User:Jgb1128/Trusted Technology Forum

The Trusted Technology Forum (abbreviated as TTF) is a Forum established under the auspices of The Open Group. Its stated goal is “to promote the adoption of best practices for secure technology engineering and procurement strategies in order to establish a more trustworthy global technology supply chain.” The Forum seeks to provide a “framework, guidelines” and related resources to help the technology and communications industries “build with integrity” by providing vendors, distributors and integrators with commercially reasonable integrity practices. The guidelines are intended to:

  • Enable customers to buy with confidence
  • Identify procurement strategies to protect the consumer, thereby…
  • Support global innovation and promote global adoption.[1]

The TTF’s ultimate objective is to develop a marked accreditation program, which will help companies identify secure technology providers and products in the global supply chain, enabling suppliers to build with integrity and customers to buy with confidence. The Trusted Technology Provider Framework (TTPF) sets forth best practices, identified by a cross-industry forum, which, if used by a technology vendor, may allow a government or commercial enterprise customer to consider the vendor's products more secure and trusted. Governments and commercial organizations worldwide continue to voice concerns over the need to ensure the integrity of the world’s technology supply chains while maintaining a diverse range of technology options and preserving innovation. This is evidenced by the growing number of global customer initiatives aimed at understanding potential technology sourcing risks. There is general agreement on the need to adopt procurement and sourcing strategies for commercial products and services that create market incentives for vendors who adopt trusted technology practices. These practices are aimed at enhancing the integrity of products and helping customers manage sourcing risk. The initial version of the TTPF was developed by The Open Group Acquisition Cyber Security (ACS) Initiative. ACS was founded by several major international technology (hardware and software) companies as well as aerospace vendors.[2]


The Open Group

The Open Group is an international vendor- and technology-neutral consortium which leads the development of open, vendor-neutral IT standards and certifications by sharing lessons learned and best practices among key industry peers, suppliers and customers. The Open Group's stated role is to provide guidance and an open environment in order to ensure interoperability and vendor neutrality.

History

In 2009, the US Department of Defense worked with The Open Group to establish the Acquisition Cybersecurity (ACS) Initiative, which in turn evolved from requirements identified at a Cybersecurity Roundtable in 2008.[3] The ACS was intended to help vendors identify the current best practices and processes that contribute to both the creation of trusted technology and the establishment of trust in technology supply chains. While the DoD was a catalyst for the exploratory work of the initiative, the TTF is now an industry-led, vendor- and member-driven initiative within The Open Group.

TTF and Other Standards Organizations

The Open Group claims expertise in gaining consensus across standards bodies to develop and define new standards and evolve existing ones (they call this “standards harmonization”). The Open Group states that it encourages the free exchange of information and best practices. While other consortia have looked at supply chain security and at creating some assurance that companies can be trusted (for example in the energy industry), the members of the TTF believe that best practices are needed in this area, starting with technology and communications companies. The TTF’s focus is on secure engineering and supply chain integrity.

Glossary of Terms

COTS: Commercial off-the-shelf products – commercially available products.

Development Method: A primarily software-based (SDLC) development method, applicable to all forms of software-based products.

Engineering Method: Method that is focused on manufacturing or development processes and practices for products with significant hardware-based technology components (chips, firmware, or systems, etc.).

Framework: A framework is used to define a set of structured processes and templates that facilitates solving a complex problem.

GA: Product General Availability.

HTSC2: High-Tech Supply Chain Security Consortia.

ITAC: IT Architect Certification – a certification program of The Open Group – used as example of an accreditation and certification program.

OSS: Open Source Software – software that is developed collaboratively using an open (visible) development process.

OEM: Original Equipment Manufacturer.

Supply Chain Attack (general): In general, a supply chain attack is an attempt to disrupt the creation of goods by subverting a commercial manufacturing, ordering, or distribution process.

Supply Chain Integrity: The manufacturing and/or development process performs its intended function in an unimpaired manner, free from deliberate or inadvertent manipulation. Extends NIST definition [NIST 800-12].

Technology Supply Chain Attack: A technology supply chain attack subverts the hardware, software, or configuration of a product, prior to customer delivery, for the purpose of introducing an exploitable vulnerability.

Technology Supply Chain: The manufacturing and/or development process used to produce and deliver hardware or software technology products and their configuration.

TTPF: Trusted Technology Provider Framework.

References

  1. "Trusted Technology Forum".
  2. "Defense Department wants secure, global high-tech supply chain".
  3. "Group aims to help secure the technology supply".

See Also

Category:Computer security standards Category:Evaluation Category:Open Group standards Category:Data Security Category:Supply Chain Integrity