IT supply-chain security standard aims to prevent counterfeits, tampering

Open Group's "Open Trusted Technology Provider Standard" backed by Cisco, IBM, NSA, DoD, others

The danger of counterfeit and tampered IT products is well known, and to fight it, the Open Group has published a technical security standard aimed at supply-chain safety. It's anticipated that by year-end there will also be an official accreditation process under way so technology suppliers can prove adherence to the standard, according to some of those involved, who include IBM and Cisco.

The Open Group's Trusted Technology Forum (OTTF) has published the standard, called the "Open Trusted Technology Provider Standard (O-TTPS)," as a 32-page document available on the Open Group website. It's described as "a set of guidelines, requirements and recommendations that, when practically applied, create a business benefit in terms of reduced risk of acquiring maliciously tainted or counterfeit products for the technology acquirer."

It seeks to lay out best practices in design, sourcing, building, fulfillment and other facets of supply chain distribution, including for integrators. It addresses the huge concern that fake or tampered electronics, hardware and software are being sold, a concern that has been voiced specifically by the U.S. government and the Department of Defense in particular.

Andras Szakal, vice president and chief technology officer at IBM, is chair of OTTF, and Edna Conway, chief security officer, global value chain, at Cisco, serves as its vice chair.

While neither would discuss specifics about how the Open Group's new supply-chain safety standard might be adopted at IBM and Cisco, they underscored the importance ascribed to it. They indicated a formal accreditation process is being formulated at Open Group in which technology suppliers in the future would be able to demonstrate adherence to O-TTPS.

"The focus is on conformance criteria to the standard and the structure of an accreditation program," said Szakal, adding the goal is to have a formal independent accreditation process in place towards the end of the year.

O-TTPS is intended to assure satisfactory security controls are in place for both logical and physical security for a trusted supplier, even down to how open-source components are used in information security and how you mitigate malware, Szakal says.

In addition to IBM and Cisco, high-tech firms and government agencies contributing to it include Juniper, Raytheon, CA Technologies, HP, Microsoft, Booz-Allen Hamilton, Huawei, EMC, Qualys, LynuxWorks, Boeing, the National Security Agency, the U.S. Department of Defense and NASA.

Conway pointed out that this public-private partnership for the standard was accomplished to address concerns that have been raised about the safety of the supply chain, as Department of Homeland Security Secretary Janet Napolitano emphasized over a year ago in her talk at the global economics conference in Davos, Switzerland.

The Open Group was seen as a good technical forum to develop a supply-chain safety standard because its membership extends to over 90 countries, says Sally Long, director of the Open Group Trusted Technology Forum (OTTF). While there's no specific date yet set to announce how the conformance testing and accreditation process for the Open Group standard will be carried out, the standard's backers are urging their IT industry supply-chain partners of all stripes to become familiar with the concepts in the document as adherence to it is expected to grow in importance as time goes on.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com.
