The O-TTPF is a Standard for Providing Trustworthy Products and Recognizing Trusted Technology Providers in a Global Supply Chain – Best Practices in Secure Development, Manufacturing, and Supply Chain Integrity.
The first Framework sessions of the week offered an Overview of the Review and Approval Process. There was good discussion on the review process, allowing a better understanding of the milestones and procedural requirements that the Forum must meet prior to approval and publication.
The Draft Framework Timeline was presented for discussion and to determine what next steps are needed to meet the OTTF’s target date of publication in Q4 of this year.
There were multiple Framework development sessions throughout the three-day OTTF meeting. The review and feedback sessions focused primarily on revisions to the first three areas of the Framework: Best Practices in Product/Engineering Development, Secure/Engineering Development, and Supply Chain Integrity. There were important discussions and some proposed re-drafting of the Product Evaluation Section.
For non-members, the O-TTPF White Paper on which the O-TTPF Best Practices are based is freely available and can be downloaded from The Open Group Bookstore.
For members only – and not for distribution outside The Open Group membership at this point – the current version of the O-TTPF Best Practices can be downloaded.
Accreditation Program Development
The OTTF is developing an accreditation program that will accredit Trusted Technology Providers who conform to the Best Practices in Product/Engineering Development, Secure/Engineering Development, Supply Chain Integrity, and Product Evaluation. The Forum plans to have that program defined, approved, and piloted in Q1-Q2 of 2012.
There was in-depth discussion and consensus building on the accreditation principles.
Global Outreach-related activities from the Austin Conference are summarized below:
This was an excellent session which resulted in an increased understanding of what the OTTF hopes to achieve from an international perspective and what the Forum needs to do to illustrate its perspective and scope in order to harmonize with and achieve broader acceptance from existing global communities.
- US Government Requirements: The OTTF met over lunch for a round table discussion with Susan Alexander, Chief Strategist, Information Assurance Directorate, NSA, to learn more about the US Government challenges in the area of supply chain integrity so that the OTTF can better address them in the O-TTPF Best Practices and Accreditation Program. Andras Szakal, Chair of the OTTF, provided an OTTF Overview and Edna Conway, Vice-Chair of the OTTF, facilitated some good questions on the focus of O-TTPF as it relates to some of those government requirements. Susan Alexander acknowledged the need for supply chain integrity and the importance of industry-government partnerships and asked to remain informed as the OTTF continues to progress. There were closing remarks from Allen Brown, President & CEO of The Open Group, in which he applauded the hard work of the OTTF members, highlighting in particular the outreach work of the members and the staff to India, Japan, US, and UK governments, and the planned outreach to additional countries, stressing the importance of achieving global buy-in for this very relevant secure development and supply-chain integrity best practice.
- The OTTF also met with David Martin and Dr. Ian Levy from the UK, CESG, as a planned follow-on to the round table discussion held at the London Open Group Conference in May 2011, in which Dr. Levy also participated. The objective was to take advantage of their subject matter expertise in product evaluation and draw on their UK and global perspectives to engage in honest dialog around the following topics: the challenges in creating a global O-TTPF standard for secure development and supply chain integrity, what would make the Forum’s work more successful in achieving global market adoption from COTS providers and their suppliers, and how best to harmonize our efforts with Common Criteria as appropriate.
Committee and Work Stream Updates
The OTTF has several committees and work streams, each dedicated to driving the Forum objectives in their specific area of focus. Included below are some of the highlights from the Austin sessions.
Chair: Andras Szakal, IBM and Vice Chair: Edna Conway, Cisco
The Steering Committee discussion and updates occurred throughout the three-day meeting as the SC provided direction to the rest of the groups. From a forward-looking perspective the following upcoming events will involve SC direction and planning:
- September 27-29: International Common Criteria Conference, Kuala Lumpur, Malaysia
- October 24-25: OTTF presence at The Open Group Taiwan Conference
- November 16–18: Open Group government vertical meeting in Washington DC, to include participation from the following Forums and managed consortia: the OTTF, the Security Forum, DirecNet, and FACE.
Chairs: Kim Gibbons, Cisco and Jim Hietala, The Open Group
Jim Hietala provided the Marketing Committee update, including their work in event planning, video testimonials, podcasts, blogs, and planned press releases. The group also discussed the importance of working with the Outreach and Acquisition Work Stream to develop collateral with vetted and approved messaging.
Jim noted there was a significant amount of work on the new Open Group web site, which has a new presentation paradigm/view that groups content in subject areas. Members and non-members can access the site here and follow the trusted technology links in the left-hand navigation bar.
Some of the recent past marketing and promotional efforts are included in the Market Adoption section.
Trusted Technology Provider Framework Work Stream
Chairs: Steve Lipner, Microsoft and Andras Szakal, IBM
Since the O-TTPF development was such a large focus of the meetings in Austin, it has already been covered above in a separate section.
Standards Harmonization Work Stream
Chairs: Karen Richter, IDA, Don Davidson, DOD/CIO, and Laura Kuiper, Cisco
Karen Richter’s Standards Harmonization presentation demonstrated the great effort from this group, which has produced a landscape of the various standardization efforts. Based on their landscape research, they have identified that no one standard covers the breadth of the O-TTPF, and there does not seem to be any standard with the same breadth and depth that is as far along as the OTTF with respect to supply chain. They have, however, identified those standards groups that have some overlap with the OTTF, and have prioritized them to indicate which ones would benefit most from a harmonization and liaison relationship.
Global Outreach and Acquisition (GOA) Work Stream
Chairs: Dan Reddy, EMC and Joanne Woytek, NASA
Dan Reddy and Joanne Woytek presented their thoughts on what the GOA needs to achieve in order to be successful in their outreach to multiple countries as they gain support for the global O-TTPF Best Practice and Accreditation Program. The group has provided some excellent interim deliverables as guidelines to the outreach process. They believe what they need now is to work with the marketing team to create the correct messaging and slide decks to be used in web conferences and face-to-face meetings with the countries of highest priority and to complete the leader assignments for the various countries and government agencies.
There were multiple instances in Austin of communicating the OTTF Mission and Vision and promoting the value of the O-TTPF and they are summarized below:
Edna Conway participated in The Open Group track on the Future of Secure Computing – in the year 2030. She presented and participated in a panel discussion along with Susan Alexander. Edna gave a very thought-provoking presentation on the current global supply chain – and what it may look like in 2030, based on trends she sees today. Edna also stressed the importance of industry-government partnerships, and cited the OTTF as an example of one of those important partnerships that is working on the security and integrity of the global supply chain by developing together a set of supply chain best practices.
- Video Testimonials were provided by Edna Conway (Cisco), Andras Szakal (IBM), and Terry Blevins (Mitre), and were filmed and edited by Graham Bird, previously from The Open Group in the VP of Marketing role.
- A Podcast with Dana Farber and participation from Steve Lipner (Microsoft), Josh Brickman (CA), Andras Szakal (IBM), and Dave Lounsbury from The Open Group was recorded at the Austin Conference and should be available soon.
- The Learning Lab provided an opportunity to meet in small groups with conference attendees who wanted to learn more about the OTTF. Dan Reddy (EMC), Andras Szakal (IBM), and Sally Long from The Open Group were on-hand at the Learning Lab to talk about the OTTF. There was a constant stream of interested parties and the discussions were informative, lively, and engaging.
Next Steps within the Framework Work Stream are as follows:
- Consider additional web conference sessions on top of the current weekly sessions.
- Assign tasks to complete the context-setting sections at the beginning of the framework document – this task should utilize existing background material from the White Paper and other Forum material.
- Consider an interim deliverable such as a Snapshot or similar to provide governments, global industry constituents, and other standards organizations with an indication of where the best practices and accreditation program are headed.
Accreditation Program Development
The principles will be refined, completed, and agreed by Q4 of 2012. They will be progressed within the Accreditation Policy in the Framework Work Stream and reviewed by the Steering Committee.
The OTTF will follow up with Susan Alexander to provide additional updates as they become available including a two-pager that the OTTF is drafting which will offer a crisp message of their objectives from an international perspective, what the O-TTPF covers and what it does not, and how we plan to harmonize with Common Criteria as appropriate.
The OTTF will follow up with Dr. Ian Levy and David Martin with additional information including the two-pager described above. There are additional actions and next steps for follow-on with CESG that can be found under the OTTF Committee and Work Stream Updates.
Committee and Work Stream Updates
The Output and Next Steps for each of the Work Streams and Committees can be found in the OTTF Austin Actions document (available to members only), which includes all of the major actions and next steps from the Austin Conference meetings.
For next steps please refer to the upcoming events under the SC Committee and to the marketing and outreach actions captured in the OTTF Austin Actions document (available to members only).