Whether you're buying or selling hardware and software, or acting as systems integrator, the new supply-chain security standard put forward by the Open Group in April could end up having a huge impact on you. Here are a few frequently asked questions that explain why.
What is the Open Group supply-chain security standard and what was the driving force behind it?
It's a 32-page document entitled "Open Trusted Technology Provider Standard (O-TTPS)" Version 1.0. The Open Group itself includes about 400 members from industry, enterprise and government in 90 countries. The Open Group Trusted Technology Forum (OTTF) -- which is chaired by Andras Szakal, vice president and CTO at IBM, with Edna Conway, chief security officer, global value chain at Cisco, as vice chair -- developed the standard. Other OTTF members include representatives from the U.S. Department of Defense (DOD), NASA and Lockheed Martin, plus several IT companies, among them Oracle, EMC, HP, Juniper, Microsoft, Motorola Solutions, Tata Consultancy Services and Dell.
O-TTPS sets organizational guidelines, requirements and recommendations to enhance security in commercial-off-the-shelf (COTS) information and communications technology (ICT) products. O-TTPS is an effort to find ways to deter counterfeiting of IT products and also prevent "tainting" that might include deliberate malware or misconfigurations aimed at tampering with hardware and software. These kind of security risks and supply-chain attacks are of deep concern to all buyers of IT, especially the U.S. government and the defense sector.
So how does the O-TTPS hope to reduce counterfeiting and tampering risks and how does this impact me?
O-TTPS asks that certain practices in both logical and physical security be followed by IT and communications suppliers that want to be considered "Trusted Technology Providers." It's expected that a formal conformance and certification process to certify Trusted Technology Providers will be announced by year-end. If the standard is successfully implemented, companies that can say they're certified Trusted Technology Providers -- and this might be an advantage with buyers. In some cases, being a certified Trusted Technology Provider might even become a prerequisite in order to succeed in winning IT contracts. The Open Group forum says the goal is also to influence the overall marketplace over time to promote trust and accountability in the information infrastructure.
Credit: Open Group
How the Open Group's supply-chain security standard works.
How is the IT supply chain perceived in the standard?
The standard does make a distinction between a provider and a supplier in this way: "Suppliers are those upstream vendors who supply components or solutions (software or hardware) to providers and integrators" while "Providers are vendors who supply COTS ICT products directly to the downstream integrator or acquirer." Nevertheless, the standard is expected to be adopted by both providers and suppliers that want to attain "Trusted Technology Provider" status. It's meant to ensure in the global IT supply chain, third-party software and hardware in manufacturing and support services is secure and free of counterfeit components or malware. The standard also notes that the current O-TTPS Version 1 "does not apply to the operation or hosting infrastructure of on-line services, but can apply to COTS ICT products in as far as they are utilized by those services."
What kind of security practices does O-TTPS ask IT providers to adopt?
O-TTPS sets forth several required "best practices" and recommendations related to the entire product lifecycle that ranges from design, sourcing, build, fulfillment, distribution, sustainment and disposal. Among the security-related requirements listed in Section 4 of O-TTPS can be found:
- Full documentation of the engineering process, configuration and components and tracking and, if need be, any that "are proven to be targets of tainting or counterfeiting as they progress through the lifecycle."
- Established quality testing procedures, and security update and defect management processes.
- Threat analysis and mitigation to assess potential attacks, plus vulnerability analysis, patching and remediation.
- Secure coding practices and regular training of secure engineering, plus monitoring changes to the "threat landscape."
- Risk-based physical security procures that are well-documented.
- Access controls established for all product-relevant intellectual property and assets, subject to audit.
- Background checks on employees and contractors "whose activities are directly related to sensitive product supply chain activities (within reason given local customs and according to local law)."
- Recommending O-TTPS to "relevant business partners."
- Secure transmission and handling controls related to IT assets, plus physical security. Methods of verifying authenticity and integrity of products after delivery should be available.
- To keep malware out of components received from suppliers or in products delivered to customers and integrators, commercial malware detection tools need to be deployed as part of the code acceptance and development process, and before delivery.
There are specific requirements and recommendations related to use of open-source software components. What are they?
Open source assets and components have to be identified "as derived from well-understood component lineage." For these components, ongoing support and patching "shall be clearly understood." This means that there needs to be a tight rein on open source so that it's treated like any other type of software under the O-TTPS guidelines.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email: email@example.com.