{"id":514862,"date":"2024-11-05T14:32:05","date_gmt":"2024-11-05T14:32:05","guid":{"rendered":"https:\/\/pdfstandards.shop\/product\/uncategorized\/can-csa-iso-iec-2024316\/"},"modified":"2024-11-05T14:32:05","modified_gmt":"2024-11-05T14:32:05","slug":"can-csa-iso-iec-2024316","status":"publish","type":"product","link":"https:\/\/pdfstandards.shop\/product\/publishers\/csa\/can-csa-iso-iec-2024316\/","title":{"rendered":"CAN\/CSA-ISO\/IEC 20243:16"},"content":{"rendered":"

Preface<\/strong><\/p>\n

Standards development within the Information Technology sector is harmonized with international standards development. Through the CSA Technical Committee on Information Technology (TCIT), Canadians serve as the SCC Mirror Committee (SMC) on ISO\/IEC Joint Technical Committee 1 on Information Technology (ISO\/IEC JTC1) for the Standards Council of Canada (SCC), the ISO member body for Canada and sponsor of the Canadian National Committee of the IEC. Also, as a member of the International Telecommunication Union (ITU), Canada participates in the International Telegraph and Telephone Consultative Committee (ITU-T). <\/p>\n

For brevity, this Standard will be referred to as CAN\/CSA-ISO\/IEC 20243 throughout. <\/p>\n

At the time of publication, ISO\/IEC 20243:2015 is available from ISO and IEC in English only. CSA Group will publish the French version when it becomes available from ISO and IEC. <\/p>\n

Introduction<\/h4>\n

This chapter introduces this Standard – the Open Trusted Technology Provider Standard (O-TTPS) – and the normative terminology that should be understood in relation to the specific requirements and recommendations found in Chapter 4 of this document. <\/p>\n

1.1 Objectives <\/p>\n

The Open Trusted Technology Provider Standard (O-TTPS) is a set of guidelines, requirements, and recommendations that, when practically applied, create a business benefit in terms of reduced risk of acquiring maliciously tainted or counterfeit products for the technology acquirer. Documenting best practices that have been taken from the experience of mature industry providers, rigorously reviewed through a consensus process, and established as requirements and recommendations in this Standard, can provide significant advantage in establishing a basis to reduce risk. A commitment by technology providers, large and small, suppliers of hardware and software components, and integrators to adopt this Standard is a commitment to using specific methodologies to assure the integrity of their hardware or software Commercial Off-the-Shelf (COTS) Information and Communication Technology (ICT) products. This Standard is detailed and prescriptive enough to be useful in raising the bar for all providers and lends itself to an accreditation process to provide assurance that it is being followed in a meaningful and repeatable manner. <\/p>\n

1.2 Overview <\/p>\n

This Standard (O-TTPS) is a set of guidelines, requirements, and recommendations that address specific threats to the integrity of hardware and software COTS ICT products throughout the product life cycle. This initial release of the Standard addresses threats related to maliciously tainted and counterfeit products. <\/p>\n

The provider's product life cycle includes the work it does designing and developing products, as well as the supply chain aspects of that life cycle, collectively extending through the following phases: design, sourcing, build, fulfillment, distribution, sustainment, and disposal. While this Standard cannot fully address threats that originate wholly outside any span of control of the provider – for example, a counterfeiter producing a fake printed circuit board assembly that has no original linkage to the Original Equipment Manufacturer (OEM) – the practices detailed in the Standard will provide some level of mitigation. An example of such a practice would be the use of security labeling techniques in legitimate products. <\/p>\n

The two major threats that acquirers face today in their COTS ICT procurements, as addressed in this Standard, are defined as: <\/p>\n

1. Maliciously tainted product – the product is produced by the provider and is acquired through a provider's authorized channel, but has been tampered with maliciously.
2. Counterfeit product – the product is produced other than by, or for, the provider, or is supplied to the provider by other than a provider's authorized channel, and is presented as being legitimate even though it is not. <\/p>\n

Note: Throughout this Standard, the words taint, tainted, and tainting mean maliciously taint, maliciously tainted, and maliciously tainting, respectively. <\/p>\n

Trusted Technology Providers manage their product life cycle, including their extended supply chains, through the application of defined, monitored, and validated best practices. The product's integrity is strengthened when providers and suppliers follow the requirements and recommendations specified in this Standard. The industry consensus reflected here and in the Open Trusted Technology Provider Framework (O-TTPF) draws from the following areas that are integral to product integrity: product development\/engineering, secure development\/engineering, and supply chain security. Additionally, product integrity and supply chain security are enhanced by following practices among suppliers, trading partners, providers, and, when appropriate, acquiring customers to preserve the product's intended configuration. <\/p>\n

This Standard is focused on the security of the supply chain rather than the business management aspects of the supply chain. This Standard takes a comprehensive view of what providers should do in order to be considered a Trusted Technology Provider that builds with integrity. This includes practices that providers incorporate in their own internal product life cycle processes, i.e., the portion of product development that is in-house and over which they have more direct operational control. Additionally, it includes the provider's supply chain security practices that need to be followed when incorporating third-party hardware or software components, or when depending on external manufacturing, delivery, or supportive services. <\/p>\n

The Standard makes a distinction between provider and supplier. Suppliers are those upstream vendors who supply components or solutions (software or hardware) to providers or integrators. Providers are those vendors who supply COTS ICT products directly to the downstream integrator or acquirer. <\/p>\n

Ideally, the guidelines, requirements, and recommendations included in this Standard will be widely adopted by providers and their suppliers regardless of size and will provide benefits throughout the industry. <\/p>\n

For this version of the Standard, the following elements are considered out of scope: <\/p>\n