Acquisition Cybersecurity (ACS) Initiative

Objective of Meeting

The Acquisition Cybersecurity (ACS) Initiative involves participants of the United States Office of the Deputy Under Secretary of Defense (Acquisition and Technology) working with industry organizations to explore best practices in product development, manufacturing, and supply-chain management that are necessary to develop trustworthy commercial products and to be able to procure these with confidence.

The objective of this meeting was to:

  • Provide an overview of the ACS initiative
  • Introduce the Trustworthy Product Framework, which seeks to identify existing best practices needed to identify trustworthy products and components and offer the opportunity to review and provide feedback on that work thus far
  • Extend participation to the global community

Summary

An introduction was provided by Dave Lounsbury, VP of The Open Group Consortia Services, in which he stated that the DoD (AT&L) contracted The Open Group to begin an Acquisition Cybersecurity (ACS) Initiative to help government and commercial organizations to “build with integrity and procure with confidence”. Dave provided an overview of recent and future milestones to provide some context to the current state of the Initiative.

Milestones:

  • Stakeholder Kick-off Meeting, San Francisco, January 7, 2010
  • Business Scenario Workshop, The Open Group Conference, Seattle, February 1, 2010
  • Online Open Review of Trusted Technology Provider Framework and Business Scenario, April/May 2010
  • Finalize Change Recommendations, The Open Group Conference, Boston, July 2010
  • Publish Trusted Technology Provider Framework and Business Scenario, September 2010
  • Agree long-term strategy recommendations for Initiative, September 2010
  • Compendium of Best Practices and Technical Standards for Acquisition in Cybersecurity, September 2010
  • Evolution of Acquisition Compendium and Initiative, October 2010 and further

Following Dave Lounsbury’s introduction, the Trusted Technology Provider Framework was presented by Andras Szakal, IBM, who has been working diligently to facilitate progress on this document over the past several weeks.

The information below is extracted from the DRAFT Introduction to the Trusted Technology Provider Framework Document – and is not for re-distribution outside of the ACS Initiative participants at this time. It is included here to give you a good idea of what the group is working on. If you are interested in participating in this initiative and accessing the Trusted Technology Framework Document in full, please contact Sally Long at s.long@opengroup.org.

DRAFT Introduction to the Trusted Technology Provider Framework

Industry Best Practices for manufacturing technology products that facilitate customer technology acquisition risk management practices

Background

Governments and large enterprises are cognizant and appreciative of the benefits of globalization. At the same time, they recognize their increasing reliance on commercial off-the-shelf (COTS) information technology (IT) components (software and hardware) to deliver mission-critical operations.

As cyber attacks increase in sophistication, stealth, and severity, governments and larger enterprises have also begun to take a more comprehensive approach to risk management and product assurance. In addition to enhancing information security by improving security practices across the enterprise, governments and enterprises have begun inquiring about the practices information technology vendors use to protect the integrity of their products and services as they move through the global supply chain.

Governments and commercial consumers have expressed specific interest in understanding how vendors manage the risks inherent in globalized product development and manufacturing, including:

  • What potential integrity risk may be inherited from supply chains, both for software and hardware, and how the original equipment manufacturer (OEM) assesses and manages these risks
  • Practices that can mitigate the potential risks of significant supply-chain attacks
  • Risks to the confidentiality, integrity, and availability of a customer's environment or critical infrastructure that result from customers procuring counterfeit components and products
  • What software or technology development or engineering practices can help reduce product integrity risks
  • How product assurance and risk are managed through the adoption of industry best practices and recognized international testing standards

Commercial enterprise and government customers share an interest in understanding what factors contribute to product integrity and how to identify a trustworthy COTS product.

Determination of trusted status is impeded in part due to the lack of (1) consistent terms; (2) uniformly agreed upon supply-chain standards, practices, and approaches; and (3) comprehensive common ways of thoroughly testing the performance and integrity of a product in a way that keeps pace with innovation, investigates diversely sourced components, and is applicable globally.

To address these challenges the US Department of Defense (DoD) sponsored this project to promote an industry-wide effort where vendors identify the current best practices and processes that contribute to the secure and trusted development, manufacture, delivery, and ongoing operation of commercial products. This framework is intended to identify those best practices and product assurance standards. From a common base it will be more feasible for consumers to establish more effective acquisition and risk management processes.

Through a collaborative effort, we envision identifying best practices that when applied cohesively and appropriately would translate into a level of assurance that could be communicated to customers. This would benefit both the supplier and buyer communities, as it would give suppliers accepted industry-common targets for which to aim and allow buyers to more easily identify products that meet secure, trusted development and manufacturing criteria. Vendors investing in and attaining these practices and processes would gain a deserved market differentiator. By establishing a framework that defines the characteristics of product trustworthiness, some of the current overlapping and redundant certification and accreditation efforts might become streamlined, thereby reducing effort and enabling government to take better advantage of current technology from the commercial technology providers.

Purpose and Objectives of the ACS Initiative

The purpose of this work group is to identify and gain consensus on common processes, techniques, methods, product and system testing procedures, and language to describe and guide product development and supply-chain management practices that can mitigate vulnerabilities which could lead to exploitation and malicious threats to product integrity.

The objectives are to:

  • Identify product assurance practices that should be expected from all commercial technology vendors based on the baseline best practices of leading trusted commercial technology suppliers
  • Help establish expectations for global government and commercial customers when seeking to identify a trusted technology supplier
  • Leverage existing globally recognized information assurance practices and standards; for example, Common Criteria
  • Share with commercial technology consumers secure manufacturing and trustworthy technology supplier best practices
  • Harmonize language used to describe best practices

If you would like to participate in evolving this set of best practices and in helping to shape how this set of best practices will be used to indicate trustworthy products, please contact Sally Long at s.long@opengroup.org.
