The Launch of the Open Trusted Technology Provider Standard

Over the past couple of years, I’ve been working with The Open Group Trusted Technology Forum (OTTF) on the development of a new standard to help mitigate maliciously tainted and counterfeit products.

Over the past couple of years, I’ve been working with The Open Group Trusted Technology Forum (OTTF) on the development of a new standard to help mitigate maliciously tainted and counterfeit products. I’ve written and spoken about some of the key developments:

  • Shortly after the launch of the OTTF in January 2011, I wrote about how supply chain integrity was a very hot item and how The Open Group’s approach seemed very promising.

  • In the summer of 2011, I participated in a podcast about “filling the gap for building trusted supply chain accreditation.”

  • In the fall of 2011, I wrote about presenting to the International Common Criteria Conference in Kuala Lumpur about the work we were doing and how it was not a competitor to CC but rather was complimentary.

  • In April 2012, I blogged about The Open Group’s Dave Lounsbury and his testimony to the House Energy and Commerce Oversight Committee on supply chain integrity and security.

  • At the RSA Conference in February 2013, I joined a panel discussing the choice between accrediting an organization versus certifying a product.

Now with the recent publication of the Open Trusted Technology Provider Standard (O-TTPS) for the first time Commercial Off the Shelf (COTS) Information and Communication (ICT) providers have a common framework to use for supply chain assurance.

This is a significant development.

Prior to this standard there really wasn’t any one program that was looking at the dimensions covered by OTTF. The strong group of providers working together to build this framework is quite impressive. Here’s what some of them are saying about the new standard:

So what’s next?

A pilot of the accreditation program will take us into late fall. We’ll take the lessons learned from the pilot and apply them, and by early next year, any provider will be able to sign up to get their organization the mark as a “Trusted Technology Provider.”

As ICT providers get on the list, they will ask their suppliers to get accredited and this will work its way down the “chain.” Suppliers that don’t get accredited will hopefully feel the pressure to get on the list. Remember the O-TTPS describes the best practices for the COTS ICT product life cycle the phases of design, sourcing, build, fulfillment, distribution, sustainment, and disposal. And the goal of this standard is to help guard against maliciously tainted and counterfeit products.

The only way to do that is for all “links” in the chain to follow the same best practices. Look for the O-TTPS to play a key role in reaching that objective.

Written by

Joshua Brickman

Joshua Brickman, PMP (Project Management Professional), runs CA Technologies Federal Certifications Program. He has led…

Published in

View this topic
  • James Holland

    This is great. Hooray for Disney’s imagineers!


    become a new brand in the share market research with its accurate research. Proven
    itself always right whether market is bull or bear. Last week all paid clients
    booked handsome profit in NIFTY, BANKINIFTY & STOCKS. Now for the coming
    week we expect more correction can come in NIFTY as the IRAQ issue is getting
    more tense, If it happens more then you will see a sharp fall in all world marketNSE BSE, STOCK TIPSbecause as we know all world run on
    crude & most of the crude comes from IRAQ. So be ready for a sharp fall so
    sell will be the best strategy for next week also. Traders can make a sell
    position in NIFTY around 7600-7650 with stoploss 7750 for the target of
    7300-7200.One can also make a sell call NIFTY 50 stocks as per NIFTY levels. You
    can also take our two days free trial to check our accuracy. For further updates
    you can visit our website.



  • king lear

    testing comment functionality, please do not publish this

  • Rachel Macik

    Love the personal pic :)

    • CAHighlight

      Thank you!

  • Plutora Inc

    This is a good case study. 2.3 sec’s off a login transaction is big.

  • Michele Hudnall

    While the analysts were hyping DevOps, I posted the oversight of not including security as part of that discussion as you are highlighting here. Instead of just talking DevOps, it should be DOS (what’s old is new again :-) – DevOpsSec. As a previous AppDev person, it’s the app, who’s using it, why and where rather than the device and having the service available.

    As you rightly point, out Security should be baked into the solution.

    Nice Post and Timely!


    • CAHighlight

      Thank you for your feedback Michele. Agreed – security cannot be overlooked. Appreciate your input!

  • Mitesh

    I would love a printed copy

  • Lars Johansson

    I love the idea of BYOID! This makes me choose if I am almost anonymous (with my Hotmail Nicname) or official with identity from an official organisation. My Identity Provider will attach identity with right level of LoA according to the need of the Service provider.

    • CAHighlight

      Thank you for your comment. BYOID has tangible benefits for end users and relying parties but it also has to be weighed in the balance with potential risks and liability concerns. It will be interesting to see how BYOID plays out in the enterprise.