Defense Department wants secure, global high-tech supply chain

Open Group made steward of trusted supply-chain initiative

Concern about the possibility of malicious back doors ending up in commercial high-tech products is prompting the U.S. Department of Defense (DoD) to push industry to establish a way to vet and identify what's being called a trusted global supply chain.


This trusted supply-chain effort is being picked up by the Open Group, the consortium known for furthering open standards and e-commerce security initiatives. Today the Open Group announced the formation of what it's calling the "Trusted Technology Forum" to foster manufacturing best-practices guidelines to reduce supply-chain risk. According to the forum's members, which include IBM, HP, Microsoft and several others along with the DoD, the future work around the idea may lead to a trusted supply-chain accreditation process for manufacturers and suppliers.

"Part of buying commercial products is accepting you have a global supply chain," says Dave Lounsbury, CTO at the Open Group, which plans to soon issue a so-called "framework" of best practices for manufacturing as a first step.

Over time, the Trusted Technology Forum, which is in discussions not just with U.S. authorities but those in the European Commission and China, anticipates it may be possible to set up an international accreditation process of trusted suppliers globally.

"This was started by the Defense Department," says Andras Szakal, IBM distinguished engineer and board member of the Open Group, about the idea of finding a way to formally and openly identify a trusted supply chain for all the software and hardware components that go into any particular high-tech product.

Founding members of the Trusted Technology Forum include: Boeing, Carnegie-Mellon SEI, CA Technologies, Cisco, HP, IBM, Kingdee International Software Group Company (said to be the Chinese government's official provider), Microsoft, Mitre, NASA, Oracle and the DoD.

The DoD has long had concerns about the possibility of malware and back-door trojans in high-tech goods, and those worries were voiced during the National Cybersecurity Initiative that began back in the Bush Administration, says Szakal. He says the idea behind the Open Group's commitment announced today is to establish shared processes for "secure engineering and supply-chain integrity" that would mitigate any possible "supply-chain attack."

The DoD is said to be providing an undisclosed amount of funding to foster this idea of a supply-chain vetting process that might one day positively impact the procurement process. Like the international Common Criteria product-evaluation process for security in software applications — which Open Group members point to as a basis for looking at the issue — the goal is to organize an accreditation process that would be recognized internationally and used as a foundation for acquisitions.

"Think of it as a preferred list of trusted providers," says Josh Brickman, CA Technologies director of program management, about what a supply-chain accreditation process might one day bring.

However, like the establishment of the international Common Criteria product-evaluation program, it could take several years to actually come about -- the Open Group membership acknowledges there's no certain timeframe for accomplishing its most ambitious goals.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.