|
INTERNATIONAL ISO/IEC
STANDARD 20243-2
Second edition
2023-11
Information technology — Open
TM
Trusted Technology Provider
Standard (O-TTPS) —
Part 2:
Assessment procedures for the O-TTPS
Reference number
© ISO/IEC 2023
© ISO/IEC 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: [email protected]
Website: www.iso.org
Published in Switzerland
ii
© ISO/IEC 2023 – All rights reserved
Contents Page
Foreword . iv
Preface . vi
Trademarks . viii
Introduction . ix
1 Scope . 1
1.1 Conformance . 1
1.2 Future Directions . 1
2 Normative references . 1
3 Terms and definitions . 2
4 General Concepts . 3
4.1 The O-TTPS . 3
4.2 Assessment Concepts: Relevance of Scope of Assessment and Selected Representative
Products . 4
4.3 Relevance of IT Technology Provider Categories in the Supply Chain . 4
5 Assessment Requirements . 5
5.1 General Requirements for Assessor Activities . 5
5.1.1 General Requirements for Evidence of Conformance . 5
6 Assessor Activities for O-TTPS Requirements . 8
6.1 PD_DES: Software/Firmware/Hardware Design Process . 9
6.2 PD_CFM: Configuration Management . 10
6.3 PD_MPP: Well-Defined Development/Engineering Method Process and Practices . 14
6.4 PD_QAT: Quality and Test Management . 14
6.5 PD_PSM: Product Sustainment Management . 16
6.6 SE_TAM: Threat Analysis and Mitigation . 18
6.7 SE_VAR: Vulnerability Analysis and Response . 20
6.8 SE_PPR: Product Patching and Remediation . 23
6.9 SE_SEP: Secure Engineering Practices . 25
6.10 SE_MTL: Monitor and Assess the Impact of Changes in the Threat Landscape . 26
6.11 SC_RSM: Risk Management . 28
6.12 SC_PHS: Physical Security . 30
6.13 SC_ACC: Access Controls . 31
6.14 SC_ESS: Employee and Supplier Security and Integrity . 34
6.15 SC_BPS: Business Partner Security . 36
6.16 SC_STR: Supply Chain Security Training . 37
6.17 SC_ISS: Information Systems Security . 38
6.18 SC_TTC: Trusted Technology Components . 38
6.19 SC_STH: Secure Transmission and Handling . 40
6.20 SC_OSH: Open Source Handling . 42
6.21 SC_CTM: Counterfeit Mitigation . 44
6.22 SC_MAL: Malware Detection . 46
Annex A ASSESSMENT GUIDANCE . 48
Annex B ASSESSMENT REPORT TEMPLATE . 49
Bibliography . 50
© ISO/IEC 2023 – All rights reserved iii
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed
for the different types of document should be noted (see www.iso.org/directives or
/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had
not received notice of (a) patent(s) which may be required to implement this document. However,
implementers are cautioned that this may not represent the latest information, which may be obtained
from the patent database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall
not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the World
Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html. In the IEC, see /understanding-standards.
This document was prepared by The Open Group [as Open Trusted Technology Provider Standard
(O-TTPS) V1.2, Part 2: Assessment Procedures for the O-TTPS] and drafted in accordance with its
editorial rules. It was adopted, under the JTC 1 PAS procedure, by Joint Technical Committee
ISO/IEC JTC 1, Information technology.
This second edition cancels and replaces the first edition (ISO/IEC 20243-2:2018), which has been
technically revised.
The main changes are as follows:
— Wording has been changed throughout the document, including in introductory materials, attribute
definitions and requirements, as necessary to improve clarity and/or concision.
— The definition of “component” has been clarified to include both hardware and software.
— A definition for “security-critical” has been added.
— PD_DES.01 has become a mandatory requirement.
— PD_CFM.04 has become a mandatory requirement.
— The attribute definition of PD_QAT has been clarified.
— The attribute definition of PD_PSM has been clarified.
iv © ISO/IEC 2023 – All rights reserved
— The SE_VAR requirements have been largely reworked and reorganized, with a new mandatory
requirement being added and several existing requirements becoming mandatory.
— SE_PPR.02 has become a mandatory requirement.
— SE_PPR.04 has become a mandatory requirement.
— SC_RSM.05 has become a mandatory requirement.
— SC_ACC.04 has become a mandatory requirement.
— SC_ESS.02 has become a mandatory requirement.
— SC_ESS.03 has become a mandatory requirement.
— SC_ESS.04 has been completely rewritten and has become a mandatory requirement.
— SC_BPS.02 has become a mandatory requirement.
— The SE_STH requirements have been largely reworked and reorganized, with a new requirement
being added and an existing requirement becoming mandatory.
— SC_CTM.02 has been revised heavily and has become a mandatory requirement.
— SC_MAL.02 has been heavily revised and has become a mandatory requirement.
A list of all parts in the ISO/IEC 20243 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
/national-committees.
© ISO/IEC 2023 – All rights reserved v
Preface
The Open Group
The Open Group is a global consortium that enables the achievement of business objectives through
technology standards. With more than 870 member organizations, we have a diverse membership that
spans all sectors of the technology community – customers, systems and solutions suppliers, tool
vendors, integrators and consultants, as well as academics and researchers.
The mission of The Open Group is to drive the creation of Boundaryless Information Flow™ achieved by:
— Working with customers to capture, understand, and address current and emerging requirements,
establish policies, and share best practices
— Working with suppliers, consortia, and standards bodies to develop consensus and facilitate
interoperability, to evolve and integrate specifications and open source technologies
— Offering a comprehensive set of services to enhance the operational efficiency of consortia
— Developing and operating the industry’s premier certification service and encouraging procurement
of certified products
Further information on The Open Group is available at www.opengroup.org.
The Open Group publishes a wide range of technical documentation, most of which is focused on
development of Standards and Guides, but which also includes white papers, technical studies,
certification and testing documentation, and business titles. Full details and a catalog are available at
www.opengroup.org/library.
This Document
The Open Group Open Trusted Technology Forum (OTTF) is a global initiative that invites industry,
government, and other interested participants to work together to evolve the O-TTPS and other OTTF
deliverables.
This document is Part 2 of the Open Trusted Technology Provider Standard (O-TTPS). It has been
developed by the OTTF and approved by The Open Group, through The Open Group Company Review
process. There are two distinct elements that should be understood with respect to this document: the
O-TTPF (Framework) and the O-TTPS (Standard).
The O-TTPF (Framework): The O-TTPF is an evolving compendium of organizational guidelines and
best practices relating to the integrity of Commercial Off-The-Shelf (COTS) Information and
Communications Technology (ICT) products and the security of the supply chain throughout the entire
product lifecycle.
An early version of the O-TTPF was published as a White Paper in February 2011, revised in November
2015, and has since been updated and published as a Guide in September 2021 (see Referenced
Documents). The O-TTPF serves as the basis for the O-TTPS, future updates, and additional standards.
The
...