ISO/IEC 20243-1:2018

INTERNATIONAL ISO/IEC
STANDARD 20243-1
First edition
2018-02
Information technology — Open
TM
Trusted Technology Provider
Standard (O-TTPS) — Mitigating
maliciously tainted and counterfeit
products —
Part 1:
Requirements and recommendations
Technologies de l'information — Norme de fournisseur de technologie
de confiance ouverte (O-TTPS) — Atténuation des produits contrefaits
et malicieusement contaminés —
Partie 1: Exigences et recommandations
Reference number
©
ISO/IEC 2018
© ISO/IEC 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Published in Switzerland
ii © ISO/IEC 2018 – All rights reserved

Contents
1 Introduction . 1
1.1 Objectives . 1
1.2 Overview . 1
1.3 Conformance . 3
1.4 Terminology . 3
1.5 Future Directions . 4
2 Business Context and Overview . 5
2.1 Business Environment Summary . 5
2.1.1 Operational Scenario . 5
2.2 Business Rationale . 7
2.2.1 Business Drivers . 7
2.2.2 Objectives and Benefits . 8
2.3 Recognizing the COTS ICT Context . 9
2.4 Overview . 10
2.4.1 O-TTPF Framework Overview . 11
2.4.2 Standard Overview . 11
2.4.3 Relationship with Other Standards . 11
3 O-TTPS – Tainted and Counterfeit Risks . 13
4 O-TTPS – Requirements for Addressing the Risks of Tainted and Counterfeit
Products . 15
4.1 Technology Development . 16
4.1.1 PD: Product Development/Engineering Method . 16
4.1.1.1 PD_DES: Software/Firmware/Hardware
Design Process . 16
4.1.1.2 PD_CFM: Configuration Management . 17
4.1.1.3 PD_MPP: Well-defined
Development/Engineering Method Process
and Practices . 17
4.1.1.4 PD_QAT: Quality and Test Management . 17
4.1.1.5 PD_PSM: Product Sustainment Management . 18
4.1.2 SE: Secure Development/Engineering Method . 18
4.1.2.1 SE_TAM: Threat Analysis and Mitigation . 18
4.1.2.2 SE_RTP: Run-time Protection Techniques . 19
4.1.2.3 SE_VAR: Vulnerability Analysis and
Response . 19
4.1.2.4 SE_PPR: Product Patching and Remediation . 20
4.1.2.5 SE_SEP: Secure Engineering Practices . 20
4.1.2.6 SE_MTL: Monitor and Assess the Impact of
Changes in the Threat Landscape . 20
4.2 Supply Chain Security . 21
4.2.1 SC: Supply Chain Security . 21
4.2.1.1 SC_RSM: Risk Management . 21
™
Open Trusted Technology Provider Standard (O-TTPS), Version 1.1 iii
© ISO/IEC 2018– All rights reserved

4.2.1.2 SC_PHS: Physical Security . 22
4.2.1.3 SC_ACC: Access Controls . 22
4.2.1.4 SC_ESS: Employee and Supplier Security
and Integrity . 23
4.2.1.5 SC_BPS: Business Partner Security . 23
4.2.1.6 SC_STR: Supply Chain Security Training . 24
4.2.1.7 SC_ISS: Information Systems Security . 24
4.2.1.8 SC_TTC: Trusted Technology Components . 24
4.2.1.9 SC_STH: Secure Transmission and Handling . 25
4.2.1.10 SC_OSH: Open Source Handling . 25
4.2.1.11 SC_CTM: Counterfeit Mitigation . 26
4.2.1.12 SC_MAL: Malware Detection . 26
List of Tables
Table 1: O-TTPS Constituents and their Roles . 6
Table 2: Threat Mapping . 14
List of Figures
Figure 1: Constituents . 6
Figure 2: Product Life Cycle – Categories and Activities . 15
iv Open Group Standard (2014)
© ISO/IEC 2018– All rights reserved

FOREWORD
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other
international organizations, governmental and non‐governmental, in liaison with ISO and IEC, also
take part in the work. In the field of information technology, ISO and IEC have established a joint
technical committee, ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does
not constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the
following URL: www.iso.org/iso/foreword.html.
This document was prepared by The Open Group and was adopted, under the PAS procedure, by
Joint Technical Committee ISO/IEC JTC 1, Information technology, in parallel with its approval by
national bodies of ISO and IEC.
This first edition of ISO/IEC 20243‐1 cancels and replaces ISO/IEC 20243:2015 of which it
constitutes a minor revision to change the reference number from 20243 to 20243‐1.
A list of all parts in the ISO 20243 series can be found on the ISO website.
© ISO/IEC 2018 – All rights reserved v

Preface
The Open Group
The Open Group is a global consortium that enables the achievement of business objectives
through IT standards. With more than 400 member organizations, The Open Group has a diverse
membership that spans all sectors of the IT community – customers, systems and solutions
suppliers, tool vendors, integrators, and consultants, as well as academics and researchers – to:
 Capture, understand, and address current and emerging requirements, and establish
policies and share best practices
 Facilitate interoperability, develop consensus, and evolve and integrate specifications and
open source technologies
 Offer a comprehensive set of services to enhance the operational efficiency of consortia
Further information on The Open Group is available at www.opengroup.org.
The Open Group publishes a wide range of technical documentation, most of which is focused on
development of Open Group Standards and Guides, but which also includes white papers,
technical studies, certification and testing documentation, and business titles. Full details and a
catalog are available at www.opengroup.org/bookstore.
Readers should note that updates – in the form of Corrigenda – may apply to any publication. This
information is published at www.opengroup.org/corrigenda.
This Document
The Open Group Trusted Technology Forum (OTTF or Forum) is a global initiative that invites
industry, government, and other interested participants to work together to evolve this Standard
and other OTTF deliverables.
This Standard is the Open Trusted Technology Provider Standard (O-TTPS). The Standard has
been developed by the OTTF and approved by The Open Group, through The Open Group
Company Review process. There are two distinct elements that should be understood with respect
to this Standard: The O-TTPF (Framework) and the O-TTPS (Standard).
The O-TTPF (Framework): The Framework is an evolving compendium of organizational
guidelines and best practices relating to the integrity of Commercial Off-the-Shelf (COTS)
Information and Communication Technology (ICT) products and the security of the supply chain
throughout the entire product life cycle. An early version of the Framework was published as a
White Paper in February 2011 (see Referenced Documents). The Framework serves as the basis
for this Standard, future updates, and additional standards. The content of the Framework is the
result of industry collaboration and research as to those commonly used commercially reasonable
practices that increase product integrity and supply chain security. The members of the OTTF will
continue to collaborate with industry and governments and update the Framework as the threat
landscape changes and industry practices evolve.
vi Open Group Standard (2014)
© ISO/IEC 2018– All rights reserved

The O-TTPS (Standard): The O-TTPS is an open standard containing a set of guidelines that
when properly adhered to have been shown to enhance the security of the global supply chain and
the integrity of COTS ICT products. This part 1 of the Standard provides a set of guidelines,
requirements, and recommendations that help assure against maliciously tainted and counterfeit
products throughout the COTS ICT product life cycle encompassing the following phases: design,
sourcing, build, fulfillment, distribution, sustainment, and disposal.
Part 2 of the O-TTPS Standard, Assessment Procedures for the O-TTPS and ISO/IEC 20243,,
provides assessment procedures that may be used to demonstrate conformance with the
requirements provided in Section 4 of this part of the Standard.
Using the guidelines documented in the Framework as a basis, the OTTF is taking a phased
approach and staging O-TTPS releases over time. This staging will consist of standards that focus
on mitigating specific COTS ICT risks from emerging threats. As threats change or market needs
evolve, the OTTF intends to update the O-TTPS (Standard) by releasing addenda to address
specific threats or market needs.
The Standard is aimed at enhancing the integrity of COTS ICT products and helping customers to
manage sourcing risk. The authors of this Standard recognize the value that it can bring to
governments and commercial customers worldwide, particularly those who adopt procurement
and sourcing strategies that reward those vendors who follow the O-TTPS best practice
requirements and recommendations.
Note: Any reference to “providers” is intended to refer to COTS ICT providers. The use of the
word “component” is intended to refer to either hardware or software components.
Intended Audience
This Standard is intended for organizations interested in helping the industry evolve to meet the
threats in the delivery of trustworthy COTS ICT products. It is intended to provide enough context
and information on business drivers to enable its audience to understand the value in adopting the
guidelines, requirements, and recommendations specified within. It also allows providers,
suppliers, and integrators to begin planning how to implement the Standard in their organizations.
Additionally, acquirers and customers can begin recommending the adoption of the Standard to
their providers and integrators.
™
Open Trusted Technology Provider Standard (O-TTPS), Version 1.1 vii
© ISO/IEC 2018– All rights reserved
...