OTTP-S ISO20243 STD v1.1 en
OTTP-S ISO20243 STD v1.1 en
OTTP-S ISO20243 STD v1.1 en
List of Tables
Table 1: O-TTPS Constituents and their Roles ................................................................... 6
Table 2: Threat Mapping ................................................................................................... 14
List of Figures
Figure 1: Constituents ......................................................................................................... 6
Figure 2: Product Life Cycle – Categories and Activities ................................................. 15
The Open Group is a global consortium that enables the achievement of business objectives
through IT standards. With more than 400 member organizations, The Open Group has a diverse
membership that spans all sectors of the IT community – customers, systems and solutions
suppliers, tool vendors, integrators, and consultants, as well as academics and researchers – to:
Capture, understand, and address current and emerging requirements, and establish
policies and share best practices
Facilitate interoperability, develop consensus, and evolve and integrate specifications and
open source technologies
Offer a comprehensive set of services to enhance the operational efficiency of consortia
Operate the industry’s premier certification service
The Open Group publishes a wide range of technical documentation, most of which is focused
on development of Open Group Standards and Guides, but which also includes white papers,
technical studies, certification and testing documentation, and business titles. Full details and a
catalog are available at www.opengroup.org/bookstore.
Readers should note that updates – in the form of Corrigenda – may apply to any publication.
This information is published at www.opengroup.org/corrigenda.
This Document
The Open Group Trusted Technology Forum (OTTF or Forum) is a global initiative that invites
industry, government, and other interested participants to work together to evolve this Standard
and other OTTF deliverables.
This Standard is the Open Trusted Technology Provider Standard (O-TTPS). The Standard has
been developed by the OTTF and approved by The Open Group, through The Open Group
Company Review process. There are two distinct elements that should be understood with
respect to this Standard: the O-TTPF (Framework) and the O-TTPS (Standard).
The O-TTPS (Standard): The O-TTPS is an open standard containing a set of guidelines that
when properly adhered to have been shown to enhance the security of the global supply chain
and the integrity of COTS ICT products. It provides a set of guidelines, requirements, and
recommendations that help assure against maliciously tainted and counterfeit products
throughout the COTS ICT product life cycle encompassing the following phases: design,
sourcing, build, fulfillment, distribution, sustainment, and disposal.
Using the guidelines documented in the Framework as a basis, the OTTF is taking a phased
approach and staging O-TTPS releases over time. This staging will consist of standards that
focus on mitigating specific COTS ICT risks from emerging threats. As threats change or market
needs evolve, the OTTF intends to update the O-TTPS (Standard) by releasing addenda to
address specific threats or market needs.
The Standard is aimed at enhancing the integrity of COTS ICT products and helping customers
to manage sourcing risk. The authors of this Standard recognize the value that it can bring to
governments and commercial customers worldwide, particularly those who adopt procurement
and sourcing strategies that reward those vendors who follow the O-TTPS best practice
requirements and recommendations.
Note: Any reference to “providers” is intended to refer to COTS ICT providers. The use of
the word “component” is intended to refer to either hardware or software components.
Intended Audience
This Standard is intended for organizations interested in helping the industry evolve to meet the
threats in the delivery of trustworthy COTS ICT products. It is intended to provide enough
context and information on business drivers to enable its audience to understand the value in
adopting the guidelines, requirements, and recommendations specified within. It also allows
providers, suppliers, and integrators to begin planning how to implement the Standard in their
organizations. Additionally, acquirers and customers can begin recommending the adoption of
the Standard to their providers and integrators.
All other brands, company, and product names are used for identification purposes only and may
be trademarks that are the sole property of their respective owners.
In particular we would like to provide a special thank you and acknowledgement to the Chair
and Vice Chair of the OTTF: Andras Szakal, IBM (Chair) and Edna Conway, Cisco Systems
(Vice Chair).
The contributing members of The Open Group Trusted Technology Forum (OTTF):
Contributors Organization
Jon Amis Dell, Inc.
Paul Aschwald Hewlett-Packard Company
Nadya Bartol (formerly of) Booz Allen Hamilton
James Bean Juniper Networks
Kristen Baldwin US DoD AT&L
Terry Blevins MITRE
Joshua Brickman CA Technologies
Stan Brown CA Technologies
Ben Calloni Lockheed Martin
Suresh Cheruserri (formerly of) Tata Consultancy Services
YouHong (Robert) Chu Kingdee Software
Erv Comer Motorola Solutions
Erin Connor Electronic Warfare Associates (EWA) – Canada Ltd.
Tammy Compton (formerly of) SAIC
Edna Conway Cisco Systems Inc.
OTTF Vice-Chair
Don Davidson DOD-CIO
Mary Ann Davidson Oracle Corporation
Charles Dekle (formerly of) US DoD AT&L
Terrie Diaz Cisco Systems Inc.
Robert Dix Juniper Networks
Holly Dunlap Raytheon Company
Bob Ellison SEI
Marcus Fedeli (formerly of) NASA
Contributor Name
Randy Barr Qualys
Rance DeLong LynuxWorks
Chris Fagan (formerly of) Microsoft Corporation
Rob Hoffman High Assurance Systems, Inc.
Dave McDermitt (formerly of) SAIC
Terry Morgan (formerly of) Cisco Systems Inc.
Paul Nicholas Microsoft Corporation
Kerri Patterson (formerly of) Cisco Systems Inc.
Steve Venema The Boeing Company
Larry Wagoner NSA
Name Role
James Andrews The Open Group Conformance Quality Manager
Joe Bergmann Open Group Government Relations, Director, RT&ES
James de Raeve VP Certification
Cathy Fox Technical Editor
Jim Hietala VP Security
Andrew Josey Director, Standards
Sally Long Director, The Open Group Trusted Technology Forum (OTTF)
Dave Lounsbury Chief Technical Officer
This chapter introduces this Standard – the Open Trusted Technology Provider Standard (O-
TTPS) – and the normative terminology that should be understood in relation to specific
requirements and recommendations found in Chapter 4 of this document.
1.1 Objectives
The Open Trusted Technology Provider Standard (O-TTPS) is a set of guidelines, requirements,
and recommendations that, when practically applied, create a business benefit in terms of
reduced risk of acquiring maliciously tainted or counterfeit products for the technology acquirer.
Documenting best practices that have been taken from the experience of mature industry
providers, rigorously reviewed through a consensus process, and established as requirements and
recommendations in this Standard, can provide significant advantage in establishing a basis to
reduce risk. A commitment by technology providers, large and small, suppliers of hardware and
software components, and integrators to adopt this Standard is a commitment to using specific
methodologies to assure the integrity of their hardware or software Commercial Off-the-Shelf
(COTS) Information and Communication Technology (ICT) products. This Standard is detailed
and prescriptive enough to be useful in raising the bar for all providers and lends itself to an
accreditation process to provide assurance that it is being followed in a meaningful and
repeatable manner.
1.2 Overview
This Standard (O-TTPS) is a set of guidelines, requirements, and recommendations that address
specific threats to the integrity of hardware and software COTS ICT products throughout the
product life cycle. This initial release of the Standard addresses threats related to maliciously
tainted and counterfeit products.
The provider’s product life cycle includes the work it does designing and developing products,
as well as the supply chain aspects of that life cycle, collectively extending through the
following phases: design, sourcing, build, fulfillment, distribution, sustainment, and disposal.
While this Standard cannot fully address threats that originate wholly outside any span of control
of the provider – for example, a counterfeiter producing a fake printed circuit board assembly
that has no original linkage to the Original Equipment Manufacturer (OEM) – the practices
detailed in the Standard will provide some level of mitigation. An example of such a practice
would be the use of security labeling techniques in legitimate products.
The two major threats that acquirers face today in their COTS ICT procurements, as addressed in
this Standard, are defined as:
1. Maliciously tainted product – the product is produced by the provider and is acquired
through a provider’s authorized channel, but has been tampered with maliciously.
Note: All instances, within this standard, of the use of the words: taint, tainted, tainting, refer
to maliciously taint, maliciously tainted, and maliciously tainting, respectively.
Trusted Technology Providers manage their product life cycle, including their extended supply
chains, through the application of defined, monitored, and validated best practices. The product’s
integrity is strengthened when providers and suppliers follow the requirements and
recommendations specified in this Standard. The industry consensus reflected here and in the
Open Trusted Technology Provider Framework (O-TTPF) draws from the following areas that
are integral to product integrity: product development/engineering, secure
development/engineering, and supply chain security. Additionally, product integrity and supply
chain security are enhanced by following practices among suppliers, trading partners, providers,
and, when appropriate, acquiring customers to preserve the product’s intended configuration.
This Standard is focused on the security of the supply chain versus the business management
aspects of the supply chain. This Standard takes a comprehensive view about what providers
should do in order to be considered a Trusted Technology Provider that “builds with integrity”.
This includes practices that providers incorporate in their own internal product life cycle
processes, that portion of product development that is “in-house” and over which they have more
direct operational control. Additionally, it includes the provider’s supply chain security practices
that need to be followed when incorporating third-party hardware or software components, or
when depending on external manufacturing and delivery or supportive services.
The Standard makes a distinction between provider and supplier. Suppliers are those upstream
vendors who supply components or solutions (software or hardware) to providers or integrators.
Providers are those vendors who supply COTS ICT products directly to the downstream
integrator or acquirer.
Ideally, the guidelines, requirements, and recommendations included in this Standard will be
widely adopted by providers and their suppliers regardless of size and will provide benefits
throughout the industry.
For this version of the Standard, the following elements are considered out of scope:
This Standard does not focus on guidelines, requirements, and recommendations for the
acquirer. The Forum is considering addressing this area in subsequent versions of the
Standard. In the meantime, an acquirer does have a role to play in assuring that the
products and components they procure are built with integrity. One of the ways that the
acquirer can do that is to require their providers, suppliers, and integrators to be Trusted
Technology Providers. Another way is to not knowingly support the “grey market”,
realizing that if an acquirer elects to receive hardware or software support from grey
market suppliers, it is at their own risk and generally outside of the influence of the
legitimate provider.
This Standard is not meant to be comprehensive as to all practices that a provider should
follow when building software or hardware. For a more comprehensive set of foundational
This Standard complements existing standards covering product security functionality and
product information assurance, such as ISO/IEC 15408 (Common Criteria).
1.3 Conformance
The OTTF intends to develop conformance criteria and create an Accreditation Policy and
Program for the Open Trusted Technology Provider Standard (O-TTPS) as a useful tool for all
constituents with an interest in supply chain security. Without the associated conformance
criteria and an Accreditation Program, there is no assurance that an organization has
implemented practices according to the O-TTPS.
Accreditation will provide formal recognition of conformance to the O-TTPS, which allows:
Providers and practitioners to make and substantiate clear claims of conformance to the
Standard
Acquirers to specify and successfully procure from providers who conform to the
Standard
1.4 Terminology
This section provides a set of terms and their definitions, which should be used when describing
and interpreting the Standard requirements and recommendations specified in Chapter 4 of this
Standard. These terms are aligned with ISO/IEC Directives, Part 2 (Annex H).
Can Used for statements of possibility and capability, whether material, physical,
or causal.
This chapter describes the typical business environment, the business rationale, the context of
Commercial Off-the-Shelf (COTS) Information and Communication Technology (ICT), and an
overview of the Open Trusted Technology Provider Framework (O-TTPF) and this Open
Trusted Technology Provider Standard (O-TTPS).
As cyber attacks increase in sophistication, stealth, and severity, global governments and larger
enterprises have also begun to take a more comprehensive approach to risk management as it
applies to product integrity and supply chain security. In addition to enhancing information
security by improving security practices across the enterprise, governments and enterprises have
begun inquiring about the practices COTS ICT vendors use to protect the integrity of their
products and services as they are developed and moved through the global supply chain. First,
one needs to understand the extent of the global supply chain by looking at an operational
scenario.
Accreditation
Figure 1: Constituents
Because COTS ICT products are used extensively in both private industry and government
acquisition, an alignment of interests exists between enterprise customers and government
customers. There is a shared business value in understanding the factors that contribute to the
integrity of COTS ICT products and supply chain security, identifying those practices that can
improve product integrity and supply chain security, accrediting providers who follow those best
practices, and knowing how to identify trustworthy products that were built by Trusted
Technology Providers.
The OTTF also intends to provide an accreditation program that will allow providers who meet
the O-TTPS requirements and recommendations to become accredited and acknowledged on a
public accreditation registry, so that customers from industry and government can buy from
those Trusted Technology Providers with increased confidence.
By working together, the members of the OTTF have brought to the table their own best
practices and have created a composite set of best practice requirements and recommendations to
be codified in this and future Standards. The OTTF work is notable in representing consensus for
commercially reasonable best practices from industry in addressing the threats in focus. Once the
Standards have been approved and published they will be available for large and small
organizations throughout the world, to reference and incorporate into their practices with the
intent of raising the bar for all providers and component suppliers. This, in and of itself, would
be a major benefit for global providers and customers, including governments.
Equally important to optimizing this Standard is limiting focus to those supply chain risks that
are specifically associated with a targeted supply chain attack. There is a clear difference
between the variety of supply chain business risks (e.g., a supplier going out of business or
selling a bad product) and those risks associated with a targeted supply chain attack (e.g.,
someone maliciously corrupting a component within a product being sold). Two of the principal
targeted attack areas relate to tainted and counterfeit products. Suppliers and customers should
rightly be concerned about these areas and they are discussed in Chapter 3 of this Standard. A
focus on best practices in these risk areas is likely to lead to the critical improvements that both
buyers and sellers want, and an improved global market encompassing trustworthy suppliers and
trustworthy products.
This is true for any software or hardware component, including government developed and
COTS ICT.
However important the area of “vulnerabilities” is to both buyers and sellers, it is a risk of
buying any product. While vulnerabilities can never be completely eradicated, this Standard does
provide best practice requirements that will help to limit them, including a set of best practice
requirements specifically related to vulnerability analysis and response.
Another property inherent in the use of COTS software and hardware requires that consumers
(acquirers) understand that COTS products are intended to meet the needs of a specific
commercial market segment. Whether a software or hardware product is “fit-for-purpose”,
including “fit for the security threats it will face”, is a business and system design decision that
must be understood by the customer, since COTS by definition is not “special-purpose, custom
design”. Thus, “determination of fitness-for-purpose” is not part of the scope of the best
practices in this Standard.
Lastly, even though “tainting” is rightly a focus area of this Standard, there are limitations of
best practices in ameliorating certain tainting risks. Chief among these is the problem of a
malicious yet fully authorized insider deliberately corrupting or tainting product; that is, putting
in unintended functionality (e.g., a backdoor allowing bad actor access) or corrupting
functionality (e.g., rendering access controls by-passable under some conditions). It is, in short,
impossible to completely prevent a fully authorized insider from changing code in a way that is
undetectable, even if you know where to look for the corrupt code.1 The practices described here
may be applied to mitigate risks introduced by both malicious insiders and outsiders.
Recognizing these COTS ICT realities and given the continual improvement in vulnerability
analysis tools and techniques, this Standard does identify best practice requirements and
recommendations in those areas of risk. If followed in conjunction with the other best practice
requirements identified in the Standard, they will help to reduce the possibility of malicious code
being introduced as the product progresses throughout its life cycle and measurably further the
1
For support of this premise, see the 2007 Defense Science Board Task Force on Mission Impact of Foreign Influence on DoD
Software. It is not currently a solvable problem, or even a problem for which there are acceptable mitigation techniques.
2.4 Overview
This section provides overviews of the Framework and the O-TTPS (Standard), and adds
findings from the Standards Harmonization Work Stream of the OTTF.
The Framework organizes best practices into the following four categories:
Product Development/Engineering Method
Secure Development/Engineering Method
Supply Chain Security Method
Product Evaluation Method
The best practices within these methods are those considered most effective in protecting
customers from assuming unacceptable levels of product integrity and supply chain security
risks. The methods identify fundamental areas within the development and manufacturing
process where risk management and assurance have the greatest impact on the quality and
integrity of a COTS ICT product. These practices and methods are anticipated to evolve as new
common approaches and techniques are identified and adopted by Trusted Technology
Providers.
The first three methods identified above are in scope for this Standard. The concept of a Product
Evaluation Method as referenced in the Framework is focused specifically on product security.
This version of the Standard, however, expressly excludes from its scope best practice
requirements for the evaluations of product security functionality and information assurance of
individual products.
While the best practice requirements and recommendations found in this Standard have been
derived from and informed by the broad Framework method categories, only those requirements
and recommendations that pertain directly to the two specific risks identified in Chapter 3 –
namely, tainted and counterfeit products – are set forth in this Standard.
A publically available early version of the Framework can be found in the White Paper (see
Referenced Documents).
The Forum is working globally with governments and international standards organizations to
promote and harmonize this and future Standards. The Forum wishes, where appropriate, to
leverage evaluation and testing schemes while harmonizing with the security standards to which
those schemes relate.
This chapter highlights certain risks associated with tainted and counterfeit Commercial Off-the-
Shelf (COTS) Information and Communication Technology (ICT) products. The following
chapter, Chapter 4, specifies the requirements and recommendations of this Open Trusted
Technology Provider Standard (O-TTPS) that, when implemented by Trusted Technology
Providers, are designed to reduce those risks.
As defined in Chapter 1, a tainted product is a product that is produced by the provider and is
acquired through a provider’s authorized channel but has been tampered with maliciously. A
counterfeit product is produced other than by or for the provider, or is supplied by other than a
provider’s authorized channel, and is represented as legitimate. For example, a provider could
source from a supplier that supplies a product that purports to be from Vendor X, but is, instead,
a “fake”.
Counterfeiting poses significant risk to an organization because the integrity of a “fake” product
cannot be validated. In addition, counterfeit products are unsupported by the original provider
and can often result in significant financial and productivity losses. This damages the customer,
whose purchased product may fail at a critical juncture, as well as the supplier, whose revenue
stream and brand may be damaged due to a fake, inferior product. Even in cases where the
“fake” is a bit-for-bit copy of the original, a customer may be damaged by the inability to get
support services for a counterfeit product, and the supplier is damaged by loss of the revenue
stream that should rightly accrue from their intellectual property.
Tainting is important for similar reasons: a corrupted product may not perform as intended. In
fact, the tainting may well be for the precise reason of causing the product not to perform as
intended, thus enabling a specific attack on an entity using the tainted product. Failure, degraded
performance, rogue functionality, and weakened security mechanisms are all possible outcomes
of tainted products.
The concepts of tainted and counterfeit products can be confusing, so some examples of threats
relating to each concept are presented here to provide some useful clarification. An example of a
threat relating to a tainted product is “malware”, which can be thought of as the introduction of
unauthorized functionality into an otherwise genuine product, with the purpose of producing an
outcome undesirable for the provider and/or the acquirer.
An example of a threat relating to a counterfeit product is the use of scrap or sub-standard parts;
specifically, the introduction of parts into the supply chain that have been discarded at some
earlier stage of the supply chain, either through failing to meet a quality bar, or having reached
their end-of-life.
In addition to understanding the concepts of tainted and counterfeit products and their associated
risks, supply chain discussions require understanding of where in the chain those risks may be
relevant. From a provider’s perspective, technology development and supply chain activities can
be said to have “upstream” and “downstream” elements. “Upstream” of the provider are
In Table 2, the designation “Relevant” indicates that a specific risk can be thought of arising at a
particular stage in the continuum.
Table 2: Threat Mapping
Tainted Counterfeit
Upstream Provider Downstream Upstream Provider Downstream
Malware Relevant Relevant Relevant
Unauthorized Relevant Relevant Relevant Relevant
“Parts”
Unauthorized Relevant
Configuration
Scrap/Sub- Relevant
standard Parts
Unauthorized Relevant Relevant
Production
This chapter defines the requirements and recommendations relating to tainted and counterfeit
product risks for this version of the Open Trusted Technology Provider Standard (O-TTPS).
Note: It is important to understand that all of the requirements and recommendations listed in
the tables in this chapter are specified using prescriptive terms (e.g., shall, should,
may); for definitions of these terms, please refer to the definitions in Section 1.3
(Terminology). For reasons of consistency, these terms are equivalent to the
corresponding ISO definitions.
This Standard is described in terms of the provider’s product life cycle. The collection of
provider best practices contained in the O-TTPS are those that the OTTF considers best capable
of influencing and governing the integrity of a Commercial Off-the-Shelf (COTS) Information
and Communication Technology (ICT) product from its inception to proper disposal at end-of-
life. These provider practices are divided into two basic categories of product life cycle activities
as described in Section 2.4.2: Technology Development and Supply Chain Security:
The provider’s Technology Development activities for a COTS ICT product are mostly
under the provider’s in-house supervision in how they are executed. The methodology
areas that are most relevant to assuring against tainted and counterfeit products are:
Product Development/Engineering methods and Secure Development/Engineering
methods.
The provider’s Supply Chain Security activities focus on best practices where the provider
must interact with third parties who produce their agreed contribution with respect to the
product’s life cycle. Here, the provider’s best practices often control the point of
intersection with the outside supplier through control points that may include inspection,
verification, and contracts.
While these categories are useful as an organizing construct, they are not absolute distinctions;
for example, one product may be handled by the provider’s own organization exclusively, whilst
another product’s life cycle could involve many aspects being handled in conjunction with a
variety of third parties as governed by the provider. These two major categories of the product
life cycle are depicted in Figure 2:
Technology
Supply Chain
Development
The following sections include the prescriptive requirements and recommendations for this
Standard. The requirements are focused on the two identified threats. Some are highly correlated
to the specific threats; others are more foundational but considered essential.
Attribute Definition
A formal process exists that defines and documents how requirements are translated into a
product design.
Requirements
PD_DES.01 A process shall exist that assures the requirements are addressed in the design.
PD_DES.02 Product requirements shall be documented.
Attribute Definition
A formal process and supporting systems exist which assure the proper management, control,
and tracking of change to product development and manufacturing assets and artifacts.
Requirements
PD_CFM.01 A documented formal process shall exist which defines the configuration
management process and practices.
PD_CFM.02 Baselines of identified assets and artifacts under configuration management shall
be established.
PD_CFM.03 Changes to identified assets and artifacts under configuration management shall be
tracked and controlled.
PD_CFM.04 Configuration management should be applied to build management and
development environments used in the development/engineering of the product.
PD_CFM.05 Access to identified assets and artifacts and supporting systems shall be protected
and secured.
PD_CFM.06 A formal process shall exist that establishes acceptance criteria for work products
accepted into the product baseline.
Attribute Definition
Development/engineering processes and practices are documented, and managed and followed
across the life cycle.
Requirements
Attribute Definition
Quality and test management is practiced as part of the product development/engineering life
cycle.
PD_QAT.01 There shall be a quality and test product plan that includes quality metrics and
acceptance criteria.
PD_QAT.02 Testing and quality assurance activities shall be conducted according to the plan.
PD_QAT.03 Products or components shall meet appropriate quality criteria throughout the life
cycle.
Attribute Definition
Product support, release maintenance, and defect management are product sustainment services
offered to acquirers while the product is generally available.
Requirements
Attribute Definition
Threat analysis and mitigation identify a set of potential attacks on a particular product or system
and describe how those attacks might be perpetrated and the best methods of preventing or
mitigating potential attacks.
Requirements
SE_TAM.01 Product architecture and design shall be assessed against potential attacks to gain
an understanding of the threat landscape.
Attribute Definition
Requirements
Attribute Definition
Requirements
SE_VAR.01 Techniques and practices for vulnerability analysis shall be utilized. Some
techniques include: code review, static analysis, penetration testing, white/black
box testing, etc.
SE_VAR.02 The impact of published vulnerabilities to products and processes should be
analyzed and mitigated.
SE_VAR.03 A process shall exist for governing notification of newly discovered and
exploitable product vulnerabilities.
SE_VAR.04 Vulnerability analysis and response should feed into the processes for ongoing
product development, product patching, and remediation.
Attribute Definition
A well-documented process exists for patching and remediating products. Priority is given to
known severe vulnerabilities.
Requirements
SE_PPR.01 There shall be a well-documented process for patching and remediating products.
SE_PPR.02 There should be a process for informing an acquirer of notification and
remediation mechanisms.
SE_PPR.03 Remediation of vulnerabilities shall be prioritized based on a variety of factors,
including risk.
SE_PPR.04 Documented development and sustainment practices should be followed when
implementing product remediation.
Attribute Definition
Secure engineering practices are established to avoid common engineering errors that lead to
exploitable product vulnerabilities.
Requirements
SE_SEP.01 Secure coding practices shall be utilized to avoid common coding errors that lead
to exploitable product vulnerabilities. For example, user input validation, use of
appropriate compiler flags, etc.
SE_SEP.02 Secure hardware design practices (where applicable) shall be employed. For
example, zeroing out memory and effective opacity.
SE_SEP.03 Training on secure engineering practices shall be provided to the appropriate
personnel on a regular basis consistent with changing practices and the threat
landscape.
4.1.2.6 SE_MTL: Monitor and Assess the Impact of Changes in the Threat Landscape
Attribute Definition
The threat landscape is monitored and the potential impacts of changes in the threat landscape
are assessed on development/engineering practices, tools, and techniques.
Requirements
Attribute Definition
The management of supply chain risk around tainted and counterfeit components and products
includes the identification, assessment, prioritization, and mitigation of corresponding business,
technical, and operational risks.
Requirements
Attribute Definition
Physical security procedures are necessary to protect development assets and artifacts,
manufacturing processes, the plant floor, and the supply chain.
Requirements
SC_PHS.01 Risk-based procedures for physical security shall be established and documented.
SC_PHS.02 Risk-based procedures for physical security shall be followed routinely.
SC_PHS.03 Risk-based procedures for physical security should be reviewed periodically by
practitioners, including management, and revised as appropriate.
Attribute Definition
Proper access controls are established for the protection of product-relevant intellectual property
against the introduction of tainted and counterfeit components where applicable in the supply
chain. Access controls can vary by type of intellectual property and over time, during the life
cycle.
Requirements
SC_ACC.01 Access controls shall be established and managed for product-relevant intellectual
property, assets, and artifacts. Assets and artifacts include controlled elements
related to the development/manufacturing of a provider’s product.
SC_ACC.02 Access controls established and managed for product-relevant intellectual
property, assets, and artifacts shall be documented.
SC_ACC.03 Access controls established and managed for product-relevant intellectual
property, assets, and artifacts shall be followed routinely.
SC_ACC.04 Access controls established and managed for product-relevant intellectual
property, assets, and artifacts should be reviewed periodically by practitioners,
including management, and revised as appropriate.
SC_ACC.05 Access controls established and managed for product-relevant intellectual
property, assets, and artifacts shall employ the use of access control auditing.
Attribute Definition
Background checks are conducted for employees and contractors whose activities are directly
related to sensitive product supply chain activities.
A Provider has a set of applicable business conduct guidelines for their employee and supplier
communities.
A Provider obtains periodic confirmation that suppliers are conducting business in a manner
consistent with principles embodied in industry conduct codes, such as the Electronic Industry
Citizenship Coalition (EICC) Code of Conduct.
Requirements
SC_ESS.01 Proof of identity shall be ascertained for all new employees and contractors
engaged in the supply chain, except where prohibited by law.
SC_ESS.02 Background checks should be conducted for employees and contractors whose
activities are directly related to sensitive product supply chain activities (within
reason given local customs and according to local law).
SC_ESS.03 A set of business conduct guidelines applicable to its employees and contractors
should exist, consistent with principles embodied in industry conduct codes such
as the Electronic Industry Citizenship Coalition (EICC) Code of Conduct.
SC_ESS.04 Business should be conducted in a manner consistent with principles embodied in
industry conduct codes, such as the Electronic Industry Citizenship Coalition
(EICC) Code of Conduct.
SC_ESS.05 Periodic confirmation that suppliers are conducting business in a manner
consistent with principles embodied in industry conduct codes, such as the
Electronic Industry Citizenship Coalition (EICC) Code of Conduct, should be
obtained.
(This includes, for example, Suppliers, Integrators, Logistic Partners, Channel Partners, and
Authorized Resellers.)
Attribute Definition
Relevant business partners follow the recommended supply chain security best practice
requirements specified by the O-TTPS.
Periodic confirmation is requested that business partners are following the supply chain security
best practices requirements specified by the O-TTPS.
SC_BPS.01 Supply chain security best practices (e.g., O-TTPS) shall be recommended to
relevant business partners.
SC_BPS.02 Legal agreements with business partners should reference applicable requirements
for supply chain security practices (e.g., O-TTPS).
SC_BPS.03 The provider should periodically request confirmation that business partners are
following the supply chain security best practice requirements specified by the
O-TTPS.
Attribute Definition
Personnel responsible for the security of supply chain aspects are properly trained.
Requirements
SC_STR.01 Training in supply chain security procedures shall be given to all appropriate
personnel.
Attribute Definition
Supply Chain information systems properly protect data through an appropriate set of security
controls.
Requirements
SC_ISS.01 Supply chain data shall be protected through an appropriate set of security
controls.
Attribute Definition
Supplied components are evaluated to assure that they meet component specification
requirements.
Suppliers follow supply chain security best practices with regard to supplied components (e.g.,
O-TTPS).
Requirements
SC_TTC.01 The quality of supplied components shall be assessed against the component
specification requirements.
Attribute Definition
Secure transmission and handling of assets and artifacts during delivery is needed to lower the
risk of product tampering while in transit to their destination.
Requirements
SC_STH.01 Secure transmission and handling controls shall be established and documented.
SC_STH.02 Secure transmission and handling controls shall be designed to lower the risk of
physical tampering with assets and artifacts that are physically transported.
SC_STH.03 Secure transmission and handling controls shall be designed to lower the risk of
tampering with assets and artifacts that are electronically transmitted.
SC_STH.04 Secure transmission and handling controls shall be followed routinely.
SC_STH.05 Secure transmission and handling controls should be reviewed periodically by
practitioners, including management, and revised as appropriate.
SC_STH.06 For assets and artifacts and related information that are considered to be high risk
from the supply chain perspective, additional countermeasures, such as
authenticity verification, should be employed.
SC_STH.07 Methods of verifying authenticity and integrity of products after delivery should
be available.
Attribute Definition
Open Source components are managed as defined by the best practices within the O-TTPS for
Product Development/ Engineering methods and Secure Development/Engineering methods.
Requirements
SC_OSH.01 Open Source assets and artifacts should be managed as defined by the best
practices within the O-TTPS for Product Development/Engineering methods and
Secure Development/Engineering methods.
SC_OSH.02 In the management of Open Source assets and artifacts, components sourced shall
be identified as derived from well-understood component lineage.
Attribute Definition
Practices are deployed to manufacture, deliver, and service products that do not contain
counterfeit components.
Practices are deployed to control the unauthorized use of scrap from the hardware manufacturing
process.
Requirements
Attribute Definition
Practices are employed that mitigate as much as practical the inclusion of malware in
components received from suppliers and components or products delivered to customers or
integrators.
Requirements
SC_MAL.01 One or more up-to-date malware detection tools shall be deployed as part of the
code acceptance and development processes.
SC_MAL.02 Malware detection techniques shall be used before final packaging and delivery
(e.g., scanning finished products and components for malware using one or more
up-to-date malware detection tools).
Accreditation Program
A process in which certification of competency or credibility is provided. As
used in this Standard, it is a process that a supplier goes through to certify
that they meet the requirements of an Open Trusted Technology Provider
Standard (O-TTPS).
Acquirer One who procures hardware and software products and services to create
solutions that meet their customers’ requirements.
Asset Anything you can use that is considered a thing of value (e.g., tool).
Best Practice Provides a clear description of a set of tried and tested processes, procedures,
and guidelines that, when practically applied to an operation, brings a
business advantage.
Certification/Accreditation Authority
Provides certification and/or testing services, especially those involved with
conformance certification and/or testing.
Component Supplier
Entity that supplies components, typically as business partners to providers.
Configuration Management
A formal process which ensures the proper management, control, and
tracking of change to product development and manufacturing assets and
artifacts.
Conformance Assessment
The act of determining the consistency of an implementation to a
specification, or the adherence of a business operation to a best practice or
process definition.
Contractors/System Integrators
Provide services and solutions to customers; typically used on large projects
that deal with multiple providers.
Development Method
System (or Software) Development Life Cycle (SDLC) development-based
method. Applicable to both hardware and software-based products.
Downstream Any entity that is further down the supply chain process from the subject;
i.e., the acquirer is downstream from the integrator (see Upstream).
Engineering Method
Method that is focused on manufacturing or development processes and
practices; for products with significant hardware-based technology
components (chips, firmware, systems, etc.).
Framework Defines a set of structured processes and templates that facilitates solving a
complex problem. As used in this Standard, a set of best practices identified
by a cross-industry forum which, if used by a technology vendor, may allow
a government or commercial enterprise customer to consider the vendor's
products as more secure and trusted.
Grey Market Distribution channels which, while legal, are unofficial, unauthorized, or
unintended by the original manufacturer.
Legitimate Product
The item is produced by the provider and is acquired through a provider’s
authorized channel.
May Refer to Section 1.3 (Terminology) for definition. Refer to the introduction to
Chapter 4 for context.
2
This definition is aligned with ISO/IEC 27000:2009.
Open Source Generically, the term “Open Source” refers to a program in which the source
code is available to the general public for use and/or modification from its
original design free-of-charge; i.e., open. Open Source code is typically
created as a collaborative effort in which programmers improve upon the
code and share the changes within the community. Open Source sprouted in
the technological community as a response to proprietary software owned by
corporations.3
OTTF The Open Group Trusted Technology Forum. A global standards initiative to
provide a collaborative, open environment for technology companies,
customers, government, and supplier organizations to create and promote
guidelines for manufacturing, sourcing, and integrating trusted, secure
technologies.
O-TTPS A standard established by consensus within the OTTF and approved through
The Open Group Company Review process that provides a set of
organizational commercial requirements that enhance the security of the
global supply chain and the integrity of COTS ICT products. It provides a set
of guidelines and best practice requirements and recommendations that help
assure against tainted and counterfeit products throughout the COTS ICT
product life cycle encompassing the following phases: design, sourcing,
build, fulfillment, distribution, sustainment, and disposal.
3
Source: Wikipedia.
Risk An event or condition that has a potentially negative impact and the
possibility that such an event will occur and adversely affect an entity’s
assets and artifacts, activities, and operations.
Risk Management
The process concerned with the identification, measurement, control, and
mitigation of risk.
Shall Refer to Section 1.3 (Terminology) for definition. Refer to the introduction to
Chapter 4 for context.
Should Refer to Section 1.3 (Terminology) for definition. Refer to the introduction to
Chapter 4 for context.
Standards Body Any organization whose primary activities are developing, coordinating,
promulgating, revising, amending, re-issuing, interpreting, or otherwise
producing standards that are intended to address the needs of some relatively
wide base of affected adopters.
Supply Chain A set of organizations, people, activities, information, and resources for
creating and moving a product or service (including its sub-elements) from
suppliers through to customers. One of the two major categories in this
standard is Supply Chain Security.
Tainted Product A product that is produced by the provider and is acquired through a
provider’s authorized channel but has been tampered with maliciously.
Note: All instances, within this standard, of the use of the words: taint,
tainted, tainting refer to maliciously taint, maliciously tainted, and
maliciously tainting, respectively.
Technology Provider
See Provider.
Technology-neutral
An approach whereby the decision to use technology required to meet a
stated need is free of any bias.
Threat The intention and capability of an adversary to undertake actions that would
be detrimental through disruption of processes or subversion of knowledge.
Upstream Any entity who is further up the supply chain process from the subject; i.e.,
vendors who supply component parts or solutions (software or hardware) to
providers or integrators (see Downstream).
Vulnerability Analysis
The process of determining whether a product contains vulnerabilities and
categorizing their potential severity.