Open Trusted Technology Provider Standard

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Danreddy (talk | contribs) at 01:25, 25 January 2016 (Measurement and Accreditation). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.
  • Comment: All inline links must be removed, please, and turned into references if appropriate, Wikilinks, or external links in a section so named. See Wikipedia:External links Fiddle Faddle 15:00, 11 May 2015 (UTC)
  • Comment: In addition, this article does not have an NPOV, and has several formatting issues. Onel5969 (talk) 15:48, 5 March 2015 (UTC)

Open Trusted Technology Provider™ Standard (O-TTPS) (Mitigating Maliciously Tainted and Counterfeit Products) is a standard of The Open Group that has also been approved for publication as a standard of the International Organization for Standardization and the International Electrotechnical Commission through ISO/IEC JTC 1, and is now also known as ISO/IEC 20243.[1] It consists of a set of guidelines, requirements, and recommendations that align with best practices for the security of the global supply chain and the integrity of commercial off-the-shelf (COTS) information and communication technology (ICT) products. The standard was built by technology industry and consumer members of The Open Group's Trusted Technology Forum (OTTF).[2]

The standard focuses on organizational practices that, according to The Open Group, may, when properly adhered to, provide assurance against maliciously tainted and counterfeit products throughout the COTS ICT product life cycle. The life cycle described in the standard encompasses the following phases: design, sourcing, build, fulfillment, distribution, sustainment, and disposal. The current version of the standard may be downloaded from The Open Group's publication library[3] or purchased from ISO/IEC.[4] A Chinese translation has been published and is also available through The Open Group.

Background

The O-TTPS was written in response to the increased sophistication of cybersecurity attacks worldwide, as well as increased risks of product vulnerability across the supply chain due to the changing threat landscape.[5] The intent is to help providers build products with integrity and to enable their customers to have more confidence in the technology products they buy.[6] Private and public sector organizations rely largely on COTS ICT products to run their operations. These products are often produced globally, with processes such as design, development, and manufacturing taking place in different locations across the globe. With increased security threats worldwide, ICT providers need to show that their product organizations can act to reduce defects and vulnerabilities in their products while ensuring the security of their supply chains and reducing the risk of counterfeit and tainted products.[7]

The OTTF is managed like other forums in The Open Group, using a formal consensus-based process for building, publishing, and managing its work. The OTTF aims to provide a vendor-neutral forum in which technology and communications providers, integrators, and distributors work with customers and governments to develop standards that information technology providers can use to evaluate the engineering and manufacturing methods that enhance the security of global supply chains and the integrity of COTS ICT products. Membership in The Open Group is not required to download and use the O-TTPS or to seek compliance against the standard, but an organization must be a member of the OTTF to contribute to and vote on the work of the forum.[8]

Purpose

The OTTF is focused on increasing product integrity and security in global information technology supply chains.[9]

The Forum supports the development and utilization of global standards, accreditation programs, procurement strategies, and related activities to decrease the risk of tainted and counterfeit components and products.[10] The Forum has published an Implementation Guide to Leveraging Open Trusted Technology Providers in the Supply Chain,[11] which the National Institute of Standards and Technology (NIST) lists as a cybersecurity industry resource. The document provides a mapping between the NIST Cybersecurity Framework[12] and the related organizational practices listed in the O-TTPS.

Measurement and Accreditation

An organization that wishes to have its conformance to the requirements outlined in the O-TTPS measured can be assessed by recognized third-party assessors through The Open Group's Trusted Technology Provider Accreditation Program.[13][14] Once an organization has been successfully assessed as conforming to the requirements in the O-TTPS, it is publicly listed in The Open Group's Accreditation Register.[15] The assessment process is governed by an Accreditation Policy.[16]

History

The effort to build the standard began in January 2010 with a meeting organized by The Open Group and including major industry representatives and the US Defense Department. The Open Trusted Technology Forum was formally launched in December 2010 as an initiative within The Open Group to develop industry standards to enhance the security of global supply chains and the integrity of COTS ICT products.[17]

The first product of the Forum was a whitepaper describing the overall Trusted Technology Framework, published in 2010 by The Open Group.[18] The whitepaper was broadly focused on the overall best practices that good commercial organizations follow while building and delivering their COTS ICT products. That broad focus was narrowed during late 2010 and early 2011 to address the most prominent threats, counterfeit and maliciously tainted products, resulting in the O-TTPS, which focuses specifically on those threats.

The first version of the O-TTPS was published in April 2013.[19] Version 1.1 of the O-TTPS standard was published in July 2014.[20]

The O-TTPS Accreditation Program began in February 2014; IBM was the first company to achieve accreditation.[21]

The standard and accreditation program have been mentioned in testimony delivered to the US Congress regarding supply chain risk and cybersecurity.[22][23]

See Also

Supply chain security

Counterfeit electronic components

International Organization for Standardization

Commercial off-the-shelf

Information and communications technology

http://csrc.nist.gov/scrm/references.html

http://www.afcea.org/committees/cyber/documents/Supplychain.pdf

http://www.networkworld.com/article/2196759/malware-cybercrime/defense-department-wants-secure--global-high-tech-supply-chain.html

http://www.computerworlduk.com/news/security/3343185/the-open-group-previews-o-ttps-security-standard-for-supply-chains/

http://www.opengroup.org/subjectareas/trusted-technology

http://www.infoworld.com/article/2613780/supply-chain-management/supply-chain-2013--stop-playing-whack-a-mole-with-security-threats.html

http://washingtontechnology.com/microsites/2012/sewp-2012/04-program-office-takes-leadership-role.aspx

http://www.dhs.gov/news/2011/01/06/securing-global-supply-chain

http://blogs.ca.com/2013/04/12/the-launch-of-the-open-trusted-technology-provider-standard/?intcmp=searchresultclick&resultnum=1

References

  1. ^ "ISO/IEC 20243:2015". ISO.org. ISO.org. Retrieved 24 September 2015.
  2. ^ "Open Group Trusted Technology Forum". opengroup.org. The Open Group. Retrieved 11 May 2015.
  3. ^ "Open Group's Publication Library". opengroup.org. The Open Group. Retrieved 22 June 2015.
  4. ^ "ISO/IEC 20243". ISO.org. ISO.org. Retrieved 24 September 2015.
  5. ^ "IT Supply Chain Security: Review of Government and Industry Efforts". US House of Representatives.
  6. ^ Messmer, Ellen. "Defense Department wants secure, global high-tech supply chain". networkworld.com. IDG (International Data Group). Retrieved 30 March 2015.
  7. ^ "Cybersecurity: An Examination of the Communications Supply Chain (testimony before the Committee on Energy and Commerce, Subcommittee on Communications and Technology, U.S. House of Representatives)" (PDF). Information Technology Industry Council. Retrieved 24 September 2015.
  8. ^ "Membership". opengroup.org.
  9. ^ Szakal, Andras. "Enabling Providers to Raise the Bar on Security and Integrity" (PDF). buildsecurityin.us-cert.gov. US Dept. Of Homeland Security. Retrieved 16 April 2015.
  10. ^ "Help technology providers and their customers to "Build with Integrity, Buy with Confidence"™". opengroup.org. The Open Group. Retrieved 13 April 2015.
  11. ^ "Implementation Guide to Leveraging Open Trusted Technology Providers in the Supply Chain". NIST.Gov cybersecurity industry resources. The Open Group. Retrieved 24 September 2015.
  12. ^ "Cybersecurity Framework". NIST.Gov. NIST.Gov. Retrieved 24 September 2015.
  13. ^ "Recognized Assessor Register". opengroup.org. The Open Group. Retrieved 11 May 2015.
  14. ^ "Open Group Accreditation Program". Open Group. Open Group. Retrieved 22 June 2015.
  15. ^ "Open Group's Trusted Technology Register". The Open Group. The Open Group. Retrieved 22 June 2015.
  16. ^ "O-TTPS Accreditation Policy" (PDF). ottps-accred.opengroup.org. The Open Group. http://ottps-accred.opengroup.org/docs/O-TTPS_Accreditation_Policy.pdf. Retrieved 22 June 2015.
  17. ^ "The Open Group Announces Formation of Trusted Technology Forum to Identify Best Practices for Securing the Global Technology Supply Chain". opengroup.org. Open Group. Retrieved 16 April 2015.
  18. ^ "Open Trusted Technology Framework". opengroup.org. The Open Group. Retrieved 13 April 2015.
  19. ^ "O-TTPS". opengroup.org. The Open Group. Retrieved 11 May 2015.
  20. ^ "Open Group's Trusted Technology Forum". Retrieved 6 April 2015.
  21. ^ "IBM Secure Engineering". ibm.com. IBM Corp. Retrieved 13 April 2015.
  22. ^ "Energy Committee". energycommerce.house.gov. US House Energy and Commerce Committee. Retrieved 13 April 2015.
  23. ^ "US Senate Commerce, Science & Transportation". commerce.senate.gov. US Senate. Retrieved 13 April 2015.