The ACS Initiative, through their Trusted Technology Provider Framework, is identifying best practices that when applied cohesively and appropriately will translate into a level of assurance that can be communicated to customers. This will benefit both the supplier and buyer communities, as it will give suppliers accepted industry-common targets for which to aim and allow buyers to more easily identify products that meet secure, trusted development and manufacturing criteria. Vendors investing in and attaining these practices and processes would gain a deserved market differentiator. By establishing a framework that defines the characteristics of product trustworthiness, some of the current overlapping and redundant certification and accreditation efforts might become streamlined, thereby reducing effort and enabling government to take better advantage of current technology from the commercial technology providers.
The ACS Initiative is also working on conformance criteria and the beginnings of an accreditation program that would identify trusted technology providers and the products to which they effectively apply the best practices.
Dave Lounsbury, VP Collaboration Services, The Open Group, gave an introductory presentation. He emphasized the importance of industry working with government in order to attain achievable objectives in the delivery of trusted technology. Emphasizing the importance of working together from top down and bottom up – rather than working strictly from a top-down regulatory perspective and running the risk of non-attainability.
Each participant introduced themselves. There were representatives from: DoD, MIC Business Solutions, NSA, IBM, Lockheed Martin, Microsoft, SEI, RSA/EMC, CA Technologies, LynuxWorks, Boeing, The MITRE Corporation, Cisco Systems Inc., and The Open Group.
Ken Hong Fong gave an update on the DoD, Federal Security, and Supply-Chain activities and why the ACS Initiative work is significant. He provided some great background on the ACS Initiative to set the stage: The effort had its start at a round-table discussion at The Open Group’s San Francisco office, in July of 2008, which was initiated by the then Under Secretary of Defense, Dr. James Finley. During that meeting, attended by about 15 organizations from both government and industry, a number of pain-points, related to how difficult and costly the DoD acquisition process was, highlighted the fact that large suppliers and integrators were about the only types of organizations that could afford to participate in it.
Out of that meeting came the idea to try an alternative approach, instead of working from a top-down approach – that is, the government dictating what conformance criteria needed to be met – they would try working with the suppliers to define the criteria. The Open Group continued to work with the DoD, interfacing with Ms. Kristen Baldwin and Mr. Ken Hong to capture and vet their objectives, until September of 2009.
Subsequently, The Open Group held a kick-off meeting at their office in San Francisco on January 7th. From that meeting, they drafted a Strawman set of best practices for a good commercial product, which has evolved to become the Trusted Technology Provider Framework, which the participants are in the process of reviewing.
Ken Hong Fong tied the beginning of the effort to where we are in our thinking by offering the following thoughts:
Another theme that came out of the beginning discussions was that innovation is taking place very quickly and it’s coming out of the certification programs. But because it takes so long to make it through the process – certify, procure, tailor, etc. – the product ends up being close to the edge of its lifecycle.
He said that maybe COTs are more important and prevalent than we realized. For example, COTS are underneath many weapons systems and many command and control systems, many airplanes, and many of their ad hoc networks. So, we need to work with industry to determine how they/we build trustworthy products – trustworthy COTS.
Ken went on to say all vendors think they have the methodology to build good commercial products. Assuming that’s the case, then it makes a lot of sense for the vendors to come together through this initiative and define the methodology as a best practice.
He also stressed that globalization is important, that it is the way of the world; we just need to make sure that the supply chain is trustworthy and the COTS are trustworthy. And so we need a way of defining these common practices sufficiently so they are confirmable – so that the government and commercial vendors can “Buy with Confidence”. This won’t just benefit government, it will benefit vendors because they can demand the same of their subcontractors.
He noted that we are not really trying to change commercial processes in all cases, but rather we are trying to work with vendors to understand the practices that go into producing a good commercial product; practices that we could certify and expose so that all vendors can follow those best practices as well.
He emphasized that if we are successful, all vendors, in the US and throughout the world, will be applying these practices to a product in a traceable fashion. Practices need to be traceable to a particular product line. So you can buy the product because you know it’s been built following best practices.
Also, if we are to be successful, we need to be cautious that we don’t establish a ream of paperwork. We have to leverage existing processes. We don’t want this to be so burdensome and costly that no vendors follow it, but we want it to be rigorous enough that it means something.
Along with providing the Trusted Technology Provider Framework, the ACS Initiative is also providing conformance criteria for applying the best practices and looking at Certification of Trusted Products and Accreditation of Organizations who develop their products using the best practices defined in the Framework.
The Open Group has 20 years of experience in providing Certification and Accreditation Programs, and James De Raeve, VP of Certification for The Open Group provided an overview of what The Open Group has to offer in that area, and how The Open Group will work with the ACS Initiative, with the government, and the vendors, to define a certification or accreditation program that meets their needs.
Discussion on the Certification Program among the participants followed.
Through the Q&A, the group arrived at a better understanding of what was involved in the certification program definition and development – and a better appreciation that The Open Group can define and develop something that meets their specific needs.
The group discussed some of the possibilities for structuring the program, but it was felt that first they need to come to closure on the best practices, and then draft the conformance criteria.
Andras Sakal from IBM, provided an overview of the Trusted Technology Provider Framework.
The categories of best practices listed below are considered most effective in protecting customers from assuming unacceptable levels of product security risk. These categories identify fundamental areas within the development and manufacturing process where risk management and assurance have the greatest impact on the quality and integrity of a commercially available (COTS) technology product. These categories and practices are anticipated to evolve as new methods and techniques are identified and adopted by technology suppliers:
- Product Engineering/Development Method
- Secure Engineering/Development Method
- Supply Chain Management Method
- Product Evaluation Method
A discussion, feedback, and recommendations on best practices session was led by the co-chairs of the initiative: Larry Wagoner, NSA and Andras Szakal, IBM. The group proceeded with a substantive review of Section 3.1: Product/Development Method.
The group felt that we were in general headed in the right direction, but needed to work on specific refinements.
Kristen cautioned against going exclusively down the path of process best practices and felt it was important to tie it to product certification, because that is what it really comes down to.
Ken re-iterated that conformance to the best practices needs to be tied to the products they procure to really make it valuable.
It was also agreed that certification or accreditation needs to be within reach of those that may not be as mature as the big companies, those that may only have one really good product to sell – certification should still be attainable for them.