The Open Group and the Executive Order on Improving the Nation’s Cybersecurity

John Linford, Security & OTTF Forum Director, The Open Group

Jim Hietala, VP, Business Development & Security, The Open Group

Andras Szakal, VP & CTO, The Open Group

On May 12, 2021, President Joe Biden issued the Executive Order on Improving the Nation’s Cybersecurity. This EO enumerates that “…the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.” The EO contains a significant level of detail regarding areas of improvement for federal IT systems, as well as policy responses to be implemented by the government in support of greater security for private and public IT systems. The EO mentions in some detail the shift to zero trust security as a part of what is needed to combat cyber threats, as well as increased reliance on enhanced supply chain security.

Zero trust security architecture has gained traction amongst large IT users as the optimal way to architect IT networks to combat today’s threat and to future-proof against new and emerging threats.

Supply chain security has advanced in importance among IT security initiatives as very large-scale, high impact attacks on IT hardware and software supply chains have transitioned from “possible threats” to actual attacks, such as the SolariGate attack earlier this year, which affected many large organizations.

Fortunately, The Open Group has two Forums actively devoted to enhancing and improving both cybersecurity and supply chain security: the Security Forum and the Open Trusted Technology Forum (OTTF).

The Security Forum is one of the longest-standing Forums of The Open Group, and the Open Trusted Technology Forum represents active collaboration between the private and public sectors. These Forums already have existing standards and supplementary materials to address multiple points of the recent EO and have active work streams focused on addressing additional topics raised within the EO.

The Open Trusted Technology Provider™ Standard (O-TTPS)

The Open Trusted Technology Provider™ Standard (O-TTPS) (also known as ISO/IEC 20243), maintained by the OTTF, is an international standard that provides a set of guidelines, recommendations and requirements that help assure against maliciously tainted and counterfeit products throughout commercial off-the-shelf (COTS) information and communication technology (ICT) product lifecycles.

The standard includes best practices throughout all phases of a product’s life cycle: design, sourcing, build, fulfillment, distribution, sustainment, and disposal, thus enhancing the integrity of COTS ICT products and the security of their global supply chains.

The O-TTPS differs from traditional cyber security standards in that it focuses on verification of the procedures used within the organization to maintain security and integrity of the supply chain, rather than on testing of individual products or systems. The O-TTPS certification program is one of the first of its kind in providing certification for conforming to standards for product integrity coupled with supply chain security.

Organizations adhering to the O-TTPS focus on consistently and continuously following the best practices and products they detail in the certification process, ensuring that ICT providers identify and mitigate security risks throughout the development, sourcing, and maintenance of COTS ICT products. In turn, this means acquirers can consider a provider’s adherence to the O-TTPS as one element of their own comprehensive commercial technology procurement and risk management strategy.

The OTTF is currently in the process of updating the O-TTPS to enhance the standard for the current needs of industry while ensuring that already-certified organizations do not need to undergo costly adjustments to meet new or dramatically altered requirements.

Quantitative Risk Analysis

For far too many years, cyber risk analysis has been qualitative in nature, making it impossible to consistently discuss and manage cybersecurity risk. Fortunately, the Open FAIR™ standard and certification program of The Open Group, maintained by the Security Forum, provides a ready and widely accepted way to define, discuss, and analyze cyber risk.

The Open FAIR Body of Knowledge includes both The Open Group Risk Taxonomy Standard and The Open Group Risk Analysis Standard, providing risk analysts with a framework, taxonomy, and analysis process that ensures they can consistently discuss cyber risk and provide decision-makers with valuable and defensible information for managing it. After all, “You can’t effectively and consistently manage what you can’t measure, and you can’t measure what you haven’t defined.” Open FAIR provides both the consistent definitions and the consistent measurement method.

Open FAIR measures cyber risk in economic terms, meaning that losses are estimated in units of currency per time period. This allows organizations to effectively consider the best approaches for defending against or mitigating the impact of cyber risks – they can compare solutions and determine the most cost-effective way to adequately reduce identified risk.

The Security Forum recently published new versions of the Open FAIR standards and is now actively working to update the certification program to incorporate these changes.

There are also many supplementary publications that both new and experienced risk analysts can use to understand Open FAIR and how Open FAIR fits within other risk assessment frameworks.

Zero Trust Architecture

Formally hosted by the Security Forum but in collaboration with The Open Group Architecture Forum, the Zero Trust Architecture (ZTA) Working Group is focused on creating an ecosystem of interested end-user and vendor organizations, publishing vendor- and technology-neutral standards, and creating business guidance for industry participants.

The overarching nature of Zero Trust has resulted in its key drivers being on both the end user side and the supply side, and an overwhelming interest in Zero Trust coupled with a lack of clarity on what it means, standards around it, and how it should be approached.

Zero Trust reflects a transition from the traditional approach of perimeter-based security to a security operating model that is business-enabling and data-centric. However, traditional, perimeter-based approaches are unable to support the requirements of the Digital Age, including drivers such as modern rates of change, the transition to cloud environments, and the disruption brought about by Digital Evolution.

The ZTA Working Group has already published its first document: the Zero Trust Core Principles White Paper. This document describes the key aspects of Zero Trust, including providing industry standard definitions for both Zero Trust and ZTAs and explaining the key drivers, requirements, and capabilities behind implementing Zero Trust. The document also defines an initial set of Zero Trust Core Principles, leveraging previous work by the Jericho Forum™ to influence their content and structure.

The ZTA Working Group is now actively working on its Zero Trust Landscape Guide. This document will contain the results of an annual industry survey for end users (CISOs, Chief Security Architectures, etc.), and product/offering vendors/owners. The survey results will be complemented by research from the ZTA Working Group, incorporating the views of analysts, academia, and other standards organizations. The ZTA Working Group intends to update this document annually, allowing for analysis of longitudinal changes in perspectives and understanding.

Moreover, work has also already begun on an initial, conceptual Zero Trust Reference Model. The Reference Model will be a higher-level document focused more on strategic direction and conceptual guidance and will allow for reference implementations to be contributed. These reference implementations will aid in the creation of the Zero Trust Reference Architecture.

This project will utilize The Open Group Snapshot process, publishing regular updates as progress is made and soliciting input from both Members and non-Members of The Open Group to ensure the Zero Trust Reference Model and eventual Zero Trust Reference Architecture meet industry requirements and desires.

This project will also aim to develop complementary documents in order to aid those implementing Zero Trust. Among these are a Business Guide, which will be intended for senior and C-level executives and enterprise architects, that explains what Zero Trust is, its impact on business, and the reasoning for implementing it, as well as a Practitioners Guide, which will be intended for those implementing Zero Trust, that provides a process framework and develops an ontology for Zero Trust.

The Open Group is pleased that cybersecurity is being taken seriously by the current administration, and we fully support the goals and direction of the Executive Order. We hope that our work on zero trust security can help to inform both the public sector and private organizations as to best practices for deploying zero trust. In the area of supply chain security, our Open Trusted Technology Provider Standard and Certification Program is available and fit for purpose as a means to immediately “raise the floor” on this important area of cybersecurity and to improve the cybersecurity posture of public and private IT organizations both in the US and around the world in the short term.