blog.fichtmueller.org
msa transceivers procurement
MSA-Compliance Is Not Vendor-Compatibility — Procurement Keeps Confusing the Two

MSA-Compliance Is Not Vendor-Compatibility — Procurement Keeps Confusing the Two

Rene Fichtmueller / 2026-05-18 / ~3 min read

The MSA — Multi-Source Agreement — is a document. It is a good document. It defines the mechanical envelope, the pinout, the power envelope, and the management interface for a class of optical modules. It is what makes a QSFP-DD from one vendor physically fit into the cage of another.

It does not make the two modules functionally identical. Procurement teams keep treating "MSA-compliant" as a synonym for "interoperable". That isn't what the MSA promises. The gap between the two is where every "vendor lock-in" complaint I've ever seen lives.

What the MSA actually covers

Three things, well-defined.

Mechanical and electrical envelope. Cage dimensions, lane count, signal pinout, supply voltage tolerance, total power class. If your module says QSFP-DD MSA, it will physically fit and the host will see it on the I²C management bus.

Management protocol baseline. The CMIS specification (running alongside SFF-8636 for older form factors) defines registers for module identity, status, and basic monitoring. A compliant module exposes vendor name, part number, temperature, optical power readings at known register offsets.

Functional class. A 400ZR module identifies as 400ZR, supports the OIF-defined modulation, and exposes the FEC class. A 400G-DR4 declares itself as such.

That's the floor. That is everything the MSA agrees to.

What the MSA explicitly does not cover

The list is longer than people think.

FEC interop above the floor. OIF 400ZR defines a single FEC mode and any compliant pair will negotiate. OIF 400ZR+ has variants, and not every vendor implements every variant. Two compliant 400ZR+ modules from different vendors might both pass standalone qualification and still fail to link with each other because they negotiated incompatible sub-modes.

DOM threshold semantics. The CMIS register tells you what the receive power is. It does not tell you what the vendor's warning and alarm thresholds are. One vendor's "yellow" can be another vendor's "green". The data is interoperable; the alarm policy is not.

Switch-side vendor qualification. The host switch checks the module's vendor name against a qualified-vendor list. If your switch firmware doesn't recognise the OUI, it can refuse to bring the port up — or it can bring the port up with a warning that triggers your monitoring system as a fault. That's not the module's failure. It's switch behaviour the MSA never touched.

Custom diagnostic extensions. Many vendors ship private MIB extensions for proactive diagnostics — fiber attenuation trends, polarisation state, span health. These live above CMIS, in vendor-specific register ranges. If you've built any operational tooling around those, you've built it around one vendor's API. The MSA didn't promise you portability.

Firmware update interface. Module firmware updates happen via a CMIS-compatible flow in theory. In practice, the binary, the verification, and the rollback semantics vary per vendor. A "firmware update" workflow from one vendor's documentation will not work on another vendor's modules.

Where the procurement story goes wrong

The conversation in the RFP usually sounds like this. Vendor sales says "our modules are MSA-compliant". Buyer hears "fully interoperable". Buyer's procurement contract treats them as substitutable line items. Six months later, the operations team has a switch logging vendor-mismatch warnings, a monitoring tool firing false alarms because the alarm thresholds shifted, and a firmware update workflow that didn't transfer.

None of that is the MSA being violated. All of it is procurement confusing two different things.

Three questions to ask before signing

If you treat MSA-compliance as the floor it actually is, the conversation gets healthier fast. Three questions, every time.

One — what is your qualified-vendor list? Both for the modules and for the host switches. If the host vendor's QVL doesn't include the module vendor, get that test result in writing before purchase, not after.

Two — what are your DOM threshold defaults, and can they be reconfigured? If a module ships with conservative defaults and your monitoring layer expects different thresholds, you either change one or live with false alarms.

Three — what does the firmware update flow look like, end to end? From binary delivery, to in-service update, to rollback, to verification. If the vendor can't walk you through it on the call, it isn't qualified.

What good vendor relationships look like

The vendors who handle this well don't argue about the MSA. They publish their interop test matrix, name the switch platforms they've validated against, list the DOM threshold options, and document the firmware flow honestly. The ones who say "we're MSA-compliant, what else do you need" are the ones whose modules end up generating support tickets two quarters in.

The MSA is the table stakes. The conversation that matters starts above it.

← Previous Rest Is Not Laziness Next → MCP Security: The Attack Surface Nobody Is Auditing
// support this blog
Enjoyed this post?
I write about networking, infrastructure & security in my spare time. If you found this useful, a coffee keeps the late-night writing sessions going.
Buy me a coffee
// projects & tools
Magatama
Unified Security Platform — 6 pillars covering AppSec, Cloud, AI, Pentest, Runtime & Compliance.
magatama.dev →
PeerCortex
Network Intelligence Platform — RPKI, ASPA, BGP Health Reports for 70,000+ networks.
peercortex.org →
GitHub
Open source — PeerCortex, PaperCortex, ShieldX, Transceiver DB & more.
github.com/renefichtmueller →
NOGnet
Global NOG Support Program — empowering Network Operator Groups worldwide.
nognet.net →
// about the author
Rene Fichtmueller
Social Networker
20+ years building and breaking networks. Optical transport, peering, data center infrastructure. Writing about the things that go wrong at 2AM — and how to prevent them.
LinkedIn Website