The Open Group Trusted Technology Forum (OTTF): Wednesday
Objective of Meeting
The objective of the OTTF member meeting sessions held on Wednesday was to discuss:
- ISO PAS Submission of the O-TTPS Standard
- Status, Strategy, & Prioritization
- CC Mapping Activities – Liaison with CC-SAE5533 Mapping Activities
- Corrigenda: (1.1) version of the O-TTPS Standard
- Determining whether Change Requests and Problem Reports were within scope for 1.1 or should be postponed for discussion for 2.0 changes
- Making Recommendations for those CRs within scope for 1.1
ISO PAS Process
The OTTF has been discussing the submission of the O-TTPS via the PAS submission process for several months. The Steering Committee guidance we had received was to start the investigative process on logistics for submission and where in ISO it would best fit – with ISO/IEC 27036 being a major contender for that fit. The SC felt that the timing would be right to begin the process for submission once we had completed two pilots so we could better determine whether the standard would need to change significantly as a result. Now that there is one organization successfully through the pilot and in fact through the Accreditation Program, and we see no major changes to the standard in the near future, it seems that we should begin the ISO submission process in earnest.
We hope to be able to provide a definitive statement in our liaison reports to ISO – so hopefully we can obtain the necessary Open Group approvals before we need to submit the liaison statements (March) – or at least before April 1st when we could provide that update at the ISO Conference.
The PAS Process slides can be found here.
Where does the O-TTPS fit in ISO? Where do we and ISO see it fitting in the ISO/IEC 27036 standard? Should we consider a separate standard outside of existing standards?
The process discussion led us to further explore how we would fit with ISO/IEC 27036. There was some concern that ISO/IEC 27036 is a standard for both acquirers and suppliers, but it was felt that we could probably include O-TTPS as a separate part in ISO/IEC 27036 for which we could indicate that it was for COTS ICT providers (component suppliers, technology providers, and integrators) and specifically focused on mitigating the risks of maliciously tainted and counterfeit products.
We plan to discuss this with the editor of ISO/IEC 27036 in more detail next week to get a better idea of what is possible.
One of our major focus areas on all three days of the Member Meeting in San Francisco was reaching agreement on recommendations for Change Requests (CRs) to the O-TTPS. We used a spreadsheet with a row for each CR as the basis for this activity. We recorded whether each CR or PR was to be included in 1.1 or postponed to 2.0, and if it was to be included in 1.1 we provided a proposed recommendation. In the spreadsheet there are a variety of submitted CRs:
- Rows 2-28 are CRs that were submitted to the 1.0 Review Process but were rejected as changes for that now published version and instead recorded for consideration for the next version of the Standard.
- Rows 29-50 are CRs that were submitted by James Andrews on behalf of the EOC (Evidence of Conformance) Task Group as that group worked through the evidence of conformance – and what would later become the Assessment Procedures.
- Rows 52-60 are Problem Reports (PRs) that were recently (within the last three months) submitted to the Problem Reporting Process and were categorized as Interpretations – which means they are Problem Reports against the Standard.
The rendering of the CRs and PRs was captured in the Changes for 1.1 worksheet and, once cleaned up and edited, will be posted to Plato. The suggested changes for 1.1 will be separated from those postponed for 2.0.
Obtain written commitment from IBM that they will sponsor this and identify the resources, and begin completing the Submission Form provided by Andrew Josey. The template Submission Form that he has provided us includes example text from existing successful PAS submissions, and it includes fields/text that should not be changed as they have already been agreed by The Open Group. Once this DRAFT is completed we will vet it with the SC for any further suggestions.
Explore further with the editor of ISO/IEC 27036 how O-TTPS might fit with ISO/IEC 27036, should we decide on and gain approval for a PAS submission to ISO. Sally to schedule a WebEx for the Forum to address some of the concerns and to do a bit of brainstorming on where it might fit.
We will announce to the Forum that we will be doing a version 1.1, ask for any additional change requests, work through the recommendations for those, and then ballot all of the CR recommendations for 1.1. We will then submit it to Company Review.