How does one measure the best product-related practices that may be in place in the world of Commercial Off-the-Shelf Technology (COTS)? Often specific versions of an Information and Communication Technology (ICT) product are certified by a third-party “Lab” that examines the state of that version against the security requirements for the identified scope. Some process aspects of product evaluations also come into play, such as one’s approach to handling a vulnerability found in a version of software. The advantage of the product-version approach is that if one is acquiring a specific version, one knows that it has been specifically reviewed and evaluated. However, there are process gaps in product evaluations: these days they focus less on secure engineering practices, and they do not yet address supply chain security.
Last April The Open Trusted Technology Provider Standard created a consensus-based global measuring stick of good practices focused on the two threats of maliciously tainted and counterfeit products. This week, with the announcement of The Open Trusted Technology Provider Accreditation Program, the approach now includes a standard method of independent measurement of these good practices. An organization’s practices are assessed by a third-party Lab, but they are also by necessity associated with a specific set of actual COTS ICT products, so the correlation is clear between the group that follows the security practices and the products that result from the group’s work. This can potentially satisfy the COTS ICT industry’s interest in a “Measure Once” approach, whereby previous applicable product certification evidence can now be counted as relevant product-related process evidence within the Accreditation Program.
The other difference with this model, where organizational practices are evaluated, is that the scope includes not only product development and secure engineering but has expanded to include a major focus on supply chain security. With this initiative The Open Group not only addressed a COTS ICT provider making its own products but also addressed counterfeit hardware or malicious software that may come from parts of the supply chain for the set of products. Security practices across a varied and complex supply chain are harder to examine only through the lens of a specific version of a product. Supply chain practitioners by their nature strive for consistent practices that scale across the range of suppliers and the diversity of components made by those suppliers.
This is the first accreditation process to incorporate supply chain security in a uniform, measurable manner.
The combination of ingredients here in the Open Trusted Technology Provider Accreditation Program is promising:
- A clear, practical, global consensus-based standard for organizational security practices as a measuring stick
- Focused on specific threats (taint and counterfeit) that are still emerging
- Identified repeatable processes in place in the organization
- Leverages product-related evidence as artifacts
- Conformance and accreditation leveraging qualified independent validation
- An approach that can be used by COTS ICT Providers, Component Suppliers and System Integrators
EMC has been part of this process of contributing to the Open Trusted Technology Provider Standard that underlies this initiative and its new Accreditation Program from the very beginning. We are encouraged by this latest accomplishment alongside our public/private colleagues.
Join me for a lively discussion at the RSA Conference at a related session called “Measurement as a Key to Confidence: Providing Assurance”.