OTTF: Frequently Asked Questions

What is the Trusted Technology Forum?
The Trusted Technology Forum (OTTF) is a global consortium established to promote the adoption of best practices for secure technology engineering and procurement strategies in order to establish a more trustworthy global technology supply chain.

What organizations are involved in the OTTF?
Founding members of the OTTF include Boeing, Carnegie Mellon SEI, CA Technologies, Cisco Systems, Hewlett-Packard, IBM, Kingdee, Microsoft, MITRE, NASA, Oracle, OUSD (AT&L) and the U.S. Department of Defense; the forum will operate under the stewardship of the Open Group.

Who is The Open Group?
The Open Group is an international vendor- and technology-neutral consortium upon which organizations rely to lead the development of IT standards and certifications, and to provide them with access to key industry peers, suppliers and best practices. The Open Group will provide guidance and an open environment in order to ensure interoperability and vendor neutrality.

What is the purpose of the OTTF?
The forum seeks to provide a framework, guidelines and related resources to help the technology and communications industries “build with integrity” by providing vendors, distributors and integrators commercially reasonable integrity practices. The guidelines are intended to:

  • Enable customers to buy with confidence
  • Identify procurement strategies to protect the consumer, thereby…
  • Supporting global innovation and promoting global adoption

The OTTF’s ultimate objective is to develop a marked accreditation program, which will help companies identify secure technology providers and products in the global supply chain, enabling suppliers to build with integrity and customers to buy with confidence.

Who will benefit from this forum?
Governments and large enterprises that base their purchasing decisions on trusted technology providers who have developed their products using the best practices identified by the OTTF will be able to rely on a more comprehensive approach to risk management and product assurance when selecting commercial off-the-shelf technology products.

Vendors and suppliers that conform to the practices developed by the OTTF will be able to assure and protect the integrity of their products and services as they move through the global supply chain, earning a deserved market differentiation.

How does the OTTF relate to other standards bodies and activities?
The Open Group has extensive experience and a long track record in facilitating consensus across standards bodies to develop standards, including defining new standards, evolving existing ones, building consensus and providing support services, and developing best practices. A primary goal of the OTTF will be to facilitate consensus and rationalize efforts across global supply chain security standards efforts. The OTTF will provide a venue for establishing a unified voice for IT vendors to provide input into international standards and policy initiatives related to supply chain integrity and secure engineering practices.

QUESTIONS REGARDING THE MARKET

What market need is the OTTF expected to address?
The OTTF is being formed in response to the increased sophistication and severity of cybersecurity attacks worldwide, and the vulnerabilities introduced by use of technology provided through the global supply chain. Governments and organizations buy products from companies they trust, but those companies usually do not manufacture all the components of their products. Developing an accreditation program that ensures product integrity throughout the supply chain of a given vendor can alleviate security worries for the customer.

Why should companies be worried about cybersecurity and the global supply chain?
Cybersecurity attacks are on the increase worldwide. The members of the OTTF recognize the importance of establishing trust between manufacturers, vendors and customers. The forum is being formed in response to the need to establish industry best practices that will help protect organizations from such attacks — as well as from shoddy security practices as a whole.

Are there other forums or consortia within the industry currently addressing this problem?
While other industries have looked at supply chain security and creating some assurance that companies can be trusted (for example the energy industry), the members of the OTTF believe that best practices are needed in this area, starting with technology and communications companies. We're not aware of anyone working on such a project from the global and industry-led perspective that the OTTF has, but The Open Group is always open to collaboration and liaising with other groups working on this problem - it is not our intent to reinvent anything that is adequately addressed.

What industry challenges will the OTTF address?
The OTTF will respond to current industry challenges by:

  • Reducing risks that may be introduced from global supply chain providers
  • Identifying manufacturing practices and checkpoints throughout the lifecycle that mitigate risk from uncontrolled, unprotected development methods and engineering procedures
  • Developing conformance criteria and accreditation for trusted technology providers that will instill trust and confidence in consumers
  • Working with the global community to develop responsible and realistic procurement policies that mitigate the risks introduced from supply chain vulnerabilities for all governments and vertical industries

How will the OTTF provide market differentiation for member companies?
As part of the forum’s deliverables, the OTTF will develop a marked accreditation program to help identify trusted technology providers and products in the global supply chain.

Why is market differentiation important?
Establishing market differentiation will allow governments and large enterprises to use the standards developed by the OTTF as part of their purchasing decisions when selecting commercial off-the-shelf technology products.  Vendors and suppliers will be able to show that their products and services have been built with integrity and conform to industry standards.

What are the benefits of being a participating member of the OTTF?
Benefits of OTTF membership include:

  • The ability to work collaboratively with peer organizations, suppliers and customers to define, review and approve all best practices, technical standards, profiles and conformance or accreditation programs; to collaboratively set the standards
  • Industry members of the OTTF can directly interact with government acquisition leaders through their participation in the forum and government members can interact with their suppliers in an open, neutral forum
  • Market differentiation through the accreditation program, and status as an organization that pioneered the program
  • Members can network with their peers in similar organizations around the globe

What vertical markets will benefit from the OTTF?
The OTTF is intended to benefit technology buyers across all industries concerned with secure development practices and supply chain management, including government and defense, transportation, healthcare and financial services.

QUESTIONS REGARDING DELIVERABLES

What deliverables or activities are expected from the OTTF?
The OTTF intends to develop and provide the following deliverables:

  • Development of the Trusted Technology Provider Framework (TTPF)
  • Trusted Technology Provider Framework Whitepaper
  • Trusted Technology Business Scenario
  • TTPF Best Practices and Conformance Criteria
  • White papers that provide guidance for developing trusted technology
  • Standards mapping to OTTF best practices
  • Global government outreach related to technology supply chain integrity
  • A program to accredit vendors against the TTPF
  • Partner with international standards bodies to help guide the development of practical standards, policies and best practices for securing the global technology supply chain

What is the Trusted Technology Provider Framework?
The Trusted Technology Provider Framework (TTPF) will provide a framework for identifying best practices and product assurance standards for trusted technology providers and products in the global supply chain.  The framework is intended to benefit technology buyers across all industries concerned with secure development practices and supply chain management.

What is the Trusted Technology Business Scenario?
The Trusted Technology Business Scenario is a paper that is intended to help businesses identify and illustrate the business value for all stakeholders involved in the OTTF in identifying best practices and creating programs for identifying trusted technologies. 

When will the initial version of the TTPF become available?
The initial version of the Trusted Technology Provider Framework (TTPF) was drafted as a final deliverable of the ACS Initiative (see below for more on the ACS). That work will be published as an official Open Group White Paper prior to the Open Group San Diego Conference in February. Copies of the ACS Initiative TTPF document will be made available to interested parties as needed. The TTPF white paper will be published on the Open Group web site and made available to the public.

How do the OTTF and the Trusted Technology Provider Framework (TTPF) relate to the Common Criteria standard?
The foundation of the TTPF is based on open standards and practices. The members of the OTTF believe that the Common Criteria standard plays an essential role in the security evaluation of IT products. However, the breadth of supply chain security encompasses more than the security evaluation of a single IT product. The TTPF will focus on best practices for ensuring the integrity and trust of IT products. The TTPF answers how vendors effectively develop trusted technology products, whereas the Common Criteria validates that a product meets expected security criteria. The TTPF seeks to identify the industry best practices for developing and manufacturing trusted technology, of which Common Criteria has been identified as an essential best practice for validating an IT product’s security function.

ORGANIZATIONAL QUESTIONS

Who will manage the OTTF?
The Open Group will provide guidance and stewardship for the OTTF.

What is The Open Group’s role as steward of the OTTF?
The Open Group will provide guidance and an open environment for OTTF members to define their accreditation program and best practices while ensuring interoperability and vendor neutrality.

Does The Open Group have experience managing industry forums?
The Open Group has more than 20 years’ experience in creating industry best practices, standards, certification and accreditation programs for global organizations in all vertical markets. The Open Group’s Membership Forums and their Collaboration Services business unit provide guidance to organizations throughout the lifecycle of consortium development to help organizations focus on solving business problems and creating certifiable industry standards. The Open Group’s services for their own forums and for industry consortia offer a clear path to market impact through standards and certification.

What is the ACS?
The Acquisition Cybersecurity (ACS) Initiative is a collaborative industry/government effort that was facilitated by the Open Group beginning in 2009. The ACS was intended to help vendors identify the current best practices and processes that contribute to both the creation of trusted technology and the establishment of trust in technology supply chains. The ACS has begun the work of creating the framework, and will conclude once the final draft of the TTPF is submitted to the OTTF and the Open Group for approval.

What role is the US government playing in the OTTF?
In 2009, the US Department of Defense worked with The Open Group to establish the ACS Initiative. The DoD will continue to work with the OTTF towards its goal of an accreditation program.

The Open Group already manages a number of industry forums. Why the OTTF as well?
The Open Group has long served as an open environment and facilitator where member organizations worldwide can collaborate to create initiatives that drive industry standards development. The Open Group recognizes the critical need for new standards to address security risks across the supply chain and is looking forward to working with some of the most innovative companies in the world to grow the OTTF and its programs.

What role do the members play in the forum management?
Members will work collaboratively with peer organizations, suppliers and customers to define, review and approve all activities, best practices, technical standards, profiles and conformance or accreditation programs.

How can organizations join the forum?
Organizations interested in joining the OTTF should contact Mike Hickey at m.hickey@opengroup.org or see the following:

Forum membership agreement:
http://www.opengroup.org/member/membership_agreement.pdf
Standard Open Group membership terms/fees:
http://www.opengroup.org/member/howtojoin.htm
Open Group Standards Process:
http://www.opengroup.org/standardsprocess/main.html

Who can I talk to if I still have questions about this announcement?
For more information on the OTTF, please contact: 

Dave Lounsbury, The Open Group, d.lounsbury@opengroup.org
Sally Long, The Open Group, s.long@opengroup.org
Andras Szakal, OTTF Chairman, aszakal@us.ibm.com

 

