649 has just arrived, and it is already in need of an update. The publisher plans updates every five years. I think that is too far apart. I think I just heard a collective groan from the G-33 committee members who are clearly looking forward to a break.
649-1 CM Requirements for Defense Contracts
SAE EIA-649-1, Configuration Management Requirements For Defense Contracts, defines requirements for a defense enterprise implementation of the ANSI/EIA-649 Configuration Management Standard in an Acquirer/Supplier contractual relationship. 649 is a non-government standard void of mandatory shall statements, which are the basis of any contracted CM Program. That is why 649-1 is so important. It fills the gaps between CM Functions to Principles in 649-B and contract tailored CM requirements and implementation tasks.
The release of 649-1 brings both good and bad news. We now have a set of CM requirements that can be contractually imposed on defense suppliers. But that requires completion of the 649-1 ANNEX A Tailoring Worksheet, a daunting task for even an experienced CM SME. All those CM requirements must be tailored by the Acquirer. And the Supplier must respond to those contract obligations with a compliant Configuration Management Plan and implementation tasks. In addition, commercial enterprises, or those not in an Acquirer/Supplier role, are still without any guidance on how they can get actionable requirements and CM tasks out of 649, since 649-1 is for defense.
SAE EIA-649-2 Configuration Management Requirements For NASA
NASA has replaced their CM standard with SAE EIA-649B. 649 organizes CM around five CM functions and 37 CM principles, but in a slightly different manner than traditional CM which formed the basis of Std-0005. Consequently, a new CM product, EIA 649-2 Configuration Management Requirements For NASA, restructures NASA CM around the 649 framework, yet addresses their unique environment. NASA knows CM, and they do a very good job at implementing CM. Everyone should have a read through 649-2. I prefer the content of 649-2 over 649-1. However, I think the tailoring Annex A found in the -1 would be a great addition to NASA's -2.
GEIA-HB-649 Configuration Management Handbook
In the past, there were two CM Handbooks, MIL-HDBK-61A and GEIA-HB-649. One was more in line with the old traditional way of doing CM, and one followed 649. This new handbook harmonizes and consolidates the content of both books into a single handbook and new companion for SAE EIA-649. This is a great CM resource. Well done, very comprehensive, with lots of good CM information. Props to those who worked so hard on putting this together. I highly recommend you pick up a copy, and start indexing topics of interest.
The Problem With Configuration Management Standards Today
As stated, 649 is not a CM requirements standard. 649-1 and 649-2 are intended to fill the role of requirements standards, but they are based on the limitations of 649, and incorrectly use the word "shall" instead of "must." Consequently, a comprehensive, up-to-date requirements standard for Configuration Management does not exist today. The reason for this is that with the end of the non-profit EIA organization some time ago, and the closure of the defense standards office, the stewardship role of CM and many other standards was placed into the hands of publishing/marketing companies and for-profit enterprises. This creates a vast breeding ground for conflict of interest, by those running the committees developing and revising the standards, and those seeking to benefit from their role in the process. Government, military, and industry organizations then adopt and impose these standards, based on copyrighted principles, effectively shirking their responsibility over these key subject matters, and granting ownership and control to profit-driven publishers and marketeers.
The following is a short list of a few of the key systemic problems associated with the process in which CM and other standards are currently developed:
- Standards should be available to everyone free of charge.
- It is ill-advised to place the control of our standards in the hands of profit-driven publishers and marketeers.
- Standards are best developed by experts with real experience.
- Standards should be developed in an international forum.
- Copyrighted principles in standards used by defense are just wrong.
- Currently there is rampant conflict of interest in who develops standards and how they are developed.
- A five-year standard review cycle is not responsive to change, and the review takes too long; the revision is out of date upon release.
- “Must” is the only word that imposes a legal obligation; the U.S. Supreme Court has ruled “shall” is not a legal obligation.
I am hopeful that all these issues can and will be addressed and fixed in the near future.