The Open Group Conference - Boston 2010: Proceedings

Acquisition CyberSecurity (ACS) Initiative

Objective of Meeting

The objectives of this meeting were:

  • To discuss the formalization of the ACS Initiative
  • To discuss the future objectives, milestones, and market adoption goals for the Framework
  • To discuss the Certification/Accreditation Program
  • To continue reviewing the latest draft of the Trusted Technology Provider Framework

Summary

The ACS Initiative sessions focused on reviewing and building consensus for the Trusted Technology Provider Framework. The Framework identifies best practices that, when applied cohesively and appropriately, translate into a level of assurance that can be communicated to customers. This benefits both the supplier and buyer communities: it gives suppliers accepted, industry-common targets to aim for, and it allows buyers to more easily identify products that meet secure, trusted development and manufacturing criteria. Vendors investing in and attaining these practices and processes would gain a deserved market differentiator. By establishing a framework that defines the characteristics of product trustworthiness, some of the current overlapping and redundant certification and accreditation efforts might be streamlined, reducing effort and enabling government to take better advantage of current technology from commercial technology providers.

The ACS Initiative is also working on conformance criteria for the best practices and the beginnings of a certification/accreditation program that will identify trusted technology providers and the products to which they effectively apply the best practices.

Dave Lounsbury, The Open Group, gave a presentation and facilitated discussion on formalizing the Initiative, which thus far has been open to all free of charge, and on membership terms. Since the Initiative participants will soon submit the Trusted Technology Provider Framework to The Open Group's Formal Review and Approval Process, and since they expect to evolve the best practices and create a certification/accreditation program for them, the participants recognize that the Initiative needs to move to more formal governance and a more formal group structure.

Dave described the open standards process, which will be used for the formal review and approval of the Framework and eventually for the conformance criteria and certification program. The Open Group standards process can be found here.

The idea of starting a new Forum under The Open Group was proposed to the group and supported by the participants. This level of commitment will demonstrate the seriousness of the group’s objective to the government, providing a more compelling reason for them to continue to support or endorse the Initiative’s efforts going forward.

Dave Lounsbury emphasized the importance of forming under an organization such as The Open Group, which is a Voluntary Consensus Standards Body under the National Technology Transfer and Advancement Act (NTTAA) and OMB Circular A-119, assuring that its governance processes embody the following attributes: openness, balance of interest, due process, an appeals process, and consensus.

Ken Hong Fong presented on market uptake, outreach, and support. He cited some very compelling reasons for working with The Open Group in this effort: it is open and vendor-neutral, publishes its proceedings and standards, has formal, proven review and approval processes, is accessible to all companies, is a global organization, and has the legal infrastructure to assure that participants are protected in their collaboration activities.

There was discussion of the fact that the government and vendors are looking for something different from traditional certification, which is typically too slow and too costly. They need something faster, noting that the required level of conformance depends on the application and its risk assessment. Ken said that not everything should go through Common Criteria; some things should, but not everything. One of the goals is to harmonize with NIAP. Larry Wagoner, NSA, co-chair of the group, and Ken took an action to talk with NIAP and said they will have a couple of slides on the outcome for The Open Group's next conference.

Ken relayed that there is also a great deal of interest from the ISO Ad Hoc group. He said he has counterparts in NII-CIO working on that, and he will take the action to harmonize with them, noting that their effort has a slightly different thrust. The ACS Initiative participants are concerned that ISO work typically takes too long to come to fruition.

The ISO Ad Hoc group has asked us to present on the ACS Initiative on July 26 with a short 1-2 page presentation. Ken asked for volunteers; Andras Szakal agreed to present. The ISO Ad Hoc working group is sponsored by NII, and Nadya Bartol is the international rapporteur, the guiding pen taking down all inputs from industry. They have done some good things. We don't want to be orthogonal to them, we don't want to duplicate their work, and we don't want to run at their pace.

The Initiative participants feel we need to stay connected with NII, because other parts of their companies are connected to it and the left hand and right hand need to know what each is doing. Ken said there are working groups in the Federal CIA Council that are very interested in what is happening here, because they are looking for avenues into federal acquisition.

Jim Hietala, VP and Security Director, The Open Group, gave a brief introduction to the draft Business Scenario, a document that captures the drivers behind a certification/accreditation program for Trusted Technology Providers and asked that people review it and provide comments over the next several weeks.

The group continued to discuss feedback and recommendations on the Trusted Technology Provider Framework, facilitated by co-chairs Andras Szakal, IBM, and Larry Wagoner, NSA. They carried out a section-by-section review of the Framework.

The participants discussed the need to move quickly if we want something solid to hand off to the government. Ken said the government is interested, but it needs to know that the companies are committed and that we have something solid to show. The group felt that a final draft, in a state ready to be submitted to the formal review and approval process, would probably be substantial enough to show the government. The group is hopeful that this final draft will quickly lead to broader awareness and support for this effort from the government and from additional vendors.

Outputs

The Open Group will post the next version of the Trusted Technology Provider Framework after completing the review of all sections.

Next Steps

  • Web conference to continue review of the TTPF (Sections 3.3 and 3.4): Thursday, July 29, 11:00 – 1:00 Eastern
  • Draft Conformance Criteria and Draft Conformance Statement: August 15
  • Face-to-Face Meeting in DC (Dulles) – IBM facility: August 25
  • Final Draft Framework: September 15

Links

See above.
