Open Trusted Technology Provider Standard

The Open Trusted Technology Provider Standard (O-TTPS) (Mitigating Maliciously Tainted and Counterfeit Products) is a standard of The Open Group that has also been approved for publication as an Information Technology standard by the International Organization for Standardization and the International Electrotechnical Commission through ISO/IEC JTC 1, and is now also known as ISO/IEC 20243:2015. [1] The standard consists of a set of guidelines, requirements, and recommendations that align with best practices for global supply chain security and the integrity of commercial off-the-shelf (COTS) information and communication technology (ICT) products. [2] [3] It is currently at version 1.1. [4] [5] A Chinese translation has also been published. [6]

Background

The O-TTPS was developed in response to a changing landscape and the increased sophistication of cybersecurity attacks worldwide. [7] The intent is to help providers build products with integrity and to enable their customers to have more confidence in the technology products they buy. [8] Private and public sector organizations rely largely on COTS ICT products to run their operations. These products are often produced globally, with development and manufacturing taking place at different sites in multiple countries. [9] The O-TTPS is designed to mitigate the risk of counterfeit and tainted components and to help assure product integrity and supply chain security throughout the lifecycle of the product. [10] [11]

The Open Group's Trusted Technology Forum (OTTF) is a vendor-neutral international forum that uses a formal consensus-based process for collaboration and decision-making on the creation of standards and certification programs for information technology, including the O-TTPS. [12] In the forum, ICT providers, integrators, and distributors work with organizations and governments to develop standards that specify secure engineering and manufacturing methods along with supply chain security practices. [13]

The Implementation Guide to Leveraging Open Trusted Technology Providers in the Supply Chain [14] provides a mapping between the National Institute of Standards and Technology (NIST) Cybersecurity Framework [15] and the related organizational practices listed in the O-TTPS. NIST referenced the O-TTPS in NIST Special Publication 800-161, "Supply Chain Risk Management Practices for Federal Information Systems and Organizations", which provides guidance to federal agencies on identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations. [16]

Purpose

The standard, developed by industry experts within the Forum, specifies organizational practices that provide assurance against maliciously tainted and counterfeit products throughout the COTS ICT product lifecycle. [17] The lifecycle described in the standard encompasses the following phases: design, sourcing, build, fulfillment, distribution, sustainment, and disposal.

Measurement and Certification

Organizations can be certified for their conformance to the standard through The Open Group's Trusted Technology Provider Accreditation Program. [18] Conformance to the standard is assessed by recognized third-party assessors. [19] Once an organization has been successfully assessed as conforming to the standard, it is publicly listed in The Open Group's Accreditation Register. [20] The third-party assessment process is governed by the Accreditation Policy and Assessment Procedures. [21]

History

The effort to build the standard began in January 2010 with a meeting organized by The Open Group and including major industry representatives and the United States Department of Defense and NASA. The Open Trusted Technology Forum was formally launched in December 2010 to develop industry standards and enhance the security of global supply chains and the integrity of COTS ICT products. [22]

The first publication of the Forum was a whitepaper describing the overall Trusted Technology Framework in 2010. [23] The whitepaper was broadly focused on the overall best practices that good commercial organizations follow while building and delivering their COTS ICT products. That broad focus was narrowed during late 2010 and early 2011 to address the most prominent threats of counterfeit and maliciously tainted products, resulting in the O-TTPS, which focuses specifically on those threats.

The first version of O-TTPS was published in April 2013. [24] Version 1.1 of the O-TTPS standard was published in July 2014. [4] This version was approved by ISO/IEC in 2015 as ISO/IEC 20243:2015.

The O-TTPS Accreditation Program began in February 2014. IBM was the first company to achieve accreditation for conformance to the standard. [25]

The standard and accreditation program have been mentioned in testimony delivered to the US Congress regarding supply chain risk and cybersecurity. [26] [27] The National Defense Authorization Act for Fiscal Year 2016 Section 888 (Standards For Procurement Of Secure Information Technology And Cyber Security Systems) requires that the United States Secretary of Defense conduct an assessment of O-TTPS or similar public, open technology standards and report to the Committees on Armed Services of the US Senate and the US House of Representatives within a year. [28]

References

  1. "ISO/IEC 20243:2015". ISO.org. Retrieved 24 September 2015.
  2. Bartol, Nadya (23 May 2016). "Cyber supply chain security practices DNA – Filling in the puzzle using a diverse set of disciplines". Technovation. 34 (7): 354–361. doi:10.1016/j.technovation.2014.01.005.
  3. Whitman, Dave (March 2015). "Cybersecurity in Supply Chains". In LeClair, Jane; Keeley, Gregory (eds.). Cybersecurity in Our Digital Lives. Hudson Whitman Excelsior College Press. ISBN 978-0-9898451-4-4.
  4. "Open Group's Publication Library". opengroup.org. The Open Group. Retrieved 22 June 2015.
  5. "ISO/IEC 20243:2015 - Information Technology -- Open Trusted Technology ProviderTM Standard (O-TTPS) -- Mitigating maliciously tainted and counterfeit products". ISO. Retrieved 2016-05-23.
  6. "Open Trusted Technology Provider Standard 1.1 (Chinese)". Open Group Publications Library. The Open Group. Retrieved 6 June 2016.
  7. "IT Supply Chain Security: Review of Government and Industry Efforts". US House of Representatives.
  8. Messmer, Ellen. "Defense Department wants secure, global high-tech supply chain". Network World. IDG (International Data Group). Retrieved 30 March 2015.
  9. Lennon, Mike (9 March 2012). "USCC Releases Report on Chinese Capabilities for Cyber Operations and Cyber Espionage". Security Week. No. 9 March 2012. Wired Business Media. Retrieved 25 January 2016.
  10. "Cybersecurity: An Examination of the Communications Supply Chain (testimony before Committee on Energy and Commerce Subcommittee on Communications and Technology U.S. House of Representatives" (PDF). Information Technology Industry Council. Retrieved 24 September 2015.
  11. Prince, Brian (5 March 2012). "Consortium Pushes Security Standards for Technology Supply Chain". SecurityWeek. No. March 5, 2012. Wired Business Media. Retrieved 25 January 2016.
  12. "Membership". opengroup.org.
  13. "Open Group Trusted Technology Forum". opengroup.org. The Open Group. Retrieved 11 May 2015.
  14. "Implementation Guide to Leveraging Open Trusted Technology Providers in the Supply Chain". NIST.Gov cybersecurity industry resources. The Open Group. Retrieved 24 September 2015.
  15. "Cybersecurity Framework". NIST.Gov. NIST.Gov. Retrieved 24 September 2015.
  16. Boyens, Jon (April 2015). "Supply Chain Risk Management Practices for Federal Information Systems and Organizations". National Institute of Technology and Standards. doi:10.6028/NIST.SP.800-161.
  17. "Executive Summary of The Open Group's testimony to the House Energy and Commerce Oversight and Investigations Subcommittee Hearing on IT Supply Chain Security: Review of Government and Industry Efforts" (PDF). Energycommerce.house.gov. US Congress. Retrieved 6 June 2016.
  18. "Open Group Accreditation Program". Open Group. Retrieved 22 June 2015.
  19. "Recognized Assessor Register". opengroup.org. The Open Group. Retrieved 11 May 2015.
  20. "Open Group's Trusted Technology Register". The Open Group. Retrieved 22 June 2015.
  21. "Open Trusted Technology Provider Standard (O-TTPS) Accreditation Policy" (PDF). The Open Group. Retrieved 25 January 2016.
  22. "The Open Group Announces Formation of Trusted Technology Forum to Identify Best Practices for Securing the Global Technology Supply Chain". opengroup.org. Open Group. Retrieved 16 April 2015.
  23. "Open Trusted Technology Framework". opengroup.org. The Open Group. Retrieved April 13, 2015.
  24. "O-TTPS". opengroup.org. The Open Group. Retrieved 11 May 2015.
  25. "IBM Secure Engineering". ibm.com. IBM Corp. Retrieved 13 April 2015.
  26. "Energy and Commerce Committee, United States House of Representatives". United States House Energy and Commerce Committee. Retrieved 13 April 2015.
  27. "US Senate Commerce Science & Transportation". US Senate. Retrieved 13 April 2015.
  28. "National Defense Authorization Act for Fiscal Year 2016 (S. 1356)". GovTrack.us. Retrieved 2016-05-23.