San Francisco 2017: Proceedings - OTTF

The Open Group Trusted Technology Forum (OTTF) Members' Meetings

(Monday, January 30)

Objective of Meeting

The group was to discuss the outreach strategy for 2017. The goal was to revisit the major OTTF deliverables and the outreach strategy activities that were proposed by the Framework Work Stream leading up to the member meeting, agree objectives for 2017, and outline activities with next steps for achieving each of the objectives.

Summary

Monday morning was set aside for attending the Plenary session.

Monday afternoon began with the Open Track Session on Trusted Technology featuring the following presentations:

The first presentation, from Andras Szakal and Sally Long, focused on the Open Trusted Technology Provider Standard (O-TTPS), highlighting the following announcements that were made during the event:

  • The re-launch of the O-TTPS Certification Program, which now certifies Information and Communication Technology (ICT) providers for conformance to either the O-TTPS or to ISO/IEC 20243:2015, and which now includes a Self-Assessment tier option along with the existing Third-Party Assessment tier option. For more information on the O-TTPS Certification Program please visit the certification website.
  • Publication of the new O-TTPS Executive Managers' Guide: O-TTPS for ICT Product Integrity and Supply Chain Security – A Management Guide, available from The Open Group Bookstore at www.opengroup.org/bookstore/catalog/g169.htm.

The Guide offers guidance to managers – business managers, procurement managers, or program managers – who are considering adopting the best practices or becoming certified as an Open Trusted Technology Provider™. It provides valuable information on:

  • The best practices in the Standard, with an Appendix that includes all of the requirements
  • The business rationale for why a company should consider implementing the Standard and becoming certified
  • What an organization should understand about the Certification Program and how they can best prepare for the process
  • The differences between the options (self-assessed or third-party assessed) that are currently available for the Certification Program
  • The process steps and the terms and conditions of the certification, with pointers to the relevant supporting documents, which are freely available

For further information on the Manager’s Guide, have a look at The Open Group Blog by Sally Long.

The second presentation, from Andy Purdy, focused on the EastWest Institute’s Buyers Guide. Increasing the security of ICT products and services is paramount to their continued use in governments and businesses around the world. Guidance based upon objective standards, best practices, and risk management techniques can help purchasers of these products and services make informed decisions to reduce their own risk. The EWI Buyers Guide is intended to help buyers and suppliers better understand and address supply chain risk and aims to increase the global availability and use of secure ICT products and services.

Following the Open Track Session, the OTTF member meeting began with a brainstorming session on the OTTF 2017 Strategy. That was continued throughout the day on Tuesday. See the proceedings for Tuesday for further details.

Outputs

Brainstorming input on the 2017 OTTF strategy was captured on Monday as a basis for continuing the discussion on Tuesday.

Next Steps

The member meeting began during the last session on Monday (4:00 – 5:30) and continued throughout the day on Tuesday. See the proceedings for Tuesday for agreed next steps to progress the strategy objectives.

Links

See above.

(Tuesday, January 31)

Objective of Meeting

The group was to discuss the outreach strategy for 2017. The goal was to revisit the major OTTF deliverables and the outreach strategy activities that were proposed by the Framework Work Stream leading up to the member meeting, agree objectives for 2017, and outline activities with next steps for achieving each of the objectives.

Summary

Tuesday began with a recap of the brainstorming output from Monday afternoon and continued with reaching consensus on explicit objectives for 2017. This was followed by identifying activities for those objectives and drafting some next steps for those activities.

Outputs

The recommendations on objectives, activities, and next steps were captured and are included in notes for further discussion with the OTTF Steering Committee.

Next Steps

The first step is to vet the objectives and recommendations with the OTTF Steering Committee and then to proceed with progressing the agreed activities.

Links

The links to the outputs are not included here as they are for OTTF membership only.

(Wednesday, February 1)

Objective of Meeting

There were two objectives for Wednesday:

  1. Review the new revision of the Cybersecurity Framework, which was posted by NIST and is now out for comment, and agree on a set of collective comments for submission to the NIST online comment site before the deadline. The deadline to send comments on the Draft Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 is April 10, 2017.
  2. Review the ISO/IEC 17050 standard requirements to determine if we could cast the new tier as a “Supplier's Declaration of Conformity” as defined in that standard.

Summary

In reviewing the new draft of the Cybersecurity Framework, there was a good deal of discussion on the new supply chain sections that were added to the Tier characterizations within the Framework, the supply-chain subcategory that was added, and the external references that were supposed to have applied to supply chain. These comments were captured for further discussion at the Steering Committee.

The review of ISO/IEC 17050 was informative – but the members in attendance felt that because we had just launched the Self-Assessment tier, we should let it stand as-is, until we can see what uptake we get with the current/new version of the Certification Program. If, at a future date, any members feel they want to revise the Self-Assessment tier to align with ISO/IEC 17050, they can feel free to propose it to the Steering Committee as a new project.

Outputs

The suggested comments for the NIST Cybersecurity Framework were captured as comments or edits in a red-lined version of the Framework.

Next Steps

The next step is to share the comments with the OTTF Steering Committee. The comments can act as a basis for each member to draw from if they decide to individually submit their own comments to NIST. The comments must be submitted to NIST by April 10, 2017.

Links

The links to the outputs are not included here as they are for OTTF membership only.