Anatomy of an O-TTPS Third-Party Assessment

A Quick Step Guide

13 October 2020

Have you ever wondered what would be involved in a third-party assessment against the Open Trusted Technology Provider™ Standard (O-TTPS)? Here is a brief outline that may answer your questions.

What is the Open Trusted Technology Provider Standard (O-TTPS)?

The Open Group's Open Trusted Technology Provider™ Standard (O-TTPS) is a set of requirements and recommendations covering technology development and supply chain security, aimed at addressing the risk of tainted and counterfeit products. It comprises 23 areas of recommendations and requirements; however, only the requirements are assessed. It has also been adopted as ISO 20243, so the two standards are technically equivalent.

What brings an organization to decide that they require an O-TTPS Assessment?

As with most assessments, the need typically originates with the customers. More and more, government organizations and companies with large government contracts require suppliers to show that they have adequately addressed supply chain risk management. Although there are many guidelines, there are very few certification programs. Certification to the O-TTPS can be used to provide evidence of adherence to supply chain security best practices.

Some organizations are brought to certification because a customer has specifically asked for third-party certification. Other organizations are asked to perform separate self-assessments of their supply chain security procedures for many of their customers. These organizations have opted to point to a single third-party certification as a more efficient alternative to these numerous self-assessments.  

How do I prepare for an assessment?

The first step towards certification is to examine the standard and ensure that your organization's supply chain security practices cover the relevant requirements. It can take some time to establish processes to address supply chain risk management. Contact a recognized assessor once you have determined that you are ready to begin third-party assessment of your supply chain security procedures.

Where do we begin?

Discuss the O-TTPS assessment process and documentation requirements with your third-party assessor and scope out the number of products or product lines to be included in the assessment. They can help you fill in the Conformance Statement and the Implementation Selection Criteria Application (ISCA) document. If you have been through an assessment before, or feel confident that you understand the requirements, you can skip this step.

How do I apply for certification?

You must submit the ISCA and Conformance Statement directly to the Open Group. The Open Group requires that you identify the lab that will be performing the assessment at this time. Once they have accepted your ISCA, you can begin filling in the Certification Package Document (CPD).

What do I need to provide for the assessment?

You prepare the CPD and assemble the evidence. Two types of evidence are required: process evidence and implementation evidence. Process evidence consists of policy and procedure documents that show that you have a process that addresses the requirement. Implementation evidence consists of artifacts that show that the process is being followed.  

The effort to prepare the document and assemble the evidence can take three to eight months.

How long will the assessment take?

O-TTPS assessors examine the CPD and the evidence. The assessor may have questions or may require additional information. The assessment can be as quick as a couple of weeks, or may take up to three months, depending on the number of questions and the time it takes to respond with additional evidence.

Once complete, the assessed package is sent to you for review. This is typically a very quick review, since the document indicates that all requirements have passed. The assessor then sends the assessed CPD to the Open Group for certification and the evidence is archived.

How long before certification?

The Open Group Certifier may have questions for you and for the assessor. Once these are answered to the Open Group's satisfaction, your product is added to the Certification Register. This typically takes two weeks.

Once posted to the Open Group's Certification Register, the certification remains valid for three years. 

Learn more on our O-TTPS assessment services.

Teresa MacArthur,
Common Criteria Lab Manager

Teresa MacArthur has been a recognized assessor for the O-TTPS since 2013 and has earned the Open Group's designation of Master Certified Trusted Technology Practitioner. She has been the lead assessor for more than half of the Third-Party Assessed certifications listed on the O-TTPS Certification Register. She currently resides in Stockholm, Sweden where she is a Common Criteria Lab Manager at Intertek.