Early morning session: Meet with potential new members to discuss the value of the Forum and their work and to answer any questions they might have about the Forum.
Late morning session: Meet with additional government customers to gain feedback on the Open Trusted Technology Provider Standard (O-TTPS), which was released in March of this year for feedback, and is downloadable free-of-charge from The Open Group bookstore – see Background section below.
Afternoon session: Evolve the Accreditation Program definition in terms of defining the Assessment Methodology.
In the first morning session, the Forum met with a potential member who had heard about the OTTF through multiple channels and reportedly heard good reviews of the OTTF as a promising industry-government initiative that would deliver a standard of organizational best practices intended to be reasonable and practical. It was a good session – with excellent Q&A and follow-up steps in place.
Later in the morning, the Forum met with representatives from NSA and NIAP who provided feedback on the O-TTPS Standard. It was a good session of candid give and take, and the Forum recorded the suggestions and will be including them as part of the resolution process along with all of the other Change Requests (CRs) that have been submitted via the feedback process. At the time of this meeting recap, we have collected about 45 CRs from multiple sources and organizations.
The afternoon sessions focused on what the Assessment Process would look like and what type of representative sampling would be utilized in defining the number of processes/products that would need to be evaluated in order to provide confidence in the assessment of the organization's best practices.
The Forum released the Open Trusted Technology Provider Standard (O-TTPS) Snapshot in March of this year and it can be downloaded free-of-charge from The Open Group bookstore by clicking on the link above.
The O-TTPS Snapshot is a draft – a snapshot in time – of what is intended to become an open standard for organizational commercial best practices that, when properly adhered to, will enhance the security of the global supply chain and the integrity of Commercial Off-The-Shelf (COTS) Information Communication Technology (ICT) products. It will provide a set of best practice requirements and recommendations that help assure specifically against tainted and counterfeit products throughout the COTS ICT product life cycle, encompassing the following phases: design, sourcing, build, fulfillment, distribution, sustainment, and disposal.
Using the guidelines and best practices documented in the O-TTPF (Framework) as a basis, the OTTF will take a phased approach and stage the O-TTPS releases over time. This staging will consist of standards that focus on mitigating specific COTS ICT risks from emerging threats. As threats change or market needs evolve, the OTTF intends to update the O-TTPS (Standard) by releasing addenda to address specific threats or market needs.
The Framework, on which the Snapshot is based, is an evolving compendium of organizational guidelines and best practices relating to COTS ICT products and the security of the supply chain throughout the entire product life cycle. A publicly available early version of the Framework was released as a White Paper in February 2011.
Continue evolving the standard, the evidence of conformance, the Pilot program, and the Accreditation Program Policy. The Forum members meet twice a week to progress this work.
If you are interested in joining the OTTF so that your organization can be part of the consensus process as it defines the Accreditation Program and refines the Snapshot to Version 1.0 of the Standard, then please contact Chris Parnell at firstname.lastname@example.org.