Open Trusted Technology Provider Standard: Difference between revisions

Danreddy (talk | contribs)
m Added NIST reference
Danreddy (talk | contribs)
m No edit summary
Line 9:
 
<!-- How do I change the title of the entry itself to be ISO 20243:Open Trusted Technology Provider Standard EDIT BELOW THIS LINE -->
The Open Trusted Technology Provider[[Trademark symbol|™]] Standard (O-TTPS) (''Mitigating Maliciously Tainted and Counterfeit Products'') is a standard of [[The Open Group]] that has also been approved for publication as an [[Information technology|Information Technology]] standard by the [[International Organization for Standardization]] and the [[International Electrotechnical Commission]] through [[ISO/IEC JTC 1]] and is now also known as ISO/IEC 20243:2015.<ref>{{cite web|title=ISO/IEC 20243:2015|url=http://www.iso.org/iso/catalogue_detail.htm?csnumber=67394|website=ISO.org|publisher=ISO.org|accessdate=24 September 2015}}</ref> The standard consists of a set of guidelines, requirements, and recommendations that align with [[best practice]]s for global [[supply chain security]] and the integrity of [[commercial off-the-shelf]] (COTS) [[information and communication technology]] (ICT) products.<ref>{{Cite journal|last=Bartol|first=Nadya|date=23 May 2016|title=Cyber supply chain security practices DNA – Filling in the puzzle using a diverse set of disciplines|url=http://www.sciencedirect.com/science/article/pii/S0166497214000066|journal=Technovation|doi=10.1016/j.technovation.2014.01.005|pmid=|access-date=23 May 2016}}</ref><ref>{{Cite book|title=Cybersecurity in Our Digital Lives|last=Whitman|first=Dave|publisher=Hudson Whitman Excelsior College Press|year=March 2015|isbn=978-0-9898451-4-4|editor-last=LeClair|editor-first=Jane|location=|pages=|chapter=Cybersecurity in Supply Chains|editor-last2=Keeley|editor-first2=Gregory}}</ref> It is currently in version 1.1.<ref name=":0">{{cite web|url=https://www2.opengroup.org/ogsys/catalog/C147|title=Open Group's Publication Library|website=opengroup.org|publisher=The Open Group|accessdate=22 June 2015}}</ref><ref>{{Cite web|url=http://www.iso.org/iso/catalogue_detail.htm?csnumber=67394|title=ISO/IEC 20243:2015 - Information Technology -- Open Trusted Technology ProviderTM Standard (O-TTPS) -- Mitigating maliciously tainted and counterfeit products|website=ISO|access-date=2016-05-23}}</ref> A Chinese translation has also been published.<ref>{{Cite web|url=https://www2.opengroup.org/ogsys/catalog/C147CH|title=Open Trusted Technology Provider Standard 1.1 (Chinese)|last=|first=|date=|website=Open Group Publications Library|publisher=The Open Group|access-date=6 June 2016}}</ref>
 
== Background ==
Line 21:
== Purpose ==
 
The standard, developed by industry experts within the Forum, specifies organizational practices that provide assurance against maliciously tainted and counterfeit products throughout the COTS ICT product lifecycle.<ref>{{cite web|url=https://energycommerce.house.gov/sites/republicans.energycommerce.house.gov/files/Hearings/OI/20120327/HHRG-112-IF02-WState-LounsburyD-20120327.pdf|title=Executive Summary of The Open Group’s testimony to the House Energy and Commerce Oversight and Investigations Subcommittee Hearing on IT Supply Chain Security: Review of Government and Industry Efforts|website=Energycommerce.house.gov|publisher=US Congress|accessdate=6 June 2016}}</ref> The lifecycle described in the standard encompasses the following phases: design, sourcing, build, fulfillment, distribution, sustainment, and disposal.
 
== Measurement and Certification ==
 
Organizations can be certified for their conformance to the standard by recognized third-party assessors through the Open Group's Trusted Technology Provider Accreditation Program.<ref>{{cite web|title=Open Group Accreditation Program|url=http://ottps-accred.opengroup.org/home-public|website=Open Group|publisher=The Open Group|accessdate=22 June 2015}}</ref> Conformance to the standard is assessed by Recognized third-party Assessors.<ref>{{cite web|title=Recognized Assessor Register|url=http://ottps-accred.opengroup.org/recognized-assessors|website=opengroup.org|publisher=The Open Group|accessdate=11 May 2015}}</ref> Once an organization has been successfully assessed as conforming to the standard, it is publicly listed in the Open Group's Accreditation Register.<ref>{{cite web|title=Open Group's Trusted Technology Register|url=http://ottps-accred.opengroup.org/accreditation-register|website=The Open Group|publisher=The Open Group|accessdate=22 June 2015}}</ref> The third-party assessment process is governed by the Accreditation Policy and Assessment Procedures.<ref>{{cite web|title=Open Trusted Technology Provider™ Standard (O-TTPS) Accreditation Policy|url=http://ottps-accred.opengroup.org/sites/ottps-accred.opengroup.org/files/docs/O-TTPS_Accreditation_Policy_pdf/O-TTPS_Accreditation_Policy.pdf|website=The Open Group|publisher=The Open Group|accessdate=25 January 2016}}</ref>
 
== History ==
Line 33:
The first publication of the Forum was a whitepaper describing the overall Trusted Technology Framework in 2010.<ref>{{cite web|url=https://www2.opengroup.org/ogsys/catalog/W157|title=Open Trusted Technology Framework|website=opengroup.org|publisher=The Open Group|accessdate=April 13, 2015}}</ref> The whitepaper was broadly focused on overall best practices that good commercial organizations follow while building and delivering their COTS ICT products. That broad focus was narrowed during late 2010 and early 2011 to address the most prominent threats of counterfeit and maliciously tainted products, resulting in the O-TTPS, which focuses specifically on those threats.
 
The first version of O-TTPS was published in April 2013.<ref>{{cite web|title=O-TTPS|url=https://www2.opengroup.org/ogsys/catalog/C139|website=opengroup.org|publisher=The Open Group|accessdate=11 May 2015}}</ref> Version 1.1 of the O-TTPS standard was published in July 2014.<ref name=":0" /> This version was approved by ISO/IEC in 2015 as ISO/IEC 20243:2015.
 
The O-TTPS Accreditation Program began in February 2014. [[IBM]] was the first company to achieve accreditation for conformance to the standard.<ref>{{cite web|title=IBM Secure Engineering|url=http://www-03.ibm.com/security/secure-engineering/ibmottpsaccreditation.html|website=ibm.com|publisher=IBM Corp|accessdate=13 April 2015}}</ref>