Wikipedia

Open Trusted Technology Provider Standard: Difference between revisions

Browse history interactively
← Previous edit
Content deleted Content added
VisualWikitext
Monkbot (talk | contribs)
Bots
3,695,952 edits
m Task 18 (cosmetic): eval 28 templates: del empty params (7×); hyphenate params (22×);
Rescuing 2 sources and tagging 3 as dead.) #IABot (v2.0.9.5
 
(8 intermediate revisions by 5 users not shown)
Line 1:
<!-- How do I change the title of the entry itself to be ISO 20243:Open Trusted Technology Provider Standard EDIT BELOW THIS LINE -->
The '''Open Trusted Technology Provider[[Trademark symbol|™]] Standard''' (O-TTPS) (''Mitigating Maliciously Tainted and Counterfeit Products'') is a standard of [[The Open Group]] that has also been approved for publication as an [[Information technology|Information Technology]] standard by the [[International Organization forof Standardization]] and the [[International Electrotechnical Commission]] through [[ISO/IEC JTC 1]] and is now also known as ISO/IEC 20243:2015.<ref>{{cite web|title=ISO/IEC 20243:2015|url=http://www.iso.org/iso/catalogue_detail.htm?csnumber=67394|website=ISO.org|publisher=ISO.org|access-date=24 September 2015}}</ref> The standard consists of a set of guidelines, requirements, and recommendations that align with [[best practice]]s for global [[supply chain security]] and the integrity of [[commercial off-the-shelf]] (COTS) [[information and communication technology]] (ICT) products.<ref>{{Cite journal|last=Bartol|first=Nadya|date=23 May 2016|title=Cyber supply chain security practices DNA – Filling in the puzzle using a diverse set of disciplines|journal=Technovation|doi=10.1016/j.technovation.2014.01.005|volume=34|issue=7|pages=354–361}}</ref><ref>{{Cite book|title=Cybersecurity in Our Digital Lives|last=Whitman|first=Dave|publisher=Hudson Whitman Excelsior College Press|yeardate=March 2015|isbn=978-0-9898451-4-4|editor-last=LeClair|editor-first=Jane|chapter=Cybersecurity in Supply Chains|editor-last2=Keeley|editor-first2=Gregory}}</ref> It is currently in version 1.1.<ref name=":0">{{cite web|url=https://www2.opengroup.org/ogsys/catalog/C147|title=Open Group's Publication Library|website=opengroup.org|publisher=The Open Group|access-date=22 June 2015}}</ref><ref>{{Cite web|url=http://www.iso.org/iso/catalogue_detail.htm?csnumber=67394|title=ISO/IEC 20243:2015 - Information Technology -- Open Trusted Technology ProviderTM Standard (O-TTPS) -- Mitigating maliciously tainted and counterfeit products|website=ISO|access-date=2016-05-23}}</ref> A Chinese translation has also been published.<ref>{{Cite web|url=https://www2.opengroup.org/ogsys/catalog/C147CH|title=Open Trusted Technology Provider Standard 1.1 (Chinese)|website=Open Group Publications Library|publisher=The Open Group|access-date=6 June 2016}}</ref>
 
== Background ==
The O-TTPS was developed in response to a changing landscape and the increased sophistication of cybersecurity attacks worldwide.<ref name="United States House of Representatives Commerce and Energy Committee">{{cite web|title=IT Supply Chain Security: Review of Government and Industry Efforts|url=http://energycommerce.house.gov/hearing/it-supply-chain-security-review-government-and-industry-efforts|publisher=US House of Representatives|archiveaccess-date=2015-03-27 March 2012|archive-date=2014-12-08|archive-url=https://web.archive.org/web/20141208053201/https://energycommerce.house.gov/hearing/it-supply-chain-security-review-government-and-industry-efforts|url-status=dead}}</ref> The intent is to help providers build products with integrity and to enable their customers to have more confidence in the technology products they buy.<ref>{{cite web|author1=Messmer, Ellen|title=Defense Department wants secure, global high-tech supply chain|url=httphttps://www.networkworld.com/article/2196759716997/malware-cybercrime/-defense-department-wants-secure--global-high-tech-supply-chain.html|website=networkworld.com[[Network World]]|publisher=IDG (International Data Group)|access-date=30 March 2015|archive-date=15 December 2010}}</ref> Private and public sector organizations rely largely on COTS ICT products to run their operations. These products are often produced globally, with development and manufacturing taking place at different sites in multiple countries.<ref>{{cite news|last1=Lennon|first1=Mike|title=USCC Releases Report on Chinese Capabilities for Cyber Operations and Cyber Espionage|url=http://www.securityweek.com/uscc-commissioner-cyberattacks-getting-harder-chinas-leaders-claim-ignorance|access-date=25 January 2016|work=Security Week|issue=9 March 2012|publisher=Wired Business Media|date=9 March 2012}}</ref> The O-TTPS is designed to mitigate the risk of counterfeit and tainted components and to help assure product integrity and supply chain security throughout the lifecycle of the product.<ref>{{cite web|title=Cybersecurity: An Examination of the Communications Supply Chain (testimony before Committee on Energy and Commerce Subcommittee on Communications and Technology U.S. House of Representatives|url=http://www.itic.org/dotAsset/3/a/3a48cdde-f1e5-4080-9773-315bf14a5142.pdf|publisher=Information Technology Industry Council|access-date=24 September 2015}}</ref><ref>{{cite news|last1=Prince|first1=Brian|title=Consortium Pushes Security Standards for Technology Supply Chain|url=http://www.securityweek.com/consortium-pushes-security-standards-technology-supply-chain|access-date=25 January 2016|work=SecurityWeek|issue=March 5, 2012|publisher=Wired Business Media|date=5 March 2012}}</ref>
 
[[The Open Group| The Open Group's Trusted Technology Forum]] (OTTF) is a vendor-neutral international forum that uses a formal consensus based process for collaboration and decision making about the creation of standards and certification programs for information technology, including the O-TTPS.<ref>{{cite web|url=http://www.opengroup.org/getinvolved/becomeamember|title=Membership|publisher=opengroup.org}}</ref> In the forum, ICT providers, integrators and distributors work with organizations and governments to develop standards that specify secure engineering and manufacturing methods along with supply chain security practices.<ref>{{cite web|url=http://opengroup.org/subjectareas/trusted-technology|title=Open Group Trusted Technology Forum|website=opengroup.org|publisher=The Open Group|access-date=11 May 2015}}</ref>
 
The Implementation Guide to Leveraging Open Trusted Technology Providers in the Supply Chain<ref>{{cite web|url=https://www.nist.gov/cyberframework/cybersecurity-framework-industry-resources.cfm|title=Implementation Guide to Leveraging Open Trusted Technology Providers in the Supply Chain|website=NIST.Gov cybersecurity industry resources|publisher=The Open Group|access-date=24 September 2015}}</ref> provides mapping between The [[National Institute forof Standards and Technology]] (NIST) Cybersecurity Framework<ref>{{cite web|url=https://www.nist.gov/cyberframework/|title=Cybersecurity Framework|website=NIST.Gov|publisherdate=NIST.Gov12 November 2013 |access-date=24 September 2015}}</ref> and related organizational practices listed in the O-TTPS. NIST referenced O-TTPS in their NIST Special Publication 800-161 "Supply Chain Risk Management Practices for Federal Information Systems and Organizations" that provides guidance to federal agencies on identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations.<ref>{{Cite journal|title=Supply Chain Risk Management Practices for Federal Information Systems and Organizations|last=Boyens|first=Jon|yeardate=April 2015|publisher=National Institute of Technology and Standards|doi=10.6028/NIST.SP.800-161|doi-access=free}}</ref>
 
== Purpose ==
Line 13:
 
== Measurement and Certification ==
Organizations can be certified for their conformance to the standard through the Open Group's Trusted Technology Provider Accreditation Program.<ref>{{cite web|title=Open Group Accreditation Program|url=http://ottps-accred.opengroup.org/home-public|website=Open Group|publisher=Open Group|access-date=22 June 2015}}</ref> Conformance to the standard is assessed by Recognized third party Assessors.<ref>{{cite web|title=Recognized Assessor Register|url=http://ottps-accred.opengroup.org/recognized-assessors|website=opengroup.org|publisher=The Open Group|access-date=11 May 2015}}{{Dead link|date=August 2025 |bot=InternetArchiveBot |fix-attempted=yes }}</ref> Once an organization has been successfully assessed as conforming to the standard then the organization is publicly listed in the Open Group's Accreditation Register.<ref>{{cite web|title=Open Group's Trusted Technology Register|url=http://ottps-accred.opengroup.org/accreditation-register|website=The Open Group|publisheraccess-date=The22 OpenJune Group2015|accessarchive-date=2217 JuneApril 2015|archive-url=https://web.archive.org/web/20150417113043/http://ottps-accred.opengroup.org/accreditation-register|url-status=dead}}</ref> The third party assessment process is governed by the Accreditation Policy and Assessment Procedures.<ref>{{cite web|title=Open Trusted Technology Provider™Provider Standard (O-TTPS) Accreditation Policy|url=http://ottps-accred.opengroup.org/sites/ottps-accred.opengroup.org/files/docs/O-TTPS_Accreditation_Policy_pdf/O-TTPS_Accreditation_Policy.pdf|website=The Open Group|publisher=The Open Group|access-date=25 January 2016}}</ref>
 
== History ==
The effort to build the standard began in January 2010 with a meeting organized by The Open Group and including major industry representatives and the [[United States Department of Defense]] and [[NASA]]. The Open Trusted Technology Forum was formally launched in December 2010 to develop industry standards and enhance the security of global supply chains and the integrity of COTS ICT products.<ref>{{cite web|title=The Open Group Announces Formation of Trusted Technology Forum to Identify Best Practices for Securing the Global Technology Supply Chain|url=http://www.opengroup.org/news/press/open-group-announces-formation-trusted-technology-forum-identify-best-practices-securing-|website=opengroup.org|publisher=Open Group|access-date=16 April 2015}}{{Dead link|date=August 2025 |bot=InternetArchiveBot |fix-attempted=yes }}</ref>
 
The first publication of the Forum was a whitepaper describing the overall Trusted Technology Framework in 2010.<ref>{{cite web|url=https://www2.opengroup.org/ogsys/catalog/W157|title=Open Trusted Technology Framework|website=opengroup.org|publisher=The Open Group|access-date=April 13, 2015}}</ref> The whitepaper was broadly focused on overall best practices that good commercial organizations follow while building and delivering their COTS ICT products. That broad focus was narrowed during late 2010 and early 2011 to address the most prominent threats of counterfeit and maliciously tainted products resulting in the O-TTPS which focuses specifically on those threats.
Line 22:
The first version of O-TTPS was published in April 2013.<ref>{{cite web|title=O-TTPS|url=https://www2.opengroup.org/ogsys/catalog/C139|website=opengroup.org|publisher=The Open Group|access-date=11 May 2015}}</ref> Version 1.1 of the O-TTPS standard was published in July 2014.<ref name=":0" /> This version was approved by ISO/IEC in 2015 as ISO/IEC 20243:2015.
 
The O-TTPS Accreditation Program began in February 2014. [[IBM]] was the first company to achieve accreditation for conformance to the standard.<ref>{{cite web|title=IBM Secure Engineering|url=http://www-03.ibm.com/security/secure-engineering/ibmottpsaccreditation.html|archive-url=https://web.archive.org/web/20150411025751/http://www-03.ibm.com/security/secure-engineering/ibmottpsaccreditation.html|url-status=dead|archive-date=April 11, 2015|website=ibm.com|publisher=IBM Corp|access-date=13 April 2015}}</ref>
 
The standard and accreditation program have been mentioned in testimony delivered to the US Congress regarding supply chain risk and cybersecurity.<ref>{{cite web|title=Energy and Commerce Committee, United States House of Representatives|url=http://energycommerce.house.gov/hearing/it-supply-chain-security-review-government-and-industry-efforts|publisher=United States House Energy and Commerce Committee|access-date=13 April 2015}}{{Dead link|date=August 2025 |bot=InternetArchiveBot |fix-attempted=yes }}</ref><ref>{{cite web|title=US Senate Commerce Science & Transportation|url=http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=EC6AF856-95AA-449C-8BF1-A763C9B9B3CF|publisher=US Senate|access-date=13 April 2015}}</ref> The [[National Defense Authorization Act for Fiscal Year 2016]] Section 888 (Standards For Procurement Of Secure Information Technology And Cyber Security Systems) requires that the [[United States Secretary of Defense]] conduct an assessment of O-TTPS or similar public, open technology standards and report to the [[United States Senate Committee on Armed Services|Committees on Armed Services]] of the [[United States Senate|US Senate]] and the [[United States House of Representatives|US House of Representatives]] within a year.<ref>{{Cite web|url=https://www.govtrack.us/congress/bills/114/s1356|title=National Defense Authorization Act for Fiscal Year 2016 (S. 1356)|website=GovTrack.us|access-date=2016-05-23}}</ref>
 
==See also==
* [[Supply chain security]]
* [[Counterfeit electronic components]]
* [[International Organization for Standardization]]
* [[Commercial off-the-shelf]]
* [[Information and communications technology]]
 
== References ==
{{Reflist}}
 
Line 39:
*http://csrc.nist.gov/scrm/references.html
*http://www.afcea.org/committees/cyber/documents/Supplychain.pdf
*httphttps://www.networkworld.com/article/2196759716997/malware-cybercrime/-defense-department-wants-secure--global-high-tech-supply-chain.html
*http://www.computerworlduk.com/news/security/3343185/the-open-group-previews-o-ttps-security-standard-for-supply-chains/
*http://www.opengroup.org/subjectareas/trusted-technology
Retrieved from "https://en.wikipedia.org/wiki/Open_Trusted_Technology_Provider_Standard"