The Open Trusted Technology Provider Standard (O-TTPS) (''Mitigating Maliciously Tainted and Counterfeit Products'') is a standard of The Open Group that has also been approved for publication as an Information Technology standard by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) through ISO/IEC JTC 1, and is now also known as ISO/IEC 20243:2015. The standard consists of a set of guidelines, requirements, and recommendations that align with best practices for global supply chain security and the integrity of commercial off-the-shelf (COTS) information and communication technology (ICT) products. It is currently in version 1.1.
A Chinese translation has also been published.
Background
The O-TTPS was developed in response to a changing landscape and the increased sophistication of cybersecurity attacks worldwide.
The intent is to help providers build products with integrity and to enable their customers to have more confidence in the technology products they buy. Private and public sector organizations rely largely on COTS ICT products to run their operations. These products are often produced globally, with development and manufacturing taking place at different sites in multiple countries. The O-TTPS is designed to mitigate the risk of counterfeit and tainted components and to help assure product integrity and supply chain security throughout the lifecycle of the product.
The Open Group's Trusted Technology Forum (OTTF) is a vendor-neutral international forum that uses a formal consensus-based process for collaboration and decision making about the creation of standards and certification programs for information technology, including the O-TTPS. In the forum, ICT providers, integrators and distributors work with organizations and governments to develop standards that specify secure engineering and manufacturing methods along with supply chain security practices.
The Implementation Guide to Leveraging Open Trusted Technology Providers in the Supply Chain provides a mapping between the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the related organizational practices listed in the O-TTPS. NIST referenced O-TTPS in NIST Special Publication 800-161, "Supply Chain Risk Management Practices for Federal Information Systems and Organizations", which provides guidance to federal agencies on identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations.
Purpose
The standard, developed by industry experts within the Forum, specifies organizational practices that provide assurance against maliciously tainted and counterfeit products throughout the COTS ICT product lifecycle. The lifecycle described in the standard encompasses the following phases: design, sourcing, build, fulfillment, distribution, sustainment, and disposal.
Measurement and Certification
Organizations can be certified for their conformance to the standard through The Open Group's Trusted Technology Provider Accreditation Program. Conformance to the standard is assessed by recognized third-party assessors. Once an organization has been successfully assessed as conforming to the standard, it is publicly listed in The Open Group's Accreditation Register. The third-party assessment process is governed by the Accreditation Policy and Assessment Procedures.
History
The effort to build the standard began in January 2010 with a meeting organized by The Open Group that included major industry representatives, the United States Department of Defense and NASA. The Open Trusted Technology Forum was formally launched in December 2010 to develop industry standards and enhance the security of global supply chains and the integrity of COTS ICT products.
The first publication of the Forum was a 2010 whitepaper describing the overall Trusted Technology Framework. The whitepaper was broadly focused on the overall best practices that good commercial organizations follow while building and delivering their COTS ICT products. That broad focus was narrowed during late 2010 and early 2011 to address the most prominent threats of counterfeit and maliciously tainted products, resulting in the O-TTPS, which focuses specifically on those threats.
The first version of O-TTPS was published in April 2013. Version 1.1 of the O-TTPS standard was published in July 2014.
This version was approved by ISO/IEC in 2015 as ISO/IEC 20243:2015.
The O-TTPS Accreditation Program began in February 2014.
IBM was the first company to achieve accreditation for conformance to the standard.
The standard and accreditation program have been mentioned in testimony delivered to the US Congress regarding supply chain risk and cybersecurity. The National Defense Authorization Act for Fiscal Year 2016, Section 888 (Standards For Procurement Of Secure Information Technology And Cyber Security Systems), requires that the United States Secretary of Defense conduct an assessment of O-TTPS or similar public, open technology standards and report to the Committees on Armed Services of the US Senate and the US House of Representatives within a year.
See also
* Supply chain security
* Counterfeit electronic components
* International Organization for Standardization
* Commercial off-the-shelf
* Information and communications technology
External links
*http://csrc.nist.gov/scrm/references.html
*http://www.afcea.org/committees/cyber/documents/Supplychain.pdf
*http://www.networkworld.com/article/2196759/malware-cybercrime/defense-department-wants-secure--global-high-tech-supply-chain.html
*http://www.computerworlduk.com/news/security/3343185/the-open-group-previews-o-ttps-security-standard-for-supply-chains/
*http://www.opengroup.org/subjectareas/trusted-technology
*http://www.infoworld.com/article/2613780/supply-chain-management/supply-chain-2013--stop-playing-whack-a-mole-with-security-threats.html
*http://washingtontechnology.com/microsites/2012/sewp-2012/04-program-office-takes-leadership-role.aspx
*https://www.dhs.gov/news/2011/01/06/securing-global-supply-chain
*http://blogs.ca.com/2013/04/12/the-launch-of-the-open-trusted-technology-provider-standard/?intcmp=searchresultclick&resultnum=1