Open Trusted Technology Forum (OTTF)
Monday, July 17, 2017
Objective of Meeting
The objectives for the Monday sessions were as follows:
- To discuss the OTTF strategy for 2017, revisit the major OTTF deliverables and outreach strategy, and agree next steps for achieving the 2017 strategy goals
- To discuss and plan how to extend the focus of the OTTF to other areas – in addition to the Forum’s current focus of mitigating the risk of tainted and counterfeit components in ICT
- To determine actions and next steps for outreach activities to increase awareness and market adoption of the Open Trusted Technology Provider™ Standard (O-TTPS) – Mitigating the Risk of Tainted and Counterfeit Products, also known as ISO/IEC 20243, and the O-TTPS Certification Program
The Monday morning session began by recapping the deliverables and milestones of our work thus far and how we might evolve or extend our deliverables.
Highlights of the OTTF deliverables and milestones are captured below:
- The Open Trusted Technology Provider™ Standard – Mitigating Maliciously Tainted and Counterfeit Products (O-TTPS) is the first standard with a certification program that specifies measurable conformance criteria for both product integrity and supply chain security practices
- The standard defines a set of best practices that information and communication technology (ICT) providers should follow throughout the full life cycle of their products from design through disposal – including their supply chains – in order to mitigate the risk of tainted and counterfeit components
- The O-TTPS released Version 1.1 in July 2014; this version was submitted to the International Standards Organization (ISO) and approved as ISO/IEC 20243:2015
- The OTTF also developed the O-TTPS Certification Program, which was launched in February 2014 and includes third-party assessment by O-TTPS Recognized Assessors to evaluate evidence of conformance to the standard, as defined in the publicly available O-TTPS Assessment Procedures; the certification is available to all ICT providers in the supply chain: Original Equipment Manufacturers (OEMs), hardware and software component suppliers, Value-Add Resellers, and Distributors
- In January 2015, The Open Group announced an additional tier in the certification program: the Self-Assessed tier, which offers applicants the option of conducting their own assessment. The O-TTPS Certification Program provides certificates for conformance to both the O-TTPS and ISO/IEC 20243:2015, as the two standards are technically equivalent
Discussion on how we might extend the OTTF deliverables is captured below:
The primary option under consideration is to extend the Forum's focus to other cybersecurity-related areas and communities in need of standards and best practices (e.g., the IoT community).
The discussions that followed were centered on IoT, noting that it is likely the most important emerging area for cybersecurity. There is ample opportunity and a huge need to increase awareness of and collaboration among the existing communities working on IoT security issues, within and outside of The Open Group. The goal is to begin exploring those opportunities by gaining a better understanding of what Forums are currently working on with respect to security. This effort is being accomplished through an exploratory activity (the cybersecurity coordination project) within The Open Group to see how we might build on the work of individual Forums, by embracing related standards that already exist within or outside of The Open Group, as appropriate.
During the Monday morning sessions the Forum members reviewed and discussed several existing efforts (principles and frameworks) related to IoT to get a better idea of what they addressed, what was missing, and whether there were gaps that could be filled by The Open Group, and specifically by the OTTF given its expertise in creating cybersecurity best practices (i.e., the O-TTPS and its certification program). Among the IoT-related efforts outside The Open Group, the following documents were reviewed and discussed:
- Department of Homeland Security (DHS) Strategic Principles for Securing the IoT
- Industrial Internet Consortium Industrial Internet of Things Volume G4: Security Framework
- Online Trust Alliance – an Internet Society Initiative: IoT Security & Privacy Trust Framework v2.5
Moving on from the discussion on evolution of the O-TTPS to extend to IoT, the members revisited, reviewed, and discussed priorities for outreach and re-assigned action/leads for the various priority targets.
On Monday afternoon, there was review and discussion on the development of O-TTPS training programs that would help educate organizations or individuals on:
- How to implement the O-TTPS (ISO/IEC 20243) standard using the O-TTPS Assessment Procedures as a basis
- How to prepare for certification once an organization is familiar with the standard and the conformance criteria
Plans for this training effort are still being developed, but may be kicked off later in this quarter with a webcast that provides the basics.
The Monday afternoon session wrapped up with additional status updates and review for the following items:
- Review and editing of the current Frequently Asked Questions (FAQ) regarding the O-TTPS standard and the certification program (the current FAQ can be found on the certification website in the left-hand navigation bar)
- Update on work that is ongoing in ISO/IEC related to the OTTF:
  - The O-TTPS Assessment Procedures were submitted to ISO/IEC under the PAS process and were approved last quarter by ISO/IEC
  - The O-TTPS standard and Assessment Procedures will be combined as Part 1 and Part 2 of ISO/IEC 20243
  - The ISO Technical Report on ISO/IEC standards for Frameworks, which calls out supply chain standards and references ISO/IEC 20243 (the O-TTPS), is now being balloted
Notes for internal distribution were captured and will be brought back to the entire Forum at the next Steering Committee call.
Next steps for the Forum were as follows:
- Attend Wednesday's joint session with multiple Forums from within The Open Group to learn about and discuss their cybersecurity priorities
- Taking into account the Monday discussions and the Wednesday discussions with multiple Forums on the Cybersecurity Coordination Project, the OTTF will agree during this quarter which cybersecurity-related work it will pursue to extend or evolve the OTTF work