The term "supply chain integrity" has been very hot in the IT community recently, particularly in light of some very visible and painful instances of attacks.
One result of these issues has been the recent creation of the Trusted Technology Forum (TTF). The Open Group, one of those "standards" development organizations, has spearheaded its creation. CA Technologies is a founding member, and I'm proud to represent us on the Steering Committee. I've been interviewed a couple of times about my thoughts on the topic, and I'd like to expand on them a bit here.
First off, the TTF will not be a replacement for the Common Criteria. Common Criteria (CC) evaluations are just one of the many best practices that the Trusted Technology Provider Accreditation program will expect vendors to include in their product certification plans (if applicable).
The idea is to create a list of the best of the best: the companies that follow the best practices and use secure development methods to minimize risk. This will include holding our suppliers accountable to the same standards we hold for ourselves. This "Good Housekeeping Seal of Approval" for technology vendors will give acquiring governments and companies assurance that the risk is substantially lower if they buy from these vendors. The TTF will ultimately create such a program, but the Open Group will not itself certify companies. It will act as the initial certifying authority, and existing labs (FIPS and CC labs come to mind) will have the opportunity to become TTF certifiers.
There is a lot of work remaining before we'll see companies on this list. The Framework will be published in February, and we expect the conformance criteria to be ready in six months. The specifications and accreditation authority will follow from there.
The Steering Committee had the pleasure of briefing Howard Schmidt, the Cybersecurity Coordinator for President Obama, at the White House recently, along with several of his senior staff. When asked when he needed this type of certification, the response was "yesterday." One of the staff asked why we were basing this on private sector standards and why the government wasn't figuring it out. A valid question. The view is that industry will adhere to standard procedures of transparency, ensure there is a level playing field, and make sure the criteria are technology- and vendor-neutral and meet the broadly varying needs of the customer.