The Open Group Conference, Washington DC, 2012: Proceedings
       

Open Group Trusted Technology Forum (OTTF)

Objective of Meeting

The Forum devoted the morning and early afternoon to participating in the Plenary and the OTTF Open Track session, to learn about the varying views of industry and government subject matter experts and to see how those views might be taken into account as the Forum progresses its work.

The objective of the afternoon was to obtain customer feedback on their work on the Open Trusted Technology Provider Standard (O-TTPS) Snapshot and to progress the definition of the Accreditation Program they are developing for the O-TTPS.

Summary

The morning plenary and open track sessions (see also the Plenary report) featured a great set of presenters and discussions on CyberSecurity and Resiliency from subject matter experts in these fields including presentations from our own OTTF member organizations (denoted **), whose presentations focused on supply chain, new government practices, and government-industry partnerships – including some major highlights of the OTTF:

The afternoon on Monday was devoted to obtaining customer feedback on the Open Trusted Technology Provider Standard (O-TTPS) Snapshot and evolving the definition of the Accreditation Program for the O-TTPS.

Background

The Forum released the Open Trusted Technology Provider Standard (O-TTPS) Snapshot in March of this year, and it can be downloaded free-of-charge from The Open Group bookstore.

The O-TTPS Snapshot is a draft – a snapshot in time – of what is intended to become an open standard for organizational commercial best practices that, when properly adhered to, will enhance the security of the global supply chain and the integrity of Commercial Off-The-Shelf (COTS) Information Communication Technology (ICT) products. It will provide a set of best practice requirements and recommendations that help assure specifically against tainted and counterfeit products throughout the COTS ICT product life cycle, encompassing the following phases: design, sourcing, build, fulfillment, distribution, sustainment, and disposal.

Using the guidelines and best practices documented in the O-TTPF (Framework) as a basis, the OTTF will take a phased approach and stage the O-TTPS releases over time. This staging will consist of standards that focus on mitigating specific COTS ICT risks from emerging threats. As threats change or market needs evolve, the OTTF intends to update the O-TTPS (Standard) by releasing addenda to address specific threats or market needs.

The Framework, on which the Snapshot is based, is an evolving compendium of organizational guidelines and best practices relating to COTS ICT products and the security of the supply chain throughout the entire product life cycle. A publicly available early version of the Framework was released as a White Paper in February 2011.

Customer Input

The first afternoon session was devoted to obtaining customer feedback, in particular from a representative of the Department of Homeland Security, who also shared with us some of his ideas on certification and on mitigating the risks of weaknesses and vulnerabilities in the software aspects of the supply chain – stressing the importance of process evaluation, which is the OTTF focus – as well as product evaluation. He also stressed the importance of best practices during development as well as during the traditional supply-chain activities.

Piloting the Concept of the Accreditation Program

This session was spent discussing a trial pilot, which would be conducted internally among the members to validate that our standard, the conformance requirements, and the evidence required to show conformance were defined sufficiently to allow for objectivity, repeatability, and consistency for all assessors and applicants.

Outputs

The Outputs are revisions to the ongoing accreditation definition work in the Forum. Once the Forum members have reached consensus on the definition of the Accreditation Program Policy, it will be approved through The Open Group Review and Approval Process.

Next Steps

Continue evolving the standard, the evidence of conformance, the Pilot program, and the Accreditation Program Policy. The Forum members meet twice a week to progress this work.

If you are interested in joining the OTTF so that your organization can be part of the consensus process as it defines the Accreditation Program and refines the Snapshot to Version 1.0 of the Standard, then please contact Chris Parnell at c.parnell@opengroup.org.



   