Over the past couple of years, I’ve been working with The Open Group Trusted Technology Forum (OTTF) on the development of a new standard to help mitigate maliciously tainted and counterfeit products. I’ve written and spoken about some of the key developments:
- Shortly after the launch of the OTTF in January 2011, I wrote about how supply chain integrity was a very hot item and how The Open Group’s approach seemed very promising.
- In the summer of 2011, I participated in a podcast about “filling the gap for building trusted supply chain accreditation.”
- In the fall of 2011, I wrote about presenting to the International Common Criteria Conference in Kuala Lumpur about the work we were doing and how it was not a competitor to CC but rather was complimentary.
- In April 2012, I blogged about The Open Group’s Dave Lounsbury and his testimony to the House Energy and Commerce Oversight Committee on supply chain integrity and security.
- At the RSA Conference in February 2013, I joined a panel discussing the choice between accrediting an organization versus certifying a product.
Now with the recent publication of the Open Trusted Technology Provider Standard (O-TTPS) for the first time Commercial Off the Shelf (COTS) Information and Communication (ICT) providers have a common framework to use for supply chain assurance.
This is a significant development.
Prior to this standard there really wasn’t any one program that was looking at the dimensions covered by OTTF. The strong group of providers working together to build this framework is quite impressive. Here’s what some of them are saying about the new standard:
- Oracle’s Mary Ann Davidson– The Trusted Technology Forum: Best practices for securing the global technology supply chain and The Root of the Problem
- EMC’s Eric Baize — Open Group’s New Open Trusted Technology Provider Standard: How Trustworthy are Your Products?
- Atsec’s Fiona Pattinson – O-TTPS Consensus!
- The Open Group’s Sally Long — Developing standards to secure our global supply chain
So what’s next?
A pilot of the accreditation program will take us into late fall. We’ll take the lessons learned from the pilot and apply them, and by early next year, any provider will be able to sign up to get their organization the mark as a “Trusted Technology Provider.”
As ICT providers get on the list, they will ask their suppliers to get accredited and this will work its way down the “chain.” Suppliers that don’t get accredited will hopefully feel the pressure to get on the list. Remember the O-TTPS describes the best practices for the COTS ICT product life cycle the phases of design, sourcing, build, fulfillment, distribution, sustainment, and disposal. And the goal of this standard is to help guard against maliciously tainted and counterfeit products.
The only way to do that is for all “links” in the chain to follow the same best practices. Look for the O-TTPS to play a key role in reaching that objective.