The Open Group Open Trusted Technology Forum (OTTF) is pleased to announce the publication of Version 1.2 of the Open Trusted Technology Provider™ Standard (O-TTPS). The movement from Version 1.1.1 to Version 1.2 represents a deliberate review of the O-TTPS to ensure the requirements in it remain up to date and reflect learnings from industry and government.
The Open Group announced the formation of the OTTF in late 2010 as a global standards initiative that would provide a collaborative, open environment for technology companies, customers, government, and supplier organizations to create and promote guidelines for manufacturing, sourcing, and integrating trusted, secure technologies. This public-private partnership led to the creation of the O-TTPS, which was originally published in 2013. In 2015, the O-TTPS was approved by ISO/IEC 20243:2015, and in 2018, the OTTF updated the O-TTPS to Version 1.1.1, which became equivalent to ISO/IEC 20243:2018.
O-TTPS Certification has been embraced by organizations including Seagate Technology and IBM as well as the NASA SEWP (Solutions for Enterprise-Wide Procurement) GWAC (Government-Wide Acquisition Contract), which maintains an ISO 20243 webpage identifying all SEWP contract holders that have an O-TTPS certification. The Open Group maintains the full O-TTPS Certification Register.
In updating the O-TTPS to Version 1.2, the OTTF considered every single requirement present in the O-TTPS and debated whether any changes were required. In multiple instances, this resulted in recommendations becoming mandatory requirements. The OTTF also identified several requirements that were separated into multiple, more-detailed requirements.
The OTTF worked with organizations that have earned an O-TTPS certification to ensure the changes implemented are practicable and effective at enhancing an organization’s supply chain security and with O-TTPS Recognized Assessors and The Open Group Certification Authority to ensure changes to the Standards can be effectively incorporated in the O-TTPS Certification program and assessments.
At time of publishing the O-TTPS Version 1.2, the O-TTPS Certification Program has not yet been updated to support the new standard, but this work is ongoing. The OTTF and The Open Group Certification Authority will continue to work together on these updates and will ensure implications are clearly communicated both for new certifications and for organizations completing re-certification. They have also prepared answers to a few anticipated questions regarding updates to the O-TTPS and implications for the O-TTPS Certification Program.
What is the difference between Version 1.1.1 and Version 1.2 of the O-TTPS?
- The O-TTPS Version 1.2, a standard of The Open Group, represents a minor update to the Standards to reflect the experience of organizations that have earned a certification and evolution of industry best practices. Several requirements were clarified in the update, and multiple requirements that were previously recommendations became mandatory, following a comprehensive review of every requirement by the OTTF
What are the enhancements contained in Version 1.2?
- Version 1.2 contains minor clarifications, refinements, and improvements to the existing requirements and the addition of several new requirements. This ensures that the Standards incorporate current best practices for providers of COTS ICT to mitigate the risk of maliciously tainted and counterfeit products, meaning that organizations certifying against Version 1.2 can implement state-of-the-art practices to stay ahead of adversaries. In addition, Part 2 of the O-TTPS includes new and refined examples of evidence that organizations can use while preparing for certification
What are the implications for organizations currently certified against Version 1.1.1?
- Organizations currently certified against Version 1.1.1 of the O-TTPS do not need to re-certify immediately against Version 1.2; their current certification will remain valid throughout their current certification period, as specified in the O-TTPS Certification Policy
- When re-certifying, the organization must conform to the latest published version of the O-TTPS at the time of application for re-certification, or if this version was recently published, the organization may instead demonstrate conformance to the version of the O-TTPS in effect six (6) months prior to the re-certification date
- At the time of re-certification, if the O-TTPS Certification Program is not yet aligned to Version 1.2 of the O-TTPS, organizations will complete re-certification against Version 1.1.1
How will I know when the O-TTPS Certification Program is ready to receive applications to complete (re-)certification against Version 1.2?
- The Certification Authority will release a statement announcing when new submissions against Version 1.2 will be accepted
- The Certification Authority will inform organizations currently certified against Version 1.1.1 of the timeline for completing re-certification and when/whether they will be required to complete re-certification against Version 1.2
Am I able to complete (re-)certification against Version 1.2 even if I do not need to?
- Yes, as soon as certification is available for Version 1.2, organizations may certify or re-certify to this version (and will be required to six months after the availability of Version 1.2 certification), to demonstrate that they have adopted the most current industry best practices
Does the existence of Version 1.2 discredit Version 1.1.1?
- No, Version 1.2 does not discredit certifications completed against Version 1.1.1; these certifications remain valid and credible until the certification expiry date
The OTTF will be hosting a Supply Chain Security Roundtable Event on Nov. 1 and 2 in conjunction with The Open Group Houston Summit, which is Oct. 30 – Nov. 2 in Houston, Texas. The Supply Chain Security Roundtable Event will focus on identifying further areas for enhancing the O-TTPS. For more details, please contact The Open Group Security and OTTF Forum Director John Linford at j.linford@opengroup.org.
Author: John Linford, Forum Director, The Open Group, Security & Open Trusted Technology (OTTF)
