|
INTERNATIONAL ISO/IEC
STANDARD 20243-1
Second edition
2023-11
Information technology — Open
TM
Trusted Technology Provider
Standard (O-TTPS) —
Part 1:
Requirements and recommendations
for mitigating maliciously tainted and
counterfeit products
Reference number
© ISO/IEC 2023
© ISO/IEC 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: [email protected]
Website: www.iso.org
Published in Switzerland
ii
© ISO/IEC 2023 – All rights reserved
Contents Page
Foreword . iv
Preface . vi
Trademarks . viii
Introduction . ix
1 Scope . 1
1.1 Conformance . 2
1.2 Future Directions . 2
2 Normative references . 2
3 Terms and definitions . 2
4 Business Context and Overview. 9
4.1 Business Environment Summary . 9
4.1.1 Operational Scenario . 9
4.2 Business Rationale . 11
4.2.1 Business Drivers . 11
4.2.2 Objectives and Benefits . 12
4.3 Recognizing the COTS ICT Context . 13
4.4 Overview . 14
4.4.1 O-TTPF Overview . 14
4.4.2 O-TTPS Overview . 15
4.4.3 Relationship with Other Standards . 15
5 O-TTPS – Tainted and Counterfeit Risks . 16
6 O-TTPS – Requirements for Addressing the Risks of Tainted and Counterfeit Products . 17
6.1 Technology Development . 18
6.1.1 PD: Product Development/Engineering Method . 19
6.1.2 SE: Secure Development/Engineering Method . 21
6.2 Supply Chain Security . 24
6.2.1 SC: Supply Chain Security Method . 24
Bibliography . 31
© ISO/IEC 2023 – All rights reserved iii
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed
for the different types of document should be noted (see www.iso.org/directives or
/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had
not received notice of (a) patent(s) which may be required to implement this document. However,
implementers are cautioned that this may not represent the latest information, which may be obtained
from the patent database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall
not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the World
Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html. In the IEC, see /understanding-standards.
This document was prepared by The Open Group [as Open Trusted Technology Provider Standard
(O-TTPS) V1.2, Part 1: Requirements and Recommendations] and drafted in accordance with its editorial
rules. It was adopted, under the JTC 1 PAS procedure, by Joint Technical Committee ISO/IEC JTC 1,
Information technology.
This second edition cancels and replaces the first edition (ISO/IEC 20243-1:2018), which has been
technically revised.
The main changes are as follows:
— Wording was changed throughout the document, including in beginning materials, attribute
definitions and requirements, as necessary to improve clarity and/or concision.
— The definition of “component” has been clarified to include both hardware and software.
— A definition for “security-critical” has been added.
— PD_DES.01 has become a mandatory requirement.
— PD_CFM.04 has become a mandatory requirement.
— The attribute definition of PD_QAT has been clarified.
— The attribute definition of PD_PSM has been clarified.
iv © ISO/IEC 2023 – All rights reserved
— The SE_VAR requirements have been largely reworked and reorganized, with a new mandatory
requirement being added and several existing requirements becoming mandatory.
— SE_PPR.02 has become a mandatory requirement.
— SE_PPR.04 has become a mandatory requirement.
— SC_RSM.05 has become a mandatory requirement.
— SC_ACC.04 has become a mandatory requirement.
— SC_ESS.02 has become a mandatory requirement.
— SC_ESS.03 has become a mandatory requirement.
— SC_ESS.04 has been completely rewritten and has become a mandatory requirement.
— SC_BPS.02 has become a mandatory requirement.
— The SE_STH requirements have been largely reworked and reorganized, with a new requirement
being added and an existing requirement becoming mandatory.
— SC_CTM.02 has been heavily revised and has become a mandatory requirement.
— SC_MAL.02 has been heavily revised and has become a mandatory requirement
A list of all parts in the ISO/IEC 20243 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
/national-committees.
© ISO/IEC 2023 – All rights reserved v
Preface
The Open Group
The Open Group is a global consortium that enables the achievement of business objectives through
technology standards. With more than 870 member organizations, we have a diverse membership that
spans all sectors of the technology community – customers, systems and solutions suppliers, tool
vendors, integrators and consultants, as well as academics and researchers.
The mission of The Open Group is to drive the creation of Boundaryless Information Flow™ achieved by:
— Working with customers to capture, understand, and address current and emerging requirements,
establish policies, and share best practices
— Working with suppliers, consortia, and standards bodies to develop consensus and facilitate
interoperability, to evolve and integrate specifications and open source technologies
— Offering a comprehensive set of services to enhance the operational efficiency of consortia
— Developing and operating the industry’s premier certification service and encouraging procurement
of certified products
Further information on The Open Group is available at www.opengroup.org.
The Open Group publishes a wide range of technical documentation, most of which is focused on
development of Standards and Guides, but which also includes white papers, technical studies,
certification and testing documentation, and business titles. Full details and a catalog are available at
www.opengroup.org/library.
This Document
The Open Group Open Trusted Technology Forum (OTTF) is a global initiative that invites industry,
government, and other interested participants to work together to evolve the O-TTPS and other OTTF
deliverables.
This document is Part 1 of the Open Trusted Technology Provider Standard (O-TTPS). It has been
developed by the OTTF and approved by The Open Group, through The Open Group Company Review
process. There are two distinct elements that should be understood with respect to this document: the
O-TTPF (Framework) and the O-TTPS (Standard).
The O-TTPF (Framework): The O-TTPF is an evolving compendium of organizational guidelines and
best practices relating to the integrity of Commercial Off-The-Shelf (COTS) Information and
Communications Technology (ICT) products and the security of the supply chain throughout the entire
product lifecycle.
An early version of the O-TTPF was published as a White Paper in February 2011, revised in November
2015, and has since been updated and published as a Guide in September 2021. The O-TTPF serves as the
basis for the O-TTPS, future updates, and additional standards. The content of the O-TTPF is the result of
industry collaboration and research as to those commonly used commercially reasonable practices that
increase product integrity and supply chain security. The members of the OTTF will continue to
collaborate with industry and governments and update the O-TTPF as the threat landscape changes and
industry practices evolve.
vi © ISO/IEC 2023 – All rights reserved
The O-TTPS (Standard): The O-TTPS is an open standard containing a set of guidelines that when
properly adhered to have been shown to enhance the security of the global supply chain and the integrity
of COTS ICT products. Part 1 of the O-TTPS (this document) provides a set of guidelines, requirements,
and recommendations that help assure against maliciously tainted and counterfeit products throughout
the COTS ICT product lifecycle encompassing the following phases: design, sourcing, build, fulfillment,
distribution, sustainment, and disposal.
The O-TTPS, Part 2: Assessment Procedures for the O-TTPS provides assessment procedures that may be
used to demonstrate conformance with the requirements provided in Clause 6 of this document.
Using the guidelines documented in the O-TTPF as a basis, the OTTF is taking a phased approach and
staging O-TTPS releases over time. This staging will consist of standards that focus on mitigating specific
COTS ICT risks from emerging threats. As threats change or market needs evolve, the OTTF intends to
update the O-TTPS by releasing addenda to address specific threats or market needs.
The O-TTPS is aimed at enhancing the integrity of COTS ICT products and helping customers to manage
sourcing risk. The authors recognize the value that it can bring to governments and commercial
customers worldwide, particularly those who adopt procurement and sourcing strategies that reward
those vendor
...