Standard number: ISO/IEC 20243-1:2023

Chinese title: 信息技术 开放可信技术供应商标准(O-TTPS) 第1部分:减轻恶意污染和假冒产品的要求和建议

English title: Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Part 1: Requirements and recommendations for mitigating maliciously tainted and counterfeit products

Publication date: 2023-11

Scope

This document is focused on the security of the supply chain rather than the business management aspects of the supply chain. It takes a comprehensive view of what providers should do in order to be considered a Trusted Technology Provider that “builds with integrity”. This includes practices that providers incorporate in their own internal product lifecycle processes, that portion of product development that is “in-house” and over which they have more direct operational control. Additionally, it includes the provider’s supply chain security practices that need to be followed when incorporating third-party hardware or software components, or when depending on external manufacturing and delivery or supportive services.

The document makes a distinction between provider and supplier. Suppliers are the upstream vendors who supply components or solutions (software or hardware) to providers or integrators. Providers are the vendors who supply COTS ICT products directly to the downstream integrator or acquirer.

The guidelines, requirements, and recommendations included in this document should be widely adopted by providers and their suppliers regardless of size, and will provide benefits throughout the industry.

For this version of the O-TTPS, the following elements are considered out of scope:

— This document does not focus on guidelines, requirements, and recommendations for the acquirer; the OTTF is considering addressing this area in a separate, complementary publication, such as a Guide. In the meantime, an acquirer does have a role to play in assuring that the products and components they procure are built with integrity. One of the ways the acquirer can do that is to require their providers, suppliers, and integrators to be Trusted Technology Providers. Another way is to not knowingly support the “grey market”, realizing that if an acquirer elects to receive hardware or software support from grey market suppliers, it is at their own risk and generally outside the influence of the legitimate provider.

— This document is not meant to be comprehensive as to all practices that a provider should follow when building software or hardware; for a more comprehensive set of foundational best practices that a provider could implement to produce good quality products, readers can refer to the O-TTPF Guide.

— This version does not apply to the operation or hosting infrastructure of online services, but it can apply to COTS ICT products insofar as they are utilized by those services.

This document complements existing standards covering product security functionality and product information assurance, such as ISO/IEC 15408 (Common Criteria).
