Industry Moves to Fill Gap for Building Trusted Supply Chain Technology Accreditation
Transcript of a BriefingsDirect podcast from The Open Group Conference on The Open Group
Trusted Technology Forum and setting standards for security and reliability.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Sponsor: The Open Group


Dana Gardner: Hi. This is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're
listening to BriefingsDirect.

Today, we present a sponsored podcast discussion in conjunction with The Open Group Conference in Austin, Texas, the week of July 18, 2011.

We've assembled a distinguished panel to update us on The Open Group Trusted Technology Forum, also known as the OTTF, and an accreditation process to help technology acquirers and buyers safely conduct global procurement and supply chain commerce. [Disclosure: The Open Group is a Sponsor of BriefingsDirect podcasts.]

We'll examine how the security risk for many companies and organizations has only grown, even
as these companies form essential partnerships and integral supplier relationships. So, how can
all the players in a technology ecosystem gain assurances that the other participants are adhering
to best practices and taking the proper precautions?

Here to help us better understand how established standard best practices and an associated
accreditation approach can help make supply chains stronger and safer is our panel.

We're here with Dave Lounsbury, the Chief Technical Officer at The Open Group. Welcome
back, Dave.

Dave Lounsbury: Hello Dana. How are you?

Gardner: Great. We are also here with Steve Lipner, Senior Director of Security Engineering
Strategy in the Trustworthy Computing Security at Microsoft. Welcome back, Steve.

Steve Lipner: Hi, Dana. Glad to be here.

Gardner: We're here also with Joshua Brickman, Director of the Federal Certification Program
Office at CA Technologies. Welcome, Joshua.

Joshua Brickman: Thanks for having me.

Gardner: And, we're here too with Andras Szakal. He's the Vice President and CTO of IBM’s
Federal Software Group. Welcome back, Andras.

Andras Szakal: Thank you very much, Dana. I appreciate it.

Gardner: Dave, let's start with you. We've heard so much lately about "hacktivism," break-ins,
and people being compromised. These are some very prominent big companies, both public and
private. How important is it that we start to engage more with things like the OTTF?


No backup plan

Lounsbury: Dana, a great quote coming out of this week's conference was that we have moved the entire world's economy to being dependent on the Internet, without a backup plan. Anyone who looks at the world economy will see, not only are we dependent on it for exchange of value in many cases, but even information about how our daily lives are run, traffic, health information, and things like that.

It's becoming increasingly vitally important that we understand all the aspects of what it means to have trust in the chain of components that deliver that connectivity to us, not just as technologists, but as people who live in the world.

Gardner: Steve Lipner, your thoughts on how this problem seems to be only getting worse?

Lipner: Well, the attackers are becoming more determined and more visible across the Internet
ecosystem. Vendors have stepped up to improve the security of their product offerings, but
customers are concerned. A lot of what we're doing in The Open Group and in the OTTF is about
trying to give them additional confidence of what vendors are doing, as well as inform vendors
what they should be doing.

Gardner: Joshua Brickman, this is obviously a big topic and a very large and complex area.
From your perspective, what is it that the OTTF is good at? What is it focused on? What should
we be looking to it for in terms of benefit in this overall security issue?

Brickman: One of the things that I really like about this group is that you have all of the leaders,
everybody who is important in this space, working together with one common goal.

Today, we had a discussion where one of the things we were thinking about is, whether there's a 100 percent fail-safe solution to cyber? And there really isn't. There is just a bar that you can set, and the question is how much do you want to make the attackers spend, before they can get over that bar? What we're going to try to do is establish that level, and working together, I feel very encouraged that we are getting there, so far.

Gardner: Andras, we are not just trying to set the bar, but we're also trying to enforce, or at least
have clarity into, what other players in an ecosystem are doing. So that accreditation process
seems to be essential.

Szakal: We're going to develop a standard, or are in the process of developing a specification and ultimately an accreditation program, that will validate suppliers and providers against that standard.

It's focused on building trust into a technology provider organization through this accreditation program, facilitated through either one of several different delivery mechanisms that we are working on. We're looking for this to become a global program, with global partners, as we move forward.

Gardner: It seems as if almost anyone is a potential target, and when someone decides to target you, you do seem to suffer. We've seen things with Booz Allen, RSA, and consumer organizations like Sony. Is this something that almost everyone needs to be more focused on? Are we at the point now where there is no such thing as turning back, Dave Lounsbury?


Global effort


Lounsbury: I think there is, and we have talked about this before. Any electronic or information system now is really built on components and software that are delivered from all around the globe. We have software that's developed in one continent, hardware that's developed in another, integrated in a third, and used globally.

So, we really do need to have the kinds of global standards and engagement that Andras has referred to, so that there is that one bar for all to clear in order to be considered as a provider of trusted components.

Gardner: As we've seen, there is a weak link in any chain, and the hackers or the cyber
criminals or the state sponsored organizations will look for those weak links. That’s really where
we need to focus.

Lounsbury: I would agree with that. In fact, some of the other outcomes of this week’s
conference have been the change in these attacks, from just nuisance attacks, to ones that are
focused on monetization of cyber crimes and exfiltration of data. So the spectrum of threats is
increasing a lot. More sophisticated attackers are looking for narrower and narrower attack
vectors each time. So we really do need to look across the spectrum of how this IT technology
gets produced in order to address it.

Gardner: Steve Lipner, it certainly seems that the technology supply chain is essential. If there
is weakness there, then it's difficult for the people who deploy those technologies to cover their
bases. It seems that focusing on the technology providers, the ecosystems that support them, is a
really necessary first step to taking this to a larger, either public or private, buyer side value.

Lipner: The tagline we have used for The Open Group TTF is "Build with Integrity, Buy with Confidence." We certainly understand that customers want to have confidence in the hardware and software of the IT products that they buy. We believe that it's up to the suppliers, working together with other members of the IT community, to identify best practices and then articulate them, so that organizations up and down the supply chain will know what they ought to be doing to ensure that customer confidence.

Gardner: Let's take a step back and get a little bit of a sense of where this process that you are all involved with is. I know you're all on working groups and in other ways involved in moving this forward, but it's been about six months now since The OTTF was developed initially, and there was a white paper to explain that.

Perhaps one of you will volunteer to give us a sense of the state of affairs, where things are. Then, we'd also like to hear an update about what's been going on here in Austin. Anyone?

Szakal: Well, as the chair, I have the responsibility of keeping track of our milestones, so I'll take
that one.

We completed the white paper earlier this year, in the first quarter. The white paper was visionary in nature, and it was obviously designed to help our constituents understand the goals of the OTTF.

However, in order to actually make this a normative specification and design a program, around
which you would have conformance and be able to measure suppliers’ conformity to that
specification, we have to develop a specification with normative language.


First draft

We're finishing that up as we speak and we are going to have a first draft here within the next
month. We're looking to have that entire specification go through company review in the fourth
quarter of this year.

Simultaneously, we'll be working on the accreditation policy and conformance criteria and evidence requirements necessary to actually have an accreditation program, while continuing to liaise with other evaluation schemes that are interested in partnering with us. In a global international environment, that's very important, because there exists more than one of these regimes that we will have to coexist and partner with.

Over the next year, we'll have completed the accreditation program and have begun testing of the
process, probably having to make some adjustments along the way. We're looking at sometime
within the first half of 2012 for having a completed program to begin ramping up.

Gardner: Is there an update on the public sector's, or in the U.S., the federal government's, role
in this? Are they active? Are they leading? How would you characterize the public role or where
you would like to see that go?

Szakal: The forum itself continues to liaise with the government and all of our constituents. As
you know, we have several government members that are part of the TTF and they are just as
important as any of the other members. We continue to provide updates to many of the governments that we are working with globally to ensure they understand the goals of the TTF and how they can provide value synergistically with what we are doing, as we would to them.

Gardner: I'll throw this back out to the panel. How about the activities this week at the conference? What progress or insights can you point to from that?

Brickman: We've been meeting for the first couple of days and we have made tremendous
progress on wrapping up our framework and getting it ready for the first review.

We've also been meeting with several government officials. I can’t say who they are, but what’s
been good about it is that they're very positive on the work that we're doing, they support what
we are doing and want to continue this discussion.

It’s very much a partnership, and we do feel like it’s not just an industry-led project, where we
have participation from folks who could very much be the consumers of this initiative.

Gardner: Clearly, there are a lot of stakeholders around the world, across both the public and
private domains.

Dave Lounsbury, what’s possible? What would we gain if this is done correctly? How would we
tangibly look to improvements? I know that’s hard with security. It’s hard to point out what
doesn’t happen, which is usually the result of proper planning, but how would you characterize
the value of doing this all correctly say a year or two from now?

Awareness of security

Lounsbury: One of the trends we'll see is that people are increasingly going to be making
decisions about what technology to produce and who to partner with, based on more awareness
of security.

A very clear possible outcome is that there will be a set of simple guidelines and ones that can be
implemented by a broad spectrum of vendors, where a consumer can look and say, "These folks
have followed good practices. They have baked secure engineering, secure design, and secure
supply chain processes into their thing, and therefore I am more comfortable in dealing with
them as a partner."

Of course, what that means is that, not only do you end up with more confidence in your supply chain and the components for getting to that supply chain, but also it takes a little bit of work off your plate. You don't have to invest as much in evaluating your vendors, because you can use commonly available and widely understood best practices.

From the vendor perspective, it’s helpful because we're already seeing places where a company,
like a financial services company, will go to a vendor and say, "We need to evaluate you. Here’s
our checklist." Of course, the vendor would have to deal with many different checklists in order
to close the business, and this will give them some common starting point.

Of course, everybody is going to customize and build on top of what that minimum bar is,
depending on what kind of business they're in. But at least it gives everybody a common starting
point, a common reference point, some common vocabulary for how they are going to talk about
how they do those assessments and make those purchasing decisions.

Gardner: Steve Lipner, do you think that this is going to find its way into a lot of RFPs,
beginning a sales process, looking to have a major checkbox around these issues? Is that sort of
how you see this unfolding?

Lipner: If we achieve the sort of success that we are aiming for and anticipating, you'll see
requirements for the TTF, not only in RFPs, but also potentially in government policy documents
around the world, basically aiming to increase the trust of broad collections of products that
countries and companies use.

Gardner: Joshua Brickman, I have to imagine that this is a living type of an activity that you
never really finish. There’s always something new to be done, a type of threat that’s evolving that
needs to be reacted to. Would the TTF over time take on a larger role? Do you see it expanding
into larger set of requirements, even as it adjusts to the contemporary landscape?

Brickman: That’s possible. I think that we are going to try to get something achievable out there
in a timeframe that’s useful and see what sticks.

One of the things that will happen is that as companies start to go out and test this, as with any
other standard, the 1.0 standard will evolve to something that will become more germane, and as
Steve said, will hopefully be adopted worldwide.


Agile and useful


It’s absolutely possible. It could grow. I don’t think anybody wants it to become a behemoth. We
want it to be agile, useful, and certainly something readable and achievable for companies that
are not multinational billion dollar companies, but also companies that are just out there trying to
sell their piece of the pie into the space. That’s ultimately the goal of all of us, to make sure that
this is a reasonable achievement.

Lounsbury: Dana, I'd like to expand on what Joshua just said. This is another thing that has
come out of our meetings this week. We've heard a number of times that governments, of course,
feel the need to protect their infrastructure and their economies, but also have a realization that
because of the rapid evolution of technology and the rapid evolution of security threats that it’s
hard for them to keep up. It’s not really the right vehicle.

There really is a strong preference. The U.S. strategy on this is to let industry take the lead. One
of the reasons for that is the fact that industry can evolve, in fact must evolve, at the pace of the
commercial marketplace. Otherwise, they wouldn’t be in business.

So, we really do want to get that first stake in the ground and get this working, as Joshua said.
But there is some expectation that, over time, the industry will drive the evolution of security
practices and security policies, like the ones OTTF is developing at the pace of commercial
market, so that governments won’t have to do that kind of regulation which may not keep up.

Gardner: Andras, any thoughts from your perspective on this ability to keep up in terms of
market forces? How do you see the dynamic nature of this being able to be proactive instead of
reactive?

Szakal: One of our goals is to ensure that the viability of the specification itself, the best
practices, are updated periodically. We're talking about potentially yearly. And to include new
techniques and the application of potentially new technologies to ensure that providers are
implementing the best practices for development engineering, secure engineering, and supply
chain integrity.

It's going to be very important for us to continue to evolve these best practices over a period of
time and not allow them to fall into a state of static disrepair.

I'm very enthusiastic, because many of the members are very much in agreement that this is
something that needs to be happening in order to actually raise the bar on the industry, as we
move forward, and help the entire industry adopt the practices and then move forward in our
journey to secure our critical infrastructure.

Gardner: Given that this has the potential of being a fairly rapidly evolving standard that may
start really appearing in RFPs and be impactful for real world business success, how should
enterprises get involved from the buy side? How should suppliers get involved from the sell side,
given that this is seemingly a market driven, private enterprise driven activity?

I'll throw this out to the crowd. What's the responsibility from the buyers and the sellers to keep
this active and to keep themselves up-to-date?

Lounsbury: Let me take the first stab at this. The reason we've been able to make the progress
we have is that we've got the expertise in security from all of these major corporations and
government agencies participating in the TTF. The best way to maintain that currency and
maintain that drive is for people who have a problem, if you're on the buy side or expertise from
either side, to come in and participate.

Hands-on awareness

You have got the hands-on awareness of the market, and bringing that in and adding that
knowledge of what is needed to the specification and helping move its evolution along is
absolutely the best thing to do.

That’s our steady state, and of course the way to get started on that is to go and look at the
materials. The white paper is out there. I expect we will be doing snapshots of early versions of
this that would be available, so people can take a look at those. Or, come to an Open Group
Conference and learn about what we are doing.

Gardner: Anyone else have a reaction to that? I'm curious. Given that we are looking to the
private sector and market forces to be the drivers of this, will they also be the drivers in terms of
enforcement? Is this voluntary? One would hope that market forces reward those who seek accreditation and demonstrate adherence to the standard, and that those who don't would suffer. Or is there a potential for more teeth and more enforcement? Again, I'll throw this out to the panel at large.

Szakal: As vendors, we would like to see minimal regulation, and that's simply the nature of the beast. In order for us to conduct our business and lower the cost of market entry, I think that's important.

I think it's important that we provide leadership within the industry to ensure that we're following
the best practices to ensure the integrity of the products that we provide. It's through that industry
leadership that we will avoid potential damaging regulations across different regional
environments.

We certainly wouldn't want to see different regulations pop-up in different places globally. It
makes for very messy technology insertion opportunity for us. We're hoping that by actually
getting engaged and providing some self-regulation, we won't see additional government or
international regulation.

Lipner: One of the things that my experience has taught me is that customers are very aware
these days of security, product integrity, and the importance of suppliers paying attention to those
issues. Having a robust program like the TTF and the certifications that it envisions will give
customers confidence, and they will pay attention to that. That will change their behavior in the
market even without formal regulations.

Gardner: Joshua Brickman, any thoughts on the self-regulation benefits? If that doesn't work, is it self-correcting? Is there a natural approach that if this doesn't work at first, a couple of highly publicized incidents and corporations that suffer for not regulating themselves properly would right that ship, so to speak?

Brickman: First of all, industry setting the standard is an idea that has been thrown around a
while, and I think that it's great to see us finally doing it in this area, because we know our stuff
the best.

But as far as an incident indicating that it's not working, I don’t think so. We're going to try to set
up a standard, whereby we're providing public information about what our products do and what
we do as far as best practices. At the end of the day the acquiring agency, or whatever, is going to
have to make decisions, and they're going to make intelligent decisions, based upon looking at
folks that choose to go through this and folks that choose not to go through it.


It will continue

The bad news that continues to come out is going to continue to happen. The only thing that
they'll be able to do is to look to the companies that are the experts in this to try to help them
with that, and they are going to get some of that with the companies that go through these
evaluations. There's no question about it.

At the end of the day, this accreditation program is going to shake out the products and
companies that really do follow best practices for secure engineering and supply chain best
practices.

Gardner: What should we expect next? As we heard, there has been a lot of activity here in
Austin at the conference. We've got that white paper. We're working towards more mature
definitions and approaching certification and accreditation types of activities. What's next? What
milestone should we look to? Andras, this is for you.

Szakal: Around November, we're going to be going through company review of the specification
and we'll be publishing that in the fourth quarter.

We'll also be liaising with our government and international partners during that time and we'll
also be looking forward to several upcoming conferences within The Open Group where we
conduct those activities. We're going to solicit some of our partners to be speaking during those
events on our behalf.

As we move into 2012, we'll be working on the accreditation program, specifically the
conformance criteria and the accreditation policy, and liaising again with some of our
international partners on this particular issue. Hopefully we will, if all things go well and
according to plan, come out of 2012 with a viable program.

Gardner: Dave Lounsbury, any further thoughts about next steps, what people should be
looking for, or even where they should go for more information?

Lounsbury: Andras has covered it well. Of course, you can always learn more by going to
www.opengroup.org and looking on our website for information about the OTTF. You can find
drafts of all the documents that have been made public so far, and there will be our white paper
and, of course, more information about how to become involved.

Gardner: Very good. We've been getting an update about The Open Group Trusted Technology
Forum, OTTF, and seeing how this can have a major impact from a private sector perspective
and perhaps head off issues about lack of trust and lack of clarity in a complex evolving
technology ecosystem environment.

I'd like to thank our guests. We've been joined by Dave Lounsbury, Chief Technical Officer at
The Open Group. Thank you, sir.

Lounsbury: Thank you, Dana.

Gardner: Steve Lipner, the Senior Director of Security Engineering Strategy in the Trustworthy
Computing Security Group at Microsoft. Thank you, Steve.

Lipner: Thanks, Dana.

Gardner: Joshua Brickman, who is the Director of the Federal Certification Program Office in
CA Technologies, has also joined us. Thank you.

Brickman: I enjoyed it very much.

Gardner: And Andras Szakal, Vice President and CTO of IBM’s Federal Software Group.
Thank you, sir.

Szakal: It's my pleasure. Thank you very much, Dana.

Gardner: This discussion has come to you as a sponsored podcast in conjunction with The Open
Group Conference in Austin, Texas. We are here the week of July 18, 2011. I want to thank our
listeners as well.

This is Dana Gardner, Principal Analyst at Interarbor Solutions. Don’t forget to come back next
time.

Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.
 
Heartland Payment Systems CSO Instills Culture That Promotes Proactive and Op...
Heartland Payment Systems CSO Instills Culture That Promotes Proactive and Op...Heartland Payment Systems CSO Instills Culture That Promotes Proactive and Op...
Heartland Payment Systems CSO Instills Culture That Promotes Proactive and Op...Dana Gardner
 
Liberty Mutual Insurance Melds Regulatory Compliance with Security Awareness ...
Liberty Mutual Insurance Melds Regulatory Compliance with Security Awareness ...Liberty Mutual Insurance Melds Regulatory Compliance with Security Awareness ...
Liberty Mutual Insurance Melds Regulatory Compliance with Security Awareness ...Dana Gardner
 
Loyalty Management Innovator AIMIA's Transformation Journey to Modernized and...
Loyalty Management Innovator AIMIA's Transformation Journey to Modernized and...Loyalty Management Innovator AIMIA's Transformation Journey to Modernized and...
Loyalty Management Innovator AIMIA's Transformation Journey to Modernized and...Dana Gardner
 
BriefingsDirect Analysts Unpack the Psychology of Project Management Via 'Pra...
BriefingsDirect Analysts Unpack the Psychology of Project Management Via 'Pra...BriefingsDirect Analysts Unpack the Psychology of Project Management Via 'Pra...
BriefingsDirect Analysts Unpack the Psychology of Project Management Via 'Pra...Dana Gardner
 
BriefingsDirect : Psychology of project management and SOA governance
BriefingsDirect : Psychology of project management and SOA governanceBriefingsDirect : Psychology of project management and SOA governance
BriefingsDirect : Psychology of project management and SOA governanceMichael Krigsman
 

Similar a Industry Moves to Fill Gap for Building Trusted Supply Chain Technology Accreditation (20)

Securing Business Operations and Critical Infrastructure: Trusted Technology,...
Securing Business Operations and Critical Infrastructure: Trusted Technology,...Securing Business Operations and Critical Infrastructure: Trusted Technology,...
Securing Business Operations and Critical Infrastructure: Trusted Technology,...
 
Right-Sizing the Security and Information Assurance for Companies, a Core-ver...
Right-Sizing the Security and Information Assurance for Companies, a Core-ver...Right-Sizing the Security and Information Assurance for Companies, a Core-ver...
Right-Sizing the Security and Information Assurance for Companies, a Core-ver...
 
Mexican ISP Telum Gains Operational Advantages Via Project to Identify and Me...
Mexican ISP Telum Gains Operational Advantages Via Project to Identify and Me...Mexican ISP Telum Gains Operational Advantages Via Project to Identify and Me...
Mexican ISP Telum Gains Operational Advantages Via Project to Identify and Me...
 
After Cutting its Big Data Teeth on Wall Street, Vichara Technologies Grows t...
After Cutting its Big Data Teeth on Wall Street, Vichara Technologies Grows t...After Cutting its Big Data Teeth on Wall Street, Vichara Technologies Grows t...
After Cutting its Big Data Teeth on Wall Street, Vichara Technologies Grows t...
 
Case Study: Sprint Simplifies IT Environment with Speedy Implementation of To...
Case Study: Sprint Simplifies IT Environment with Speedy Implementation of To...Case Study: Sprint Simplifies IT Environment with Speedy Implementation of To...
Case Study: Sprint Simplifies IT Environment with Speedy Implementation of To...
 
Cybersecurity is a Necessity, Not an Option, in the Face of Global Security T...
Cybersecurity is a Necessity, Not an Option, in the Face of Global Security T...Cybersecurity is a Necessity, Not an Option, in the Face of Global Security T...
Cybersecurity is a Necessity, Not an Option, in the Face of Global Security T...
 
Focus on Data, Risk Control, and Predictive Analysis Drives New Era of Cloud-...
Focus on Data, Risk Control, and Predictive Analysis Drives New Era of Cloud-...Focus on Data, Risk Control, and Predictive Analysis Drives New Era of Cloud-...
Focus on Data, Risk Control, and Predictive Analysis Drives New Era of Cloud-...
 
Gaining Digital Business Strategic View Across More Data Gives AmeriPride Cul...
Gaining Digital Business Strategic View Across More Data Gives AmeriPride Cul...Gaining Digital Business Strategic View Across More Data Gives AmeriPride Cul...
Gaining Digital Business Strategic View Across More Data Gives AmeriPride Cul...
 
Standards and APIs: How to Best Build Platforms and Tools to Manage Identity ...
Standards and APIs: How to Best Build Platforms and Tools to Manage Identity ...Standards and APIs: How to Best Build Platforms and Tools to Manage Identity ...
Standards and APIs: How to Best Build Platforms and Tools to Manage Identity ...
 
Growing Threats Make Application Security a Pervasive Necessity, Rather than ...
Growing Threats Make Application Security a Pervasive Necessity, Rather than ...Growing Threats Make Application Security a Pervasive Necessity, Rather than ...
Growing Threats Make Application Security a Pervasive Necessity, Rather than ...
 
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...
The Open Group San Diego Panel Explores Global Cybersecurity Issues for Impro...
 
How the Role of Certification Impacts Professionalization of IT and Skills Ma...
How the Role of Certification Impacts Professionalization of IT and Skills Ma...How the Role of Certification Impacts Professionalization of IT and Skills Ma...
How the Role of Certification Impacts Professionalization of IT and Skills Ma...
 
Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...
Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...
Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...
 
Platform 3.0 Ripe to Give Standard Access to Advanced Intelligence and Automa...
Platform 3.0 Ripe to Give Standard Access to Advanced Intelligence and Automa...Platform 3.0 Ripe to Give Standard Access to Advanced Intelligence and Automa...
Platform 3.0 Ripe to Give Standard Access to Advanced Intelligence and Automa...
 
How Dashboard Analytics Bolster Security and Risk Management Across IT Supply...
How Dashboard Analytics Bolster Security and Risk Management Across IT Supply...How Dashboard Analytics Bolster Security and Risk Management Across IT Supply...
How Dashboard Analytics Bolster Security and Risk Management Across IT Supply...
 
Heartland Payment Systems CSO Instills Culture That Promotes Proactive and Op...
Heartland Payment Systems CSO Instills Culture That Promotes Proactive and Op...Heartland Payment Systems CSO Instills Culture That Promotes Proactive and Op...
Heartland Payment Systems CSO Instills Culture That Promotes Proactive and Op...
 
Liberty Mutual Insurance Melds Regulatory Compliance with Security Awareness ...
Liberty Mutual Insurance Melds Regulatory Compliance with Security Awareness ...Liberty Mutual Insurance Melds Regulatory Compliance with Security Awareness ...
Liberty Mutual Insurance Melds Regulatory Compliance with Security Awareness ...
 
Loyalty Management Innovator AIMIA's Transformation Journey to Modernized and...
Loyalty Management Innovator AIMIA's Transformation Journey to Modernized and...Loyalty Management Innovator AIMIA's Transformation Journey to Modernized and...
Loyalty Management Innovator AIMIA's Transformation Journey to Modernized and...
 
BriefingsDirect Analysts Unpack the Psychology of Project Management Via 'Pra...
BriefingsDirect Analysts Unpack the Psychology of Project Management Via 'Pra...BriefingsDirect Analysts Unpack the Psychology of Project Management Via 'Pra...
BriefingsDirect Analysts Unpack the Psychology of Project Management Via 'Pra...
 
BriefingsDirect : Psychology of project management and SOA governance
BriefingsDirect : Psychology of project management and SOA governanceBriefingsDirect : Psychology of project management and SOA governance
BriefingsDirect : Psychology of project management and SOA governance
 

Último

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 

Último (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 

Industry Moves to Fill Gap for Building Trusted Supply Chain Technology Accreditation

  • 1. Industry Moves to Fill Gap for Building Trusted Supply Chain Technology Accreditation Transcript of a BriefingsDirect podcast from The Open Group Conference on The Open Group Trusted Technology Forum and setting standards for security and reliability. Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Sponsor: The Open Group Dana Gardner: Hi. This is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect. Today, we present a sponsored podcast discussion in conjunction with The Open Group Conference in Austin, Texas, the week of July 18, 2011. We've assembled a distinguished panel to update us on The Open Group Trusted Technology Forum, also known as the OTTF, and an accreditation process to help technology acquirers and buyers safely conduct global procurement and supply chain commerce. [Disclosure: The Open Group is a Sponsor of BriefingsDirect podcasts.] We'll examine how the security risk for many companies and organizations has only grown, even as these companies form essential partnerships and integral supplier relationships. So, how can all the players in a technology ecosystem gain assurances that the other participants are adhering to best practices and taking the proper precautions? Here to help us better understand how established standard best practices and an associated accreditation approach can help make supply chains stronger and safer is our panel. We're here with Dave Lounsbury, the Chief Technical Officer at The Open Group. Welcome back, Dave. Dave Lounsbury: Hello Dana. How are you? Gardner: Great. We are also here with Steve Lipner, Senior Director of Security Engineering Strategy in the Trustworthy Computing Security at Microsoft. Welcome back, Steve. Steve Lipner: Hi, Dana. Glad to be here. Gardner: We're here also with Joshua Brickman, Director of the Federal Certification Program Office at CA Technologies. Welcome, Joshua. Joshua Brickman: Thanks for having me. 
Gardner: And, we're here too with Andras Szakal. He's the Vice President and CTO of IBM’s Federal Software Group. Welcome back, Andras.
  • 2. Andras Szakal: Thank you very much, Dana. I appreciate it. Gardner: Dave, let's start with you. We've heard so much lately about "hacktivism," break-ins, and people being compromised. These are some very prominent big companies, both public and private. How important is it that we start to engage more with things like the OTTF? No backup plan Lounsbury: Dana, a great quote coming out of this week’s conference was that we have moved the entire world’s economy to being dependent on the Internet, without a backup plan. Anyone who looks at the world economy will see, not only are we dependent on it for exchange of value in many cases, but even information about how our daily lives are run, traffic, health information, and things like that. It's becoming increasingly vitally important that we understand all the aspects of what it means to have trust in the chain of components that deliver that connectivity to us, not just as technologists, but as people who live in the world. Gardner: Steve Lipner, your thoughts on how this problem seems to be only getting worse? Lipner: Well, the attackers are becoming more determined and more visible across the Internet ecosystem. Vendors have stepped up to improve the security of their product offerings, but customers are concerned. A lot of what we're doing in The Open Group and in the OTTF is about trying to give them additional confidence of what vendors are doing, as well as inform vendors what they should be doing. Gardner: Joshua Brickman, this is obviously a big topic and a very large and complex area. From your perspective, what is it that the OTTF is good at? What is it focused on? What should we be looking to it for in terms of benefit in this overall security issue? Brickman: One of the things that I really like about this group is that you have all of the leaders, everybody who is important in this space, working together with one common goal. 
Today, we had a discussion where one of the things we were thinking about is, whether there's a 100 percent fail-safe solution to cyber? And there really isn't. There is just a bar that you can set, and the question is how much do you want to make the attackers spend, before they can get over that bar? What we're going to try to do is establish that level, and working together, I feel very encouraged that we are getting there, so far. Gardner: Andras, we are not just trying to set the bar, but we're also trying to enforce, or at least have clarity into, what other players in an ecosystem are doing. So that accreditation process seems to be essential.
  • 3. Szakal: We're going to develop a standard, or are in the process of developing a specification and ultimately an accreditation program, that will validate suppliers and providers against that standard. It's focused on building trust into a technology provider organization through this accreditation program, facilitated through either one of several different delivery mechanisms that we are working on. We're looking for this to become a global program, with global partners, as we move forward. Gardner: It seems as if almost anyone is a potential target, and when someone decides to target you, you do seem to suffer. We've seen things with Booz Allen, RSA, and consumer organizations like Sony. Is this something that almost everyone needs to be more focused on? Are we at the point now where there is no such thing as turning back, Dave Lounsbury? Global effort Lounsbury: I think there is, and we have talked about this before. Any electronic or information system now is really built on components and software that are delivered from all around the globe. We have software that’s developed in one continent, hardware that’s developed in another, integrated in a third, and used globally. So, we really do need to have the kinds of global standards and engagement that Andras has referred to, so that there is that one bar for all to clear in order to be considered as a provider of trusted components. Gardner: As we've seen, there is a weak link in any chain, and the hackers or the cyber criminals or the state sponsored organizations will look for those weak links. That’s really where we need to focus. Lounsbury: I would agree with that. In fact, some of the other outcomes of this week’s conference have been the change in these attacks, from just nuisance attacks, to ones that are focused on monetization of cyber crimes and exfiltration of data. So the spectrum of threats is increasing a lot. 
More sophisticated attackers are looking for narrower and narrower attack vectors each time. So we really do need to look across the spectrum of how this IT technology gets produced in order to address it. Gardner: Steve Lipner, it certainly seems that the technology supply chain is essential. If there is weakness there, then it's difficult for the people who deploy those technologies to cover their bases. It seems that focusing on the technology providers, the ecosystems that support them, is a really necessary first step to taking this to a larger, either public or private, buyer side value.
  • 4. Lipner: The tagline we have used for The Open Group TTF is "Build with Integrity, Buy with Confidence." We certainly understand that customers want to have confidence in the hardware and software of the IT products that they buy. We believe that it’s up to the suppliers, working together with other members of the IT community, to identify best practices and then articulate them, so that organizations up and down the supply chain will know what they ought to be doing to ensure that customer confidence. Gardner: Let's take a step back and get a little bit of a sense of where this process that you are all involved with is. I know you're all on working groups and in other ways involved in moving this forward, but it's been about six months now since The OTTF was developed initially, and there was a white paper to explain that. Perhaps, one of you will volunteer to give us sort of a state of affairs where things are,. Then, we'd also like to hear an update about what's been going on here in Austin. Anyone? Szakal: Well, as the chair, I have the responsibility of keeping track of our milestones, so I'll take that one. A, we completed the white paper earlier this year, in the first quarter. The white paper was visionary in nature, and it was obviously designed to help our constituents understand the goals of the OTTF. However, in order to actually make this a normative specification and design a program, around which you would have conformance and be able to measure suppliers’ conformity to that specification, we have to develop a specification with normative language. First draft We're finishing that up as we speak and we are going to have a first draft here within the next month. We're looking to have that entire specification go through company review in the fourth quarter of this year. 
Simultaneously, we'll be working on the accreditation policy and conformance criteria and evidence requirements necessary to actually have an accreditation program, while continuing to liaise with other evaluation schemes that are interested in partnering with us. In a global international environment, that’s very important, because there exist more than one of these regimes that we will have to exist, coexist, and partner with. Over the next year, we'll have completed the accreditation program and have begun testing of the process, probably having to make some adjustments along the way. We're looking at sometime within the first half of 2012 for having a completed program to begin ramping up.
  • 5. Gardner: Is there an update on the public sector's, or in the U.S., the federal government’s, role in this? Are they active? Are they leading? How would you characterize the public role or where you would like to see that go? Szakal: The forum itself continues to liaise with the government and all of our constituents. As you know, we have several government members that are part of the TTF and they are just as important as any of the other members. We continue to provide update to many of the governments that we are working with globally to ensure they understand the goals of the TTF and how they can provide value synergistically with what we are doing, as we would to them. Gardner: I'll throw this back out to the panel? How about the activities this week at the conference? What have been the progress or insights that you can point to from that? Brickman: We've been meeting for the first couple of days and we have made tremendous progress on wrapping up our framework and getting it ready for the first review. We've also been meeting with several government officials. I can’t say who they are, but what’s been good about it is that they're very positive on the work that we're doing, they support what we are doing and want to continue this discussion. It’s very much a partnership, and we do feel like it’s not just an industry-led project, where we have participation from folks who could very much be the consumers of this initiative. Gardner: Clearly, there are a lot of stakeholders around the world, across both the public and private domains. Dave Lounsbury, what’s possible? What would we gain if this is done correctly? How would we tangibly look to improvements? I know that’s hard with security. It’s hard to point out what doesn’t happen, which is usually the result of proper planning, but how would you characterize the value of doing this all correctly say a year or two from now? 
Awareness of security

Lounsbury: One of the trends we'll see is that people are increasingly going to be making decisions about what technology to produce and who to partner with, based on more awareness of security. A very clear possible outcome is that there will be a set of simple guidelines, ones that can be implemented by a broad spectrum of vendors, where a consumer can look and say, "These folks have followed good practices. They have baked secure engineering, secure design, and secure supply chain processes into their thing, and therefore I am more comfortable in dealing with them as a partner."

Of course, what that means is that not only do you end up with more confidence in your supply chain and the components for getting to that supply chain, but also it takes a little bit of work off your plate. You don't have to invest as much in evaluating your vendors, because you can use commonly available and widely understood best practices.

From the vendor perspective, it's helpful because we're already seeing places where a company, like a financial services company, will go to a vendor and say, "We need to evaluate you. Here's our checklist." Of course, the vendor would have to deal with many different checklists in order to close the business, and this will give them some common starting point. Of course, everybody is going to customize and build on top of what that minimum bar is, depending on what kind of business they're in. But at least it gives everybody a common starting point, a common reference point, some common vocabulary for how they are going to talk about how they do those assessments and make those purchasing decisions.

Gardner: Steve Lipner, do you think that this is going to find its way into a lot of RFPs, beginning a sales process, looking to have a major checkbox around these issues? Is that sort of how you see this unfolding?

Lipner: If we achieve the sort of success that we are aiming for and anticipating, you'll see requirements for the TTF, not only in RFPs, but also potentially in government policy documents around the world, basically aiming to increase the trust of broad collections of products that countries and companies use.

Gardner: Joshua Brickman, I have to imagine that this is a living type of an activity that you never really finish. There's always something new to be done, a type of threat that's evolving that needs to be reacted to. Would the TTF over time take on a larger role? Do you see it expanding into a larger set of requirements, even as it adjusts to the contemporary landscape?

Brickman: That's possible. I think that we are going to try to get something achievable out there in a timeframe that's useful and see what sticks.
One of the things that will happen is that as companies start to go out and test this, as with any other standard, the 1.0 standard will evolve to something that will become more germane, and as Steve said, will hopefully be adopted worldwide.

Agile and useful

It's absolutely possible. It could grow. I don't think anybody wants it to become a behemoth. We want it to be agile, useful, and certainly something readable and achievable for companies that are not multinational billion-dollar companies, but also companies that are just out there trying to sell their piece of the pie into the space. That's ultimately the goal of all of us, to make sure that this is a reasonable achievement.

Lounsbury: Dana, I'd like to expand on what Joshua just said. This is another thing that has come out of our meetings this week. We've heard a number of times that governments, of course, feel the need to protect their infrastructure and their economies, but also have a realization that because of the rapid evolution of technology and the rapid evolution of security threats, it's hard for them to keep up. It's not really the right vehicle. There really is a strong preference. The U.S. strategy on this is to let industry take the lead. One of the reasons for that is the fact that industry can evolve, in fact must evolve, at the pace of the commercial marketplace. Otherwise, they wouldn't be in business. So, we really do want to get that first stake in the ground and get this working, as Joshua said. But there is some expectation that, over time, the industry will drive the evolution of security practices and security policies, like the ones OTTF is developing, at the pace of the commercial market, so that governments won't have to do that kind of regulation, which may not keep up.

Gardner: Andras, any thoughts from your perspective on this ability to keep up in terms of market forces? How do you see the dynamic nature of this being able to be proactive instead of reactive?

Szakal: One of our goals is to ensure the viability of the specification itself, that the best practices are updated periodically. We're talking about potentially yearly, and to include new techniques and the application of potentially new technologies to ensure that providers are implementing the best practices for development engineering, secure engineering, and supply chain integrity. It's going to be very important for us to continue to evolve these best practices over a period of time and not allow them to fall into a state of static disrepair. I'm very enthusiastic, because many of the members are very much in agreement that this is something that needs to be happening in order to actually raise the bar on the industry, as we move forward, and help the entire industry adopt the practices and then move forward in our journey to secure our critical infrastructure.
Gardner: Given that this has the potential of being a fairly rapidly evolving standard that may start really appearing in RFPs and be impactful for real-world business success, how should enterprises get involved from the buy side? How should suppliers get involved from the sell side, given that this is seemingly a market-driven, private-enterprise-driven activity? I'll throw this out to the crowd. What's the responsibility of the buyers and the sellers to keep this active and to keep themselves up to date?

Lounsbury: Let me take the first stab at this. The reason we've been able to make the progress we have is that we've got the expertise in security from all of these major corporations and government agencies participating in the TTF. The best way to maintain that currency and maintain that drive is for people who have a problem, if you're on the buy side, or expertise from either side, to come in and participate.
Hands-on awareness

You have got the hands-on awareness of the market, and bringing that in and adding that knowledge of what is needed to the specification and helping move its evolution along is absolutely the best thing to do. That's our steady state, and of course the way to get started on that is to go and look at the materials. The white paper is out there. I expect we will be doing snapshots of early versions of this that would be available, so people can take a look at those. Or, come to an Open Group Conference and learn about what we are doing.

Gardner: Anyone else have a reaction to that? I'm curious. Given that we are looking to the private sector and market forces to be the drivers of this, will they also be the drivers in terms of enforcement? Is this voluntary? One would hope that market forces reward those who seek accreditation and demonstrate adhesion to the standard, and that those who don't would suffer. Or is there a potential for more teeth and more enforcement? Again, I'll throw this out to the panel at large.

Szakal: As vendors, we'd like to see minimal regulation, and that's simply the nature of the beast. In order for us to conduct our business and lower the cost of market entry, I think that's important. I think it's important that we provide leadership within the industry to ensure that we're following the best practices to ensure the integrity of the products that we provide. It's through that industry leadership that we will avoid potentially damaging regulations across different regional environments. We certainly wouldn't want to see different regulations pop up in different places globally. It makes for a very messy technology insertion opportunity for us. We're hoping that by actually getting engaged and providing some self-regulation, we won't see additional government or international regulation.
Lipner: One of the things that my experience has taught me is that customers are very aware these days of security, product integrity, and the importance of suppliers paying attention to those issues. Having a robust program like the TTF and the certifications that it envisions will give customers confidence, and they will pay attention to that. That will change their behavior in the market even without formal regulations.

Gardner: Joshua Brickman, any thoughts on the self-regulation benefits? If that doesn't work, is it self-correcting? Is there a natural approach that if this doesn't work at first, a couple of highly publicized incidents and corporations that suffer for not regulating themselves properly would right that ship, so to speak?
Brickman: First of all, industry setting the standard is an idea that has been thrown around a while, and I think that it's great to see us finally doing it in this area, because we know our stuff the best. But as far as an incident indicating that it's not working, I don't think so. We're going to try to set up a standard, whereby we're providing public information about what our products do and what we do as far as best practices. At the end of the day the acquiring agency, or whatever, is going to have to make decisions, and they're going to make intelligent decisions, based upon looking at folks that choose to go through this and folks that choose not to go through it.

It will continue

The bad news that continues to come out is going to continue to happen. The only thing that they'll be able to do is to look to the companies that are the experts in this to try to help them with that, and they are going to get some of that with the companies that go through these evaluations. There's no question about it. At the end of the day, this accreditation program is going to shake out the products and companies that really do follow best practices for secure engineering and supply chain best practices.

Gardner: What should we expect next? As we heard, there has been a lot of activity here in Austin at the conference. We've got that white paper. We're working towards more mature definitions and approaching certification and accreditation types of activities. What's next? What milestone should we look to? Andras, this is for you.

Szakal: Around November, we're going to be going through company review of the specification and we'll be publishing that in the fourth quarter. We'll also be liaising with our government and international partners during that time, and we'll also be looking forward to several upcoming conferences within The Open Group where we conduct those activities.
We're going to solicit some of our partners to be speaking during those events on our behalf. As we move into 2012, we'll be working on the accreditation program, specifically the conformance criteria and the accreditation policy, and liaising again with some of our international partners on this particular issue. Hopefully we will, if all things go well and according to plan, come out of 2012 with a viable program.

Gardner: Dave Lounsbury, any further thoughts about next steps, what people should be looking for, or even where they should go for more information?

Lounsbury: Andras has covered it well. Of course, you can always learn more by going to www.opengroup.org and looking on our website for information about the OTTF. You can find drafts of all the documents that have been made public so far, and there will be our white paper and, of course, more information about how to become involved.

Gardner: Very good. We've been getting an update about The Open Group Trusted Technology Forum, OTTF, and seeing how this can have a major impact from a private sector perspective and perhaps head off issues about lack of trust and lack of clarity in a complex, evolving technology ecosystem environment.

I'd like to thank our guests. We've been joined by Dave Lounsbury, Chief Technical Officer at The Open Group. Thank you, sir.

Lounsbury: Thank you, Dana.

Gardner: Steve Lipner, the Senior Director of Security Engineering Strategy in the Trustworthy Computing Security Group at Microsoft. Thank you, Steve.

Lipner: Thanks, Dana.

Gardner: Joshua Brickman, who is the Director of the Federal Certification Program Office in CA Technologies, has also joined us. Thank you.

Brickman: I enjoyed it very much.

Gardner: And Andras Szakal, Vice President and CTO of IBM's Federal Software Group. Thank you, sir.

Szakal: It's my pleasure. Thank you very much, Dana.

Gardner: This discussion has come to you as a sponsored podcast in conjunction with The Open Group Conference in Austin, Texas. We are here the week of July 18, 2011. I want to thank our listeners as well. This is Dana Gardner, Principal Analyst at Interarbor Solutions. Don't forget to come back next time.

Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.