San Diego 2015: Proceedings - OTTF


The Open Group Trusted Technology Forum (OTTF)
Members' Meetings (Tues & Wed)

Objective of Meeting

The objectives of the OTTF member meeting sessions were to:

  1. Review the OTTF Roadmap
  2. Draft a response to the Due Diligence Acquisition RFI
  3. Update status and discuss any concerns on the Publicly Available Specification (PAS) of the Open Trusted Technology Standard – Mitigating Tainted and Counterfeit Products (O-TTPS) v1.1
  4. Provide a progress report on the Simplified Chinese Translation of the O-TTPS v1.1
  5. Provide an update on the publication of v1.1 of the O-TTPS Assessment Procedures, which enhances the Assessment Procedures where they apply to Component Suppliers, Integrators, and Value-Add Resellers and Non-Value-Add Resellers – once published these will be updated on the Public O-TTPS Accreditation website
  6. Discuss and identify next steps for publication of the Common Criteria (CC) to O-TTPS Mapping Table
  7. Discuss and identify next steps for publication of the NIST Cybersecurity Framework to O-TTPS Mapping/Implementation Guide
  8. Reach consensus on updates to the Accreditation Policy to account for the O-TTPS and Accreditation Program revisions
  9. Provide an overview of and solicit feedback on The Open Group marketing strategy for OTTF, the Global Outreach priorities, and the Wikipedia Article proposed for publication

Summary

The OTTF members participated in the Monday Plenary and Open Track on Risk, Dependability, and Trusted Technology, where several OTTF members presented.

OTTF Roadmap

The Roadmap, which is updated each quarter, was presented and milestones were discussed.

Response to the Due Diligence Acquisition RFI

The response was drafted in a spreadsheet, which had the consensus of those at the meeting.

Sally will write the response in text form and submit it to the Global Outreach and Standards Harmonization (GOSH) and SC simultaneously for consensus to submit.

If there is no consensus to submit collectively, anyone is free to submit all or part of the drafted response independently.

PAS Submission to ISO

The Open Group requested that ISO/IEC JTC1 approve the O-TTPS (Standard) as a PAS Submission in August 2014. The five-month Draft Ballot by ISO to continue the approval process was completed in January, and approval was granted to move forward in ISO with the Final (two-month) Ballot, to be issued soon.

Chinese Translation of O-TTPS v1.1

A translation (Simplified Chinese) of the O-TTPS v1.1 has been completed and the Company Review for that translation has begun – we are resolving Change Requests now and expect the Chinese Translation CR recommendations to be balloted soon by the OTTF Steering Committee, with publication of the Simplified Chinese version of the Standard expected in the March-April 2015 timeframe.

O-TTPS Assessment Procedures

A new version (1.1) of the Assessment Procedures will be published in Q1 of this year on the O-TTPS Accreditation website. This is to account for any changes resulting from the use-case scenarios that were applied to the Assessment Procedures; for example, Printed Circuit Board (PCB) providers, Integrators, and Value-Add Resellers and Distributors.

O-TTPS to Common Criteria (CC) Mapping Table

Last quarter the Forum completed a mapping table of Common Criteria Evaluation Procedures to O-TTPS Assessment Procedures. The mapping table is intended to be an O-TTPS Accreditation support document to be used by O-TTPS Recognized Assessors during assessments. It applies only to the O-TTPS Accreditation Program and only for those cases where a Selected Representative Product, which is being assessed in the program, is already a Common Criteria (CC) Target of Evaluation (TOE) with a published Security Target. This table will assist O-TTPS Recognized Assessors in determining which O-TTPS Assessment Procedures can be met by certain relevant CC SARs if they are stated as claims in the published Security Target and have been evaluated.

This document will now be presented to The Open Group Executive Management team and Legal Counsel to assure it is ready for publication – a meeting with the CC will likely accompany the publication of the document so that we can update them on our efforts. This mapping effort is an attempt to keep aligned with the OTTF philosophy of measuring once, so where reputable certificates of conformance already exist for some O-TTPS requirements, those certificates could be acceptable as evidence that an Organization has met those requirements – rather than needing to duplicate the effort/evidence.

The first version of the mapping table is expected to be published as an O-TTPS Accreditation support document on the O-TTPS Accreditation website in Q1 of 2015.

O-TTPS to NIST Cybersecurity Framework Mapping/Implementation Guide

The OTTF was asked by NIST to provide a mapping of the O-TTPS to the NIST Cybersecurity Framework. In response to that request, the OTTF Global Outreach and Standards Harmonization (GOSH) Working Group completed a final draft of the O-TTPS to NIST Cybersecurity Framework Mapping/Implementation Guide in January 2015.

The next steps prior to publication are to approve the document (two weeks) and complete The Open Group Guide Review Process.

Discuss Updates to the Accreditation Policy

The draft resolutions on policy updates will be brought back to the OTTF SC for approval – and will then need to go through the Company Review Process.

Provide an Overview of The Open Group Marketing Strategy for OTTF

The marketing strategy for OTTF, Global Outreach priorities, and proposed Wikipedia article were discussed, feedback was provided, and suggested edits incorporated for consideration. It was proposed that we might need additional meetings to refine and schedule some of the actions that involve membership.

Outputs

Outputs are described in the Summary above.

Next Steps

  1. The Roadmap is updated every quarter to reflect any changes that have occurred in the deliverables or the timelines.
  2. Complete the consensus building for the OTTF Response on the Due Diligence RFI and submit.
  3. Continue monitoring the O-TTPS PAS Submission Approval process and, if approved, work with Andrew Josey and the ISO mentor to set up an appropriate liaison/maintenance committee and process for evolution of the standard. If it is approved, The Open Group Marketing team will work on a plan for announcing the approval.
  4. Complete the Company Review Process for the Simplified Chinese Translation of O-TTPS v1.1 and publish the translated version.
  5. Once the O-TTPS v1.1 Assessment Procedures has final Executive Management approval to publish, The Open Group Editor, Cathy Fox, will publish the new version in The Open Group Bookstore and on the Accreditation website.
  6. The O-TTPS-to-CC Mapping Table is complete and will now be presented to The Open Group Executive Management team and Legal Counsel to assure it is ready for publication, after which it will proceed to publication. The first version of the mapping table is expected to be published as an O-TTPS Accreditation support document on the O-TTPS Accreditation website in Q1 of 2015.
  7. The next steps prior to publication of the O-TTPS to NIST Cybersecurity Framework Mapping/Implementation Guide are to secure approval of the document (two weeks) by the OTTF Steering Committee and complete The Open Group Guide Review Process.
  8. Input on the Accreditation Policy to account for OTTF Standard and Accreditation Program revisions will be brought back to the OTTF SC for approval – and will then need to go through the Company Review Process.
  9. Continue to update the members on The Open Group marketing strategy for OTTF, the Global Outreach priorities, and the Wikipedia article proposed for publication. It was proposed that we might need additional meetings to refine and schedule some of the actions that involve membership.

Links

See above.