Whether you're buying or selling hardware and software, or acting as systems integrator, the new supply-chain security standard put forward by the Open Group in April could end up having a huge impact on you. Here are a few frequently asked questions that explain why.
What is the Open Group supply-chain security standard and what was the driving force behind it?
It's a 32-page document entitled "Open Trusted Technology Provider Standard (O-TTPS)" Version 1.0. The Open Group itself includes about 400 members from industry, enterprise and government in 90 countries. The Open Group Trusted Technology Forum (OTTF) -- which is chaired by Andras Szakal, vice president and CTO at IBM, with Edna Conway, chief security officer, global value chain at Cisco, as vice chair -- developed the standard. Other OTTF members include representatives from the U.S. Department of Defense (DOD), NASA and Lockheed Martin, plus several IT companies, among them Oracle, EMC, HP, Juniper, Microsoft, Motorola Solutions, Tata Consultancy Services and Dell.
O-TTPS sets organizational guidelines, requirements and recommendations to enhance security in commercial-off-the-shelf (COTS) information and communications technology (ICT) products. O-TTPS is an effort to find ways to deter counterfeiting of IT products and also to prevent "tainting," which might include deliberate malware or misconfigurations aimed at tampering with hardware and software. These kinds of security risks and supply-chain attacks are of deep concern to all buyers of IT, especially the U.S. government and the defense sector.
So how does the O-TTPS hope to reduce counterfeiting and tampering risks and how does this impact me?
O-TTPS asks that certain practices in both logical and physical security be followed by IT and communications suppliers that want to be considered "Trusted Technology Providers." It's expected that a formal conformance and certification process to certify Trusted Technology Providers will be announced by year-end. If the standard is successfully implemented, companies will be able to say they're certified Trusted Technology Providers -- and this might be an advantage with buyers. In some cases, being a certified Trusted Technology Provider might even become a prerequisite for winning IT contracts. The Open Group forum says the goal is also to influence the overall marketplace over time to promote trust and accountability in the information infrastructure.
[Figure: How the Open Group's supply-chain security standard works. Credit: Open Group.]
How is the IT supply chain perceived in the standard?
The standard does make a distinction between a provider and a supplier in this way: "Suppliers are those upstream vendors who supply components or solutions (software or hardware) to providers and integrators" while "Providers are vendors who supply COTS ICT products directly to the downstream integrator or acquirer." Nevertheless, the standard is expected to be adopted by both providers and suppliers that want to attain "Trusted Technology Provider" status. It's meant to ensure that, in the global IT supply chain, third-party software and hardware used in manufacturing and support services are secure and free of counterfeit components or malware. The standard also notes that the current O-TTPS Version 1 "does not apply to the operation or hosting infrastructure of on-line services, but can apply to COTS ICT products in as far as they are utilized by those services."