Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Part 1: Requirements and recommendations for mitigating maliciously tainted and counterfeit products

ISO/IEC 20243-1:2018 (O-TTPS) is a set of guidelines, requirements, and recommendations that address specific threats to the integrity of hardware and software COTS ICT products throughout the product life cycle. This release of the Standard addresses threats related to maliciously tainted and counterfeit products. The provider's product life cycle includes the work it does designing and developing products, as well as the supply chain aspects of that life cycle, collectively extending through the following phases: design, sourcing, build, fulfillment, distribution, sustainment, and disposal. While this Standard cannot fully address threats that originate wholly outside any span of control of the provider (for example, a counterfeiter producing a fake printed circuit board assembly that has no original linkage to the Original Equipment Manufacturer, or OEM), the practices detailed in the Standard will provide some level of mitigation. An example of such a practice would be the use of security labeling techniques in legitimate products.

Technologies de l'information — Norme de fournisseur de technologie de confiance ouverte (O-TTPS) — Partie 1: Exigences et recommandations pour l'atténuation des produits contrefaits et malicieusement contaminés

General Information

Status: Published
Publication Date: 23-Nov-2023
Current Stage: 6060 - International Standard published
Start Date: 24-Nov-2023
Due Date: 11-Jan-2025
Completion Date: 24-Nov-2023
Buy Standard

Standard
ISO/IEC 20243-1:2023 - Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Part 1: Requirements and recommendations for mitigating maliciously tainted and counterfeit products. Released: 24 Nov 2023
English language
31 pages

Standards Content (Sample)


INTERNATIONAL STANDARD ISO/IEC 20243-1
Second edition, 2023-11
Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Part 1: Requirements and recommendations for mitigating maliciously tainted and counterfeit products
© ISO/IEC 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2023 – All rights reserved

Contents (page)
Foreword ... iv
Preface ... vi
Trademarks ... viii
Introduction ... ix
1 Scope ... 1
1.1 Conformance ... 2
1.2 Future Directions ... 2
2 Normative references ... 2
3 Terms and definitions ... 2
4 Business Context and Overview ... 9
4.1 Business Environment Summary ... 9
4.1.1 Operational Scenario ... 9
4.2 Business Rationale ... 11
4.2.1 Business Drivers ... 11
4.2.2 Objectives and Benefits ... 12
4.3 Recognizing the COTS ICT Context ... 13
4.4 Overview ... 14
4.4.1 O-TTPF Overview ... 14
4.4.2 O-TTPS Overview ... 15
4.4.3 Relationship with Other Standards ... 15
5 O-TTPS – Tainted and Counterfeit Risks ... 16
6 O-TTPS – Requirements for Addressing the Risks of Tainted and Counterfeit Products ... 17
6.1 Technology Development ... 18
6.1.1 PD: Product Development/Engineering Method ... 19
6.1.2 SE: Secure Development/Engineering Method ... 21
6.2 Supply Chain Security ... 24
6.2.1 SC: Supply Chain Security Method ... 24
Bibliography ... 31


Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed
for the different types of document should be noted (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had
not received notice of (a) patent(s) which may be required to implement this document. However,
implementers are cautioned that this may not represent the latest information, which may be obtained
from the patent database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall
not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the World
Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by The Open Group [as Open Trusted Technology Provider Standard
(O-TTPS) V1.2, Part 1: Requirements and Recommendations] and drafted in accordance with its editorial
rules. It was adopted, under the JTC 1 PAS procedure, by Joint Technical Committee ISO/IEC JTC 1,
Information technology.
This second edition cancels and replaces the first edition (ISO/IEC 20243-1:2018), which has been
technically revised.
The main changes are as follows:
— Wording was changed throughout the document, including in beginning materials, attribute
definitions and requirements, as necessary to improve clarity and/or concision.
— The definition of “component” has been clarified to include both hardware and software.
— A definition for “security-critical” has been added.
— PD_DES.01 has become a mandatory requirement.
— PD_CFM.04 has become a mandatory requirement.
— The attribute definition of PD_QAT has been clarified.
— The attribute definition of PD_PSM has been clarified.

— The SE_VAR requirements have been largely reworked and reorganized, with a new mandatory
requirement being added and several existing requirements becoming mandatory.
— SE_PPR.02 has become a mandatory requirement.
— SE_PPR.04 has become a mandatory requirement.
— SC_RSM.05 has become a mandatory requirement.
— SC_ACC.04 has become a mandatory requirement.
— SC_ESS.02 has become a mandatory requirement.
— SC_ESS.03 has become a mandatory requirement.
— SC_ESS.04 has been completely rewritten and has become a mandatory requirement.
— SC_BPS.02 has become a mandatory requirement.
— The SE_STH requirements have been largely reworked and reorganized, with a new requirement
being added and an existing requirement becoming mandatory.
— SC_CTM.02 has been heavily revised and has become a mandatory requirement.
— SC_MAL.02 has been heavily revised and has become a mandatory requirement.
A list of all parts in the ISO/IEC 20243 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

Preface
The Open Group
The Open Group is a global consortium that enables the achievement of business objectives through
technology standards. With more than 870 member organizations, we have a diverse membership that
spans all sectors of the technology community – customers, systems and solutions suppliers, tool
vendors, integrators and consultants, as well as academics and researchers.
The mission of The Open Group is to drive the creation of Boundaryless Information Flow™ achieved by:
— Working with customers to capture, understand, and address current and emerging requirements,
establish policies, and share best practices
— Working with suppliers, consortia, and standards bodies to develop consensus and facilitate
interoperability, to evolve and integrate specifications and open source technologies
— Offering a comprehensive set of services to enhance the operational efficiency of consortia
— Developing and operating the industry’s premier certification service and encouraging procurement
of certified products
Further information on The Open Group is available at www.opengroup.org.
The Open Group publishes a wide range of technical documentation, most of which is focused on
development of Standards and Guides, but which also includes white papers, technical studies,
certification and testing documentation, and business titles. Full details and a catalog are available at
www.opengroup.org/library.
This Document
The Open Group Open Trusted Technology Forum (OTTF) is a global initiative that invites industry,
government, and other interested participants to work together to evolve the O-TTPS and other OTTF
deliverables.
This document is Part 1 of the Open Trusted Technology Provider Standard (O-TTPS). It has been
developed by the OTTF and approved by The Open Group, through The Open Group Company Review
process. There are two distinct elements that should be understood with respect to this document: the
O-TTPF (Framework) and the O-TTPS (Standard).
The O-TTPF (Framework): The O-TTPF is an evolving compendium of organizational guidelines and
best practices relating to the integrity of Commercial Off-The-Shelf (COTS) Information and
Communications Technology (ICT) products and the security of the supply chain throughout the entire
product lifecycle.
An early version of the O-TTPF was published as a White Paper in February 2011, revised in November
2015, and has since been updated and published as a Guide in September 2021. The O-TTPF serves as the
basis for the O-TTPS, future updates, and additional standards. The content of the O-TTPF is the result of
industry collaboration and research as to those commonly used commercially reasonable practices that
increase product integrity and supply chain security. The members of the OTTF will continue to
collaborate with industry and governments and update the O-TTPF as the threat landscape changes and
industry practices evolve.

The O-TTPS (Standard): The O-TTPS is an open standard containing a set of guidelines that when
properly adhered to have been shown to enhance the security of the global supply chain and the integrity
of COTS ICT products. Part 1 of the O-TTPS (this document) provides a set of guidelines, requirements,
and recommendations that help assure against maliciously tainted and counterfeit products throughout
the COTS ICT product lifecycle encompassing the following phases: design, sourcing, build, fulfillment,
distribution, sustainment, and disposal.
The O-TTPS, Part 2: Assessment Procedures for the O-TTPS provides assessment procedures that may be
used to demonstrate conformance with the requirements provided in Clause 6 of this document.
Using the guidelines documented in the O-TTPF as a basis, the OTTF is taking a phased approach and
staging O-TTPS releases over time. This staging will consist of standards that focus on mitigating specific
COTS ICT risks from emerging threats. As threats change or market needs evolve, the OTTF intends to
update the O-TTPS by releasing addenda to address specific threats or market needs.
The O-TTPS is aimed at enhancing the integrity of COTS ICT products and helping customers to manage
sourcing risk. The authors recognize the value that it can bring to governments and commercial
customers worldwide, particularly those who adopt procurement and sourcing strategies that reward
those vendor
...