By David Lounsbury, The Open Group
On Tuesday, March 27, I had the honor of testifying on behalf of The Open Group Trusted Technology Forum to the House Energy and Commerce Oversight and Investigations Subcommittee at their congressional hearing on IT supply chain security. The hearing focused on these major supply chain issues:
- The key risks associated with supply chains used by federal agencies to procure IT equipment, software or services
- The extent to which selected national security-related agencies have addressed IT supply chain risks
- The extent to which national security-related federal agencies have determined that their telecommunications networks contain foreign-developed equipment, software or services
- The extent to which private industry has addressed IT supply chain risks
This was the first time that an Open Group employee has testified in front of Congress, and the invitation was a testament to The Open Group’s work as a vendor-neutral certification authority business for over 20 years as well as the traction that The Open Group Trusted Technology Forum (OTTF) has made over the past year.
- That this problem is both widespread and critical – both government agencies and many private companies are struggling to address global supply chain vulnerabilities
- There is a clear need for collaboration and standards, as well as a need to bring transparency on conformance to such standards at all links in the supply chain.
- The most critical issues are tainted code / malware and counterfeit products in the supply chain – exactly the focus areas of OTTF
We launched OTTF in December 2010 with the objective of reducing risks to IT products that can be introduced through vulnerable supply chain and development processes. Our goal has been to help the technology industry build with integrity and enable customer organizations and governments to buy with confidence. We have worked closely with the U.S. government throughout the process of developing the Open Trusted Technology Provider Standard (O-TTPS). The U.S. Department of Defense (DoD) was a founding member of the forum, and the impetus for the forum came out of a collaborative initiative between the DoD and industry verticals looking into cybersecurity for acquisitions. I was very gratified that the DoD witness singled out The Open Group’s efforts on OTTF and highlighted their participation in the forum.
Recognizing that a secure global supply chain is important to all governments, one of OTTF's main objectives is to reach out to other governments around the world in much the same way it has with the U.S. To that end, forum members plan to extend an invitation to participate in the development of the standard and planned accreditation program for trusted technology providers, which will include governments, providers, integrators and component suppliers from around the world. To preview OTTF's work, you can download the current draft of the Open Trusted Technology Provider Standard (Snapshot).
The subcommittee already had a strong background on OTTF's mission and its current initiatives and was very interested to hear what global procurement strategies and best practices OTTF is planning to include in the O-TTPS and how these best practices could be applied within the U.S. government to ensure the security of the supply chain both nationally and globally. The subcommittee noted The Open Group's previous work with international standards bodies such as the International Organization for Standardization (ISO) as encouraging, illustrating that the global supply chain is taking a step in the right direction under the stewardship of The Open Group.
Overall, the hearing was very positive, and the whole experience validated the work that OTTF has produced thus far. We anticipate that the standard will have a significant impact on how organizations procure large commercial off-the-shelf information and communication technology over the next few years across the global supply chain and are excited to see governments take an active interest in securing the global supply chain.