Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations

ISO/IEC 20243-1:2018 (O-TTPS) is a set of guidelines, requirements, and recommendations that address specific threats to the integrity of hardware and software COTS ICT products throughout the product life cycle. This release of the Standard addresses threats related to maliciously tainted and counterfeit products. The provider's product life cycle includes the work it does designing and developing products, as well as the supply chain aspects of that life cycle, collectively extending through the following phases: design, sourcing, build, fulfillment, distribution, sustainment, and disposal. While this Standard cannot fully address threats that originate wholly outside any span of control of the provider – for example, a counterfeiter producing a fake printed circuit board assembly that has no original linkage to the Original Equipment Manufacturer (OEM) – the practices detailed in the Standard will provide some level of mitigation. An example of such a practice would be the use of security labeling techniques in legitimate products.

Technologies de l'information — Norme de fournisseur de technologie de confiance ouverte (O-TTPS) — Atténuation des produits contrefaits et malicieusement contaminés — Partie 1: Exigences et recommandations

General Information

Status: Withdrawn
Publication Date: 21-Feb-2018
Current Stage: 9599 - Withdrawal of International Standard
Completion Date: 24-Nov-2023
Standard
ISO/IEC 20243-1:2018 - Information technology -- Open Trusted Technology Provider™ Standard (O-TTPS) -- Mitigating maliciously tainted and counterfeit products
English language
32 pages

Standards Content (Sample)

INTERNATIONAL STANDARD
ISO/IEC 20243-1
First edition
2018-02
Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations
Technologies de l'information — Norme de fournisseur de technologie de confiance ouverte (O-TTPS) — Atténuation des produits contrefaits et malicieusement contaminés — Partie 1: Exigences et recommandations
Reference number: ISO/IEC 20243-1:2018(E)
© ISO/IEC 2018


COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Published in Switzerland
Contents
1 Introduction
1.1 Objectives
1.2 Overview
1.3 Conformance
1.4 Terminology
1.5 Future Directions
2 Business Context and Overview
2.1 Business Environment Summary
2.1.1 Operational Scenario
2.2 Business Rationale
2.2.1 Business Drivers
2.2.2 Objectives and Benefits
2.3 Recognizing the COTS ICT Context
2.4 Overview
2.4.1 O-TTPF Framework Overview
2.4.2 Standard Overview
2.4.3 Relationship with Other Standards
3 O-TTPS – Tainted and Counterfeit Risks
4 O-TTPS – Requirements for Addressing the Risks of Tainted and Counterfeit Products
4.1 Technology Development
4.1.1 PD: Product Development/Engineering Method
4.1.1.1 PD_DES: Software/Firmware/Hardware Design Process
4.1.1.2 PD_CFM: Configuration Management
4.1.1.3 PD_MPP: Well-defined Development/Engineering Method Process and Practices
4.1.1.4 PD_QAT: Quality and Test Management
4.1.1.5 PD_PSM: Product Sustainment Management
4.1.2 SE: Secure Development/Engineering Method
4.1.2.1 SE_TAM: Threat Analysis and Mitigation
4.1.2.2 SE_RTP: Run-time Protection Techniques
4.1.2.3 SE_VAR: Vulnerability Analysis and Response
4.1.2.4 SE_PPR: Product Patching and Remediation
4.1.2.5 SE_SEP: Secure Engineering Practices
4.1.2.6 SE_MTL: Monitor and Assess the Impact of Changes in the Threat Landscape
4.2 Supply Chain Security
...
