ISO/IEC 20243-1

Information technology — Open Trusted Technology Provider Standard (O-TTPS) — Part 1: Requirements and recommendations for mitigating maliciously tainted and counterfeit products

active, Most Current
Organization: ISO
Publication Date: 1 November 2023
Status: active
Page Count: 42
ICS Code (Protection against crime): 13.310
ICS Code (IT Security): 35.030
Scope:

This document is focused on the security of the supply chain versus the business management aspects of the supply chain. This document takes a comprehensive view about what providers should do in order to be considered a Trusted Technology Provider that "builds with integrity". This includes practices that providers incorporate in their own internal product lifecycle processes, that portion of product development that is "in-house" and over which they have more direct operational control. Additionally, it includes the provider's supply chain security practices that need to be followed when incorporating third-party hardware or software components, or when depending on external manufacturing and delivery or supportive services.

The document makes a distinction between provider and supplier. Suppliers are those upstream vendors who supply components or solutions (software or hardware) to providers or integrators. Providers are those vendors who supply COTS ICT products directly to the downstream integrator or acquirer.

The guidelines, requirements, and recommendations included in this document should be widely adopted by providers and their suppliers regardless of size and will provide benefits throughout the industry.

For this version of the O-TTPS, the following elements are considered out of scope:

- This document does not focus on guidelines, requirements, and recommendations for the acquirer; the OTTF is considering addressing this area in a separate, complementary publication, such as a Guide.

In the meantime, an acquirer does have a role to play in assuring that the products and components they procure are built with integrity. One of the ways that the acquirer can do that is to require their providers, suppliers, and integrators to be Trusted Technology Providers. Another way is to not knowingly support the "grey market", realizing that if an acquirer elects to receive hardware or software support from grey market suppliers, it is at their own risk and generally outside of the influence of the legitimate provider.

This document is not meant to be comprehensive as to all practices that a provider should follow when building software or hardware; for a more comprehensive set of foundational best practices that a provider could implement to produce good quality products, readers can refer to the O-TTPF Guide.

- This version does not apply to the operation or hosting infrastructure of online services, but it can apply to COTS ICT products in as far as they are utilized by those services.

This document complements existing standards covering product security functionality and product information assurance, such as ISO/IEC 15408 (Common Criteria).

Conformance

The Open Group has developed and maintains conformance criteria, assessment procedures, and a Certification Policy and Program for the O-TTPS as a useful tool for all constituents with an interest in supply chain security.

The conformance requirements and assessment procedures are available in the O-TTPS, Part 2: Assessment Procedures for the O-TTPS.

Certification provides formal recognition of conformance to the O-TTPS, which allows:

- Providers and practitioners to make and substantiate clear claims of conformance to the O-TTPS

- Acquirers to specify and successfully procure from providers who conform to the O-TTPS

Future Directions

The OTTF intends to address possible additional threats and risks with best practice requirements and recommendations in a future version.

The OTTF intends to offer additional guidance for different classes of Trusted Technology Providers seeking certification against this document.

Document History

ISO/IEC 20243-1
November 1, 2023
Information technology — Open Trusted Technology Provider Standard (O-TTPS) — Part 1: Requirements and recommendations for mitigating maliciously tainted and counterfeit products
This document is focused on the security of the supply chain versus the business management aspects of the supply chain. This document takes a comprehensive view about what providers should do in...
February 1, 2018
Information Technology - Open Trusted Technology Provider™ Standard (O-TTPS) - Mitigating maliciously tainted and counterfeit products - Part 1: Requirements and recommendations
Introduction This chapter introduces this part of the Standard – the Open Trusted Technology Provider Standard (O-TTPS) – and the normative terminology that should be understood in relation to...