ISO/IEC 20243:2015

INTERNATIONAL ISO/IEC
STANDARD 20243
First edition
2015-09-15
Information Technology — Open
Trusted Technology ProviderTM
Standard (O-TTPS) — Mitigating
maliciously tainted and counterfeit
products
Technologies de l’information — Norme de fournisseur de technologie
de confiance ouverte (O-TTPS) — Atténuation des produits contrefaits
et malicieusement contaminés
Reference number
©
ISO/IEC 2015
© ISO/IEC 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2015 – All rights reserved

Contents
1 Introduction.1
1.1 Objectives . 1
1.2 Overview . 1
1.3 Conformance . 3
1.4 Terminology . 3
1.5 Future Directions . 4
2 Business Context and Overview .5
2.1 Business Environment Summary . 5
2.1.1 Operational Scenario . 5
2.2 Business Rationale . 7
2.2.1 Business Drivers . 7
2.2.2 Objectives and Benefits . 8
2.3 Recognizing the COTS ICT Context . 9
2.4 Overview . 11
2.4.1 O-TTPF Framework Overview . 11
2.4.2 Standard Overview . 11
2.4.3 Relationship with Other Standards . 12
3 O-TTPS – Tainted and Counterfeit Risks .13
4 O-TTPS – Requirements for Addressing the Risks of Tainted and Counterfeit

Products.15
4.1 Technology Development . 16
4.1.1 PD: Product Development/Engineering Method . 16
4.1.1.1 PD_DES: Software/Firmware/Hardware
Design Process . 16
4.1.1.2 PD_CFM: Configuration Management . 17
4.1.1.3 PD_MPP: Well-defined
Development/Engineering Method Process
and Practices . 17
4.1.1.4 PD_QAT: Quality and Test Management . 17
4.1.1.5 PD_PSM: Product Sustainment Management . 18
4.1.2 SE: Secure Development/Engineering Method . 18
4.1.2.1 SE_TAM: Threat Analysis and Mitigation . 18
4.1.2.2 SE_RTP: Run-time Protection Techniques . 19
4.1.2.3 SE_VAR: Vulnerability Analysis and
Response . 19
4.1.2.4 SE_PPR: Product Patching and Remediation . 20
4.1.2.5 SE_SEP: Secure Engineering Practices . 20
™
Open Trusted Technology Provider Standard (O-TTPS), Version 1.1 iii
© ISO/IEC 2015 – All rights reserved

4.1.2.6 SE_MTL: Monitor and Assess the Impact of
Changes in the Threat Landscape . 20
4.2 Supply Chain Security . 21
4.2.1 SC: Supply Chain Security . 21
4.2.1.1 SC_RSM: Risk Management . 21
4.2.1.2 SC_PHS: Physical Security . 22
4.2.1.3 SC_ACC: Access Controls . 22
4.2.1.4 SC_ESS: Employee and Supplier Security
and Integrity . 23
4.2.1.5 SC_BPS: Business Partner Security . 23
4.2.1.6 SC_STR: Supply Chain Security Training . 24
4.2.1.7 SC_ISS: Information Systems Security . 24
4.2.1.8 SC_TTC: Trusted Technology Components . 24
4.2.1.9 SC_STH: Secure Transmission and Handling . 25
4.2.1.10 SC_OSH: Open Source Handling . 25
4.2.1.11 SC_CTM: Counterfeit Mitigation . 26
4.2.1.12 SC_MAL: Malware Detection . 26
List of Tables
Table 1: O-TTPS Constituents and their Roles . 6
Table 2: Threat Mapping . 14
List of Figures
Figure 1: Constituents . 6
Figure 2: Product Life Cycle – Categories and Activities . 15
iv Open Group Standard (2014)
© ISO/IEC 2015 – All rights reserved

Preface
The Open Group
The Open Group is a global consortium that enables the achievement of business objectives
through IT standards. With more than 400 member organizations, The Open Group has a diverse
membership that spans all sectors of the IT community – customers, systems and solutions
suppliers, tool vendors, integrators, and consultants, as well as academics and researchers – to:
 Capture, understand, and address current and emerging requirements, and establish
policies and share best practices
 Facilitate interoperability, develop consensus, and evolve and integrate specifications and
open source technologies
 Offer a comprehensive set of services to enhance the operational efficiency of consortia
 Operate the industry’s premier certification service
Further information on The Open Group is available at www.opengroup.org.
The Open Group publishes a wide range of technical documentation, most of which is focused
on development of Open Group Standards and Guides, but which also includes white papers,
technical studies, certification and testing documentation, and business titles. Full details and a
catalog are available at www.opengroup.org/bookstore.
Readers should note that updates – in the form of Corrigenda – may apply to any publication.
This information is published at www.opengroup.org/corrigenda.
This Document
The Open Group Trusted Technology Forum (OTTF or Forum) is a global initiative that invites
industry, government, and other interested participants to work together to evolve this Standard
and other OTTF deliverables.
This Standard is the Open Trusted Technology Provider Standard (O-TTPS). The Standard has
been developed by the OTTF and approved by The Open Group, through The Open Group
Company Review process. There are two distinct elements that should be understood with
respect to this Standard: the O-TTPF (Framework) and the O-TTPS (Standard).
The O-TTPF (Framework): The Framework is an evolving compendium of organizational
guidelines and best practices relating to the integrity of Commercial Off-the-Shelf (COTS)
Information and Communication Technology (ICT) products and the security of the supply chain
throughout the entire product life cycle. An early version of the Framework was published as a
White Paper in February 2011 (see Referenced Documents). The Framework serves as the basis
for this Standard, future updates, and additional standards. The content of the Framework is the
result of industry collaboration and research as to those commonly used commercially
™
Open Trusted Technology Provider Standard (O-TTPS), Version 1.1 v
© ISO/IEC 2015 – All rights reserved

reasonable practices that increase product integrity and supply chain security. The members of
the OTTF will continue to collaborate with industry and governments and update the Framework
as the threat landscape changes and industry practices evolve.
The O-TTPS (Standard): The O-TTPS is an open standard containing a set of guidelines that
when properly adhered to have been shown to enhance the security of the global supply chain
and the integrity of COTS ICT products. It provides a set of guidelines, requirements, and
recommendations that help assure against maliciously tainted and counterfeit products
throughout the COTS ICT product life cycle encompassing the following phases: design,
sourcing, build, fulfillment, distribution, sustainment, and disposal.
Using the guidelines documented in the Framework as a basis, the OTTF is taking a phased
approach and staging O-TTPS releases over time. This staging will consist of standards that
focus on mitigating specific COTS ICT risks from emerging threats. As threats change or market
needs evolve, the OTTF intends to update the O-TTPS (Standard) by releasing addenda to
address specific threats or market needs.
The Standard is aimed at enhancing the integrity of COTS ICT products and helping customers
to manage sourcing risk. The authors of this Standard recognize the value that it can bring to
governments and commercial customers worldwide, particularly those who adopt procurement
and sourcing strategies that reward those vendors who follow the O-TTPS best practice
requirements and recommendations.
Note: Any reference to “providers” is intended to refer to COTS ICT providers. The use of
the word “component” is intended to refer to either hardware or software components.
Intended Audience
This Standard is intended for organizations interested in helping the industry evolve to meet the
threats in the delivery of trustworthy COTS ICT products. It is intended to provide enough
context and information on business drivers to enable its audience to understand the value in
adopting the guidelines, requirements, and recommendations specified within. It also allows
providers, suppliers, and integrators to begin planning how to implement the Standard in their
organizations. Additionally, acquirers and customers can begin recommending the adoption of
the Standard to their providers and integrators.
vi Open Group Standard (2014)
© ISO/IEC 2015 – All rights reserved

Trademarks
® ® ® ® ®
ArchiMate , DirecNet , Jericho Forum , Making Standards Work , OpenPegasus , The Open
® ® ®
Group , TOGAF , and UNIX are registered trademarks and Boundaryless Information Flow™,
Build with Integrity Buy with Confidence™, Dependability Through Assuredness™, FACE™,
Open Platform 3.0™, Open Trusted Technology Provider™, and The Open Group Certification
Mark™ are trademarks of The Open Group.
All other brands, company, and product names are used for identification purposes only and may
be trademarks that are the sole property of their respective owners.
™
Open Trusted Technology Provider Standard (O-TTPS), Version 1.1 vii
© ISO/IEC 2015 – All rights reserved

Acknowledgements
The Open Group acknowledges the contribution of the following people and organizations in the
development of this Standard (presented in alphabetical order).
In particular we would like to provide a special thank you and acknowledgement to the Chair
and Vice Chair of the OTTF: Andras Szakal, IBM (Chair) and Edna Conway, Cisco Systems
(Vice Chair).
The contributing members of The Open Group Trusted Technology Forum (OTTF):
Contributors Organization
Jon Amis Dell, Inc.
Paul Aschwald Hewlett-Packard Company
Nadya Bartol (formerly of) Booz Allen Hamilton
James Bean Juniper Networks
Kristen Baldwin US DoD AT&L
Terry Blevins MITRE
Joshua Brickman CA Technologies
Stan Brown CA Technologies
Ben Calloni Lockheed Martin
Suresh Cheruserri (formerly of) Tata Consultancy Services
YouHong (Robert) Chu Kingdee Software
Erv Comer Motorola Solutions
Erin Connor Electronic Warfare Associates (EWA) – Canada Ltd.
Tammy Compton (formerly of) SAIC
Edna Conway Cisco Systems Inc.
OTTF Vice-Chair
Don Davidson DOD-CIO
Mary Ann Davidson Oracle Corporation
Charles Dekle (formerly of) US DoD AT&L
Terrie Diaz Cisco Systems Inc.
Robert Dix Juniper Networks
Holly Dunlap Raytheon Company
Bob Ellison SEI
Marcus Fedeli (formerly of) NASA
viii Open Group Standard (2014)
© ISO/IEC 2015 – All rights reserved

Contributors Organization
Luke Forsyth CA Technologies
Susan Fultz Hewlett-Packard Company
Steve Goldberg (formerly of) Motorola Solutions
Tim Hahn IBM Corporation
Wes Higaki Apex Assurance Group
Ken Hong Fong (formerly of) US DoD AT&L
Helmut Kurth atsec information security
Mike Lai Microsoft Corporation
David Ling Hewlett-Packard Company
Steve Lipner Microsoft Corporation
O-TTPF Work Stream Co-Chair
Dr. David McQueeney IBM Corporation
Jim Mann Hewlett-Packard Company
Al Marshall NASA
Michele Moss Booz-Allen Hamilton
Shawn Mullen IBM Corporation
Fiona Pattinson atsec information security
Brendan Peter CA Technologies
Glenn Pittaway Microsoft Corporation
Andy Purdy Huawei Technologies
Dan Reddy EMC Corporation
Karen Richter IDA
Jim Robinson Hewlett-Packard Company
Hart Rossman (formerly of) SAIC
Mark Schiller (formerly of) Hewlett-Packard Company
Thomas Stickels MITRE
Andras R. Szakal IBM Corporation
OTTF Chair and O-TTPF Work Stream Co-Chair
Steve Whitlock The Boeing Company
Jim Whitmore IBM Corporation
Robert Williamson SAIC
Eric Winterton Booz Allen Hamilton
Joanne Woytek NASA
Chee Wai Foong Cisco Systems Inc.
™
Open Trusted Technology Provider Standard (O-TTPS), Version 1.1 ix
© ISO/IEC 2015 – All rights reserved

The individuals providing early contributions to this work:
Contributor Name
Randy Barr Qualys
Rance DeLong LynuxWorks
Chris Fagan (formerly of) Microsoft Corporation
Rob Hoffman High Assurance Systems, Inc.
Dave McDermitt (formerly of) SAIC
Terry Morgan (formerly of) Cisco Systems Inc.
Paul Nicholas Microsoft Corporation
Kerri Patterson (formerly of) Cisco Systems Inc.
Steve Venema The Boeing Company
Larry Wagoner NSA
The Open Group staff:
Name Role
James Andrews The Open Group Conformance Quality Manager
Joe Bergmann Open Group Government Relations, Director, RT&ES
James de Raeve VP Certification
Cathy Fox Technical Editor
Jim Hietala VP Security
Andrew Josey Director, Standards
Sally Long Director, The Open Group Trusted Technology Forum (OTTF)
Dave Lounsbury Chief Technical Officer
x Open Group Standard (2014)
© ISO/IEC 2015 – All rights reserved

Referenced Documents
The following documents are referenced in this Standard:
 2007 Defense Science Board Task Force on Mission Impact of Foreign Influence on DoD
Software, September 2007; findings and recommendations located at:
www.acq.osd.mil/dsb/reports/ADA486949.pdf.
 Electronic Industry Citizenship Coalition (EICC) Code of Conduct; refer to:
www.eicc.info.
 ISO/IEC 15408: Information Technology – Security Techniques – Evaluation Criteria for
IT Security (Common Criteria).
 ISO/IEC 27000:2009: Information Technology – Security Techniques – Information
Security Management Systems – Overview and Vocabulary.
 ISO/IEC Directives, Part 2: Rules for the Structure and Drafting of International
Standards.
 NIST 800-12: An Introduction to Computer Security: The NIST Handbook.
 White Paper: Open Trusted Technology Provider Framework (O-TTPF), W113, published
by The Open Group, February 2011; refer to:
www.opengroup.org/bookstore/catalog/w113.htm.
™
Open Trusted Technology Provider Standard (O-TTPS), Version 1.1 xi
© ISO/IEC 2015 – All rights reserved

© ISO/IEC 2015 – All rights reserved

1 Introduction
This chapter introduces this Standard – the Open Trusted Technology Provider Standard (O-
TTPS) – and the normative terminology that should be understood in relation to specific
requirements and recommendations found in Chapter 4 of this document.
1.1 Objectives
The Open Trusted Technology Provider Standard (O-TTPS) is a set of guidelines, requirements,
and recommendations that, when practically applied, create a business benefit in terms of
reduced risk of acquiring maliciously tainted or counterfeit products for the technology acquirer.
Documenting best practices that have been taken from the experience of mature industry
providers, rigorously reviewed through a consensus process, and established as requirements and
recommendations in this Standard, can provide significant advantage in establishing a basis to
reduce risk. A commitment by technology providers, large and small, suppliers of hardware and
software components, and integrators to adopt this Standard is a commitment to using specific
methodologies to assure the integrity of their hardware or software Commercial Off-the-Shelf
(COTS) Information and Communication Technology (ICT) products. This Standard is detailed
and prescriptive enough to be useful in raising the bar for all providers and lends itself to an
accreditation process to provide assurance that it is being followed in a meaningful and
repeatable manner.
1.2 Overview
This Standard (O-TTPS) is a set of guidelines, requirements, and recommendations that address
specific threats to the integrity of hardware and software COTS ICT products throughout the
product life cycle. This initial release of the Standard addresses threats related to maliciously
tainted and counterfeit products.
The provider’s product life cycle includes the work it does designing and developing products,
as well as the supply chain aspects of that life cycle, collectively extending through the
following phases: design, sourcing, build, fulfillment, distribution, sustainment, and disposal.
While this Standard cannot fully address threats that originate wholly outside any span of control
of the provider – for example, a counterfeiter producing a fake printed circuit board assembly
that has no original linkage to the Original Equipment Manufacturer (OEM) – the practices
detailed in the Standard will provide some level of mitigation. An example of such a practice
would be the use of security labeling techniques in legitimate products.
The two major threats that acquirers face today in their COTS ICT procurements, as addressed in
this Standard, are defined as:
1. Maliciously tainted product – the product is produced by the provider and is acquired
through a provider’s authorized channel, but has been tampered with maliciously.
™
Open Trusted Technology Provider Standard (O-TTPS), Version 1.1 1
© ISO/IEC 2015 – All rights reserved

2. Counterfeit product – the product is produced other than by, or for, the provider, or is
supplied to the provider by other than a provider’s authorized channel and is presented as
being legitimate even though it is not.
Note: All instances, within this standard, of the use of the words: taint, tainted, tainting, refer
to maliciously taint, maliciously tainted, and maliciously tainting, respectively.
Trusted Technology Providers manage their product life cycle, including their extended supply
chains, through the application of defined, monitored, and validated best practices. The product’s
integrity is strengthened when providers and suppliers follow the requirements and
recommendations specified in this Standard. The industry consensus reflected here and in the
Open Trusted Technology Provider Framework (O-TTPF) draws from the following areas that
are integral to product integrity: product development/engineering, secure
development/engineering, and supply chain security. Additionally, product integrity and supply
chain security are enhanced by following practices among suppliers, trading partners, providers,
and, when appropriate, acquiring customers to preserve the product’s intended configuration.
This Standard is focused on the security of the supply chain versus the business management
aspects of the supply chain. This Standard takes a comprehensive view about what providers
should do in order to be considered a Trusted Technology Provider that “builds with integrity”.
This includes practices that providers incorporate in their own internal product life cycle
processes, that portion of product development that is “in-house” and over which they have more
direct operational control. Additionally, it includes the provider’s supply chain security practices
that need to be followed when incorporating third-party hardware or software components, or
when depending on external manufacturing and delivery or supportive services.
The Standard makes a distinction between provider and supplier. Suppliers are those upstream
vendors who supply components or solutions (software or hardware) to providers or integrators.
Providers are those vendors who supply COTS ICT products directly to the downstream
integrator or acquirer.
Ideally, the guidelines, requirements, and recommendations included in this Standard will be
widely adopted by providers and their suppliers regardless of size and will provide benefits
throughout the industry.
For this version of the Standard, the following elements are considered out of scope:
 This Standard does not focus on guidelines, requirements, and recommendations for the
acquirer. The Forum is considering addressing this area in subsequent versions of the
Standard. In the meantime, an acquirer does have a role to play in assuring that the
products and components they procure are built with integrity. One of the ways that the
acquirer can do that is to require their providers, suppliers, and integrators to be Trusted
Technology Providers. Another way is to not knowingly support the “grey market”,
realizing that if an acquirer elects to receive hardware or software support from grey
market suppliers, it is at their own risk and generally outside of the influence of the
legitimate provider.
 This Standard is not meant to be comprehensive as to all practices that a provider should
follow when building software or hardware. For a more comprehensive set of foundational
2 Open Group Standard (2014)
© ISO/IEC 2015 – All rights reserved

best practices that a provider could implement to produce good quality products, readers
can refer to the O-TTPF White Paper.
 This version of the Standard does not apply to the operation or hosting infrastructure of
on-line services, but can apply to COTS ICT products in as far as they are utilized by
those services.
This Standard complements existing standards covering product security functionality and
product information assurance, such as ISO/IEC 15408 (Common Criteria).
1.3 Conformance
The OTTF intends to develop conformance criteria and create an Accreditation Policy and
Program for the Open Trusted Technology Provider Standard (O-TTPS) as a useful tool for all
constituents with an interest in supply chain security. Without the associated conformance
criteria and an Accreditation Program, there is no assurance that an organization has
implemented practices according to the O-TTPS.
Accreditation will provide formal recognition of conformance to the O-TTPS, which allows:
 Providers and practitioners to make and substantiate clear claims of conformance to the
Standard
 Acquirers to specify and successfully procure from providers who conform to the
Standard
Conformance assessment is the act of determining the conformance of an implementation to a
specification, or the adherence of a business operation to a best practice or process definition.
There are many techniques for assessing such conformance, including the use of a standardized
test method, quality assessment by industry experts or third-party test laboratories, and vendors’
claims of conformance made within a defined legal framework.
The O-TTPS accreditation process, conformance criteria, conformance assessment, policies,
parties, and their roles will be defined and approved after the publication of Version 1.0 of this
Standard.
1.4 Terminology
This section provides a set of terms and their definitions, which should be used when describing
and interpreting the Standard requirements and recommendations specified in Chapter 4 of this
Standard. These terms are aligned with ISO/IEC Directives, Part 2 (Annex H).
Shall Indicates an absolute, mandatory requirement of the Standard that has to be
implemented in order to conform to the Standard and from which no
deviation is permitted. Do not use “must” as an alternative for “shall”. (This
will avoid any confusion between the requirements of a document and
external statutory obligations.)
™
Open Trusted Technology Provider Standard (O-TTPS), Version 1.1 3
© ISO/IEC 2015 – All rights reserved

Shall not Indicates an absolute preclusion of the Standard, and if implemented would
represent a non-conformity with the Standard. Do not use “may not” instead
of “shall not” to express a prohibition.
Should Indicates a recommendation among several possibilities that is particularly
suitable, without mentioning or excluding others, or that a certain course of
action is preferred but not necessarily required.
Should not Indicates a practice explicitly recommended not to be implemented, or that a
certain possibility or course of action is deprecated but not prohibited. To
conform to the Standard, an acceptable justification must be presented if the
requirement is implemented.
May Indicates an optional requirement to be implemented at the discretion of the
practitioner. Do not use “can” instead of “may” in this context.
Can Used for statements of possibility and capability, whether material, physical,
or causal.
1.5 Future Directions
The OTTF intends to address possible additional threats and risks with best practice
requirements and recommendations in future Standard releases. The OTTF also intends to
provide conformance criteria and an O-TTPS Accreditation Program.
4 Open Group Standard (2014)
© ISO/IEC 2015 – All rights reserved

2 Business Context and Overview
This chapter describes the typical business environment, the business rationale, the context of
Commercial Off-the-Shelf (COTS) Information and Communication Technology (ICT), and an
overview of the Open Trusted Technology Provider Framework (O-TTPF) and this Open
Trusted Technology Provider Standard (O-TTPS).
2.1 Business Environment Summary
Globalization is inherent in the business environment. The rapid pace of globalization has
brought both benefits and risks to customers of COTS ICT products. Globalization is an
essential factor in the ability to build, deliver, and support feature-rich COTS ICT hardware and
software, and the economies of scale resulting from globalization are a significant benefit. In
fact, in today’s market COTS ICT products could not exist without global development – the
global production environment is essential to the technology industry.
As cyber attacks increase in sophistication, stealth, and severity, global governments and larger
enterprises have also begun to take a more comprehensive approach to risk management as it
applies to product integrity and supply chain security. In addition to enhancing information
security by improving security practices across the enterprise, governments and enterprises have
begun inquiring about the practices COTS ICT vendors use to protect the integrity of their
products and services as they are developed and moved through the global supply chain. First,
one needs to understand the extent of the global supply chain by looking at an operational
scenario.
2.1.1 Operational Scenario
Figure 1 provides one example of how the various constituents in COTS ICT product supply
chains ideally would interact. These constituents may not always have a role to play in every
scenario. They are all included to provide a more complete picture.
™
Open Trusted Technology Provider Standard (O-TTPS), Version 1.1 5
© ISO/IEC 2015 – All rights reserved

Integrator Standards Body
Customer/Acquirer
Will seek business partners who meet
Will seek ways of achieving
Demands certificate as
Trusted Technology Provider
market up-take/ integrity
evidence of conformance
requirements
of standards
to standards
Business  Partners
Standards
Process
Alliance
Accreditation
Process
Business Partners
Component
CertiCertiffiicacatitionon//
Suppliers
Provider
Accreditation Body
May be hardware, software,
Will seek business partners who can meet Must be independent &
global, open source - or not
Trusted Technology Provider requirements vendor/technology-neutral
- multiple supplier layers
Figure 1: Constituents
Table 1 describes the roles of these constituents in this Standard.
Table 1: O-TTPS Constituents and their Roles
Constituent Role Played
Customer Synonymous with acquirer.
Acquirer Acquires or procures a product or service from a supplier, provider, or
integrator.
Procures and integrates components, products, and services to create solutions
that meet the customer’s requirements.
Downstream customer or integrator.
System Integrator Provides services and solutions to customers. Typically used on large projects
that deal with multiple providers.
Engages in competitive tendering processes with acquirers.
Has alliances with providers and acquirers.
Deals with the incorporation of technologies that could be component
technologies as sub-assemblies or component technologies incorporated into
assemblies. These assemblies could be hardware assemblies, software
assemblies, or combinations of hardware and software.
Vendor Synonymous with provider.
6 Open Group Standard (2014)
© ISO/IEC 2015 – All rights reserved

Constituent Role Played
Provider Builds products, either entirely in-house, or including software and/or hardware
components from suppliers.
Has alliances with: acquirers, integrators, suppliers (for software or hardware
components), and business partners, including distribution channel partners.
May also utilize Open Source software components in development of their
products.
May engage in the standards process with standards bodies.
Engages in the certification/accreditation process with certification/accreditation
bodies.
Requests that their suppliers follow the O-TTPS and have been accredited as
Trusted Technology Providers.
Builds products that may be the subject of certification.
Develops products and manages the supply chain to provide acquirers and
integrators with trustworthy products.
Supplier Supplies components typically as a business partner to providers. May be
required to prove that their products meet certain criteria through certification or
through vendor test and documentation procedures.
Has business partnerships with providers.
May also be a provider in its own right.
Standards Body Develops technical specifications that establish some of the criteria for
certification.
Engages in the standards process with providers, customers, and integrators.
Has alliances with certification/accreditation bodies.
Certification/ Provides certification and/or testing services, especially those involved with
Accreditation Body conformance certification and/or testing.
Has alliances with standards bodies.
Engages in the certification/accreditation process with vendors.
2.2 Business Rationale
The following sections provide the business rationale for the Standard by presenting the business
drivers and benefits. Section 2.3 provides more context on what this Standard can and cannot
reasonably cover.
2.2.1 Business Drivers
Both acquirers and providers understand the need for globalization and wish to gain visibility
into the risks inherent in global sourcing for product development and manufacturing.
Governments and commercial consumers have expressed specific interest in understanding the
risks and learning how providers manage those risks by asking the providers the following
questions:
™
Open Trusted Technology Provider Standard (O-TTPS), Version 1.1 7
© ISO/IEC 2015 – All rights reserved

 What potential security risks may be inherited from supply chains, both for software and
hardware, and how does the Original Equipment Manufacturer (OEM) assess and manage
these risks?
 What supply chain security practices can mitigate potential risks of significant supply
chain attacks?
 What are the risks to confidentiality, integrity, and availability of a customer’s
environment or critical infrastructure as a result of procurement by customers of
counterfeit components and products?
 What software or technology development or engineering practices can help reduce
product integrity risks?
 How is product integrity and risk managed through the adoption of industry best practices
and assurance programs?
Because COTS ICT products are used extensively in both private industry and government
acquisition, an alignment of interests exists between enterprise customers and government
customers. There is a shared business value in understanding the factors that contribute to the
integrity of COTS ICT products and supply chain security, identifying those practices that can
improve product integrity and supply chain security, accrediting providers who follow those best
practices, and knowing how to identify trustworthy products that were built by Trusted
Technology Providers.
2.2.2 Objectives and Benefits
The technology supply chain continues to become more globalized, segmented, and specialized.
All commercial and government acquirers, integrators, software developers, hardware providers,
and manufacturers are members of the global technology supply chain. Consequently, every
member of this global community has a responsibility to ensure the security of the end-to-end
technology supply chain. The Open Group Trusted Technology Forum (OTTF) is intended to
facilitate the evolution of the O-TTPF (Framework) and O-TTPF-related Standards to allow
compliant providers to address the ever-changing supply chain landscape and new threats as they
emerge.
The OTTF also intends to provide an accreditation program that will allow providers who meet
the O-TTPS requirements and recommendations to become accredited and acknowledged on a
public accreditation registry, so that customers from industry and government can buy from
those Trusted Technology Providers with increased confidence.
The Forum’s work is intended to benefit:
 Providers: Providers who adopt these practices will be better able to identify and mitigate
security risks throughout the development, sourcing, and maintenance of COTS ICT
products. They will be able to take advantage of a market differentiator associated with
Trusted Technology Provider status, and to more readily identify Trusted Technology
Providers for their own supplier and business partner relationships.
 Suppliers: Suppliers who follow these best practice requirements and recommendations
can also achieve Trusted Technology Provider status and will be able to take advantage of
8 Open Group Standard (2014)
© ISO/IEC 2015 – All rights reserved

a market differentiator associated with having that status, which could result in better and
more frequent business partnerships among Trusted Technology Providers and integrators.
 Integrators: Integrators will be able to buy products and components (hardware and
software) from Trusted Technology Providers and suppliers enabling that part of their
integration work that is based on out-sourcing and partnerships, to be more secure and
trustworthy. In addition, integrators who follow the O-TTPS and are Trusted Technology
Providers will realize the same benefits as the providers (above).
 Acquirers: Acquirers will be able to consider a provider’s adherence to the O-TTPS as
one element of their own comprehensive commercial technology procurement and risk
management strategy.
 Marketplace at Large: Over time, widespread use of and/or reference to the OTTF’s
work products will help realize security enhancements throughout the global information
infrastructure in a manner that promotes trust, accountability, and global innovation.
By working together, the members of the OTTF have brought to the table their own best
practices and have created a composite set of best practice requirements and recommendations to
be codified in this and future Standards. The OTTF work is notable in representing consensus for
commercially reasonable best practices from industry in addressing the threats in focus. Once the
Standards have been approved and published they will be available for large and small
organizations throughout the world, to reference and incorporate into their practices with the
intent of raising the bar for all providers and component suppliers. This, in and of itself, would
be a major benefit for global providers and customers, including governments.
2.3 Recognizing the COTS ICT Context
It is important in defining this Standard of best practice requirements and recommendations, to
outline the COTS ICT context and limitations. Identifying self-imposed and practical limitations
enables businesses to focus upon making improvements in those critical areas that will help to
deliver the practical improvements at the heart of this Standard. Clearly stating such limitations
is essential to avoiding effort not focused on tangible improvements; for example:
 Addressing unsolvable problems
 Allowing scope to creep beyond succinctly constructed problem statements
Equally important to optimizing this Standard is limiting focus to those supply chain risks that
are specifically associated with a targeted supply chain attack. There is a clear difference
between the variety of supply chain business risks (e.g., a supplier going out of business or
selling a bad product) and those risks associated with a targeted supply chain attack (e.g.,
someone maliciously corrupting a component within a product being sold). Two of the principal
targeted attack areas relate to tainted and counterfeit products. Suppliers and customers should
rightly be concerned about these areas and they are discussed in Chapter 3 of this Standard. A
focus on best practices in these risk areas is likely to lead to the critical improvements that both
buyers and sellers want, and an improved global market encompassing trustworthy suppliers and
trustworthy products.
™
Open Trusted Technology Provider Standard (O-TTPS), Version 1.1 9
© ISO/IEC 2015 – All rights reserved

Many other business risks are of concern but do not represent targeted attacks on the supply
chain and are thus not a focus area of these best practices. One such area is the risk pertaining to
a poor quality product. In the case of software and hardware, product defects include unintended
mistakes in coding or unintended mistakes in design. The cost of having to apply multiple
patches to address software defects is in some cases a “hidden cost” and may affect both a
system’s overall cost and effectiveness. Providers, too, have a vested interest in reducing
unintended defects since they may damage their brand and add business costs via creating and
testing patches. However, the nature of software and hardware development is as follows:
 It is impossible to verify that a component or product is free from all defects.
 Some defects are “security vulnerabilities”; i.e., defects may be exploited by
knowledgeable users to bypass security mechanisms.
 Once security vulnerabilities are exploited there may be a compromise in the
confidentiality, integrity, or availability of systems containing the component or product.
This is true for any software or hardware component, including government developed and
COTS ICT.
However important the area of “vulnerabilities” is to both buyers and sellers, it is a risk of
buying any product. While vulnerabilities can never be completely eradicated, this Standard does
provide best practice requirements that will help to limit them, including a set of best practice
requirements specifically related to vulnerability analysis and response.
Another property inherent in the use of COTS software and hardware requires that consumers
(acquirers) understand that COTS products are intended to meet the needs of a specific
commercial market segment. Whether a software or hardware product is “fit-for-purpose”,
including “fit for the security threats it will face”, is a business and system design decision that
must be understood by the customer, since COTS by definition is not “special-purpose, custom
design”. Thus, “determination of fitness-for-purpose” is not part of the scope of the best
practices in this Standard.
Lastly, even though “tainting” is rightly a focus area of this Standard, there are limitations of
best practices in ameliorating certain tainting risks. Chief among these is the problem of a
malicious yet fully authorized insider deliberately corrupting or tainting product; that is, putting
in unintended functionality (e.g., a backdoor allowing bad actor access) or corrupting
functionality (e.g., rendering access controls by-passable under some conditions). It is, in short,
impossible to completely prevent a fully authorized insider from changing code in a way that is
undetectable, even if you know where to look for the corrupt code.
The practices described here
may be applied to mitigate risks introduced by both malicious insiders and outsiders.
Recognizing these COTS ICT realities and given the continual improvement in vulnerability
analysis tools and techniques, this Standard does identify best practice requirements and
recommendations in those areas of risk. If followed in conjunction with the other best practice
requirements identified in the Standard, they will help to reduce the possibility of malicious code
being introduced as the product progresses throughout its life cycle and measurably further the
For support of this premise, see the 2007 Defense Science Board Task Force on Mission Impact of Foreign Influence on DoD
Software. It is not currently a solvable problem, or even a problem for which there are acceptable mitigation techniques.
10 Open Group Standard (2014)
© ISO/IEC 2015 – All rights reserve
...