Where were your hardware and software -- and everything that comprises them -- sourced, and is every piece secure?
To give technology consumers better answers to those questions, on Wednesday the Open Group -- a vendor-neutral and technology-neutral standards consortium -- announced the formation of the Trusted Technology Forum (TTF), which aims to improve supply chain risk management and security.
Numerous private companies, as well as the Department of Defense, are founding members.
"If you are an entity purchasing hardware and software for mission-critical systems, you want to know that your supplier has reasonable practices as to how they build and maintain their products that addresses specific... supply chain risks," said Mary Ann Davidson, the chief security officer for Oracle, in a blog post.
"The supplier ought to be doing 'reasonable and prudent' practices to mitigate those risks and to be able to tell their buyers, 'here is what I did,'" she said. "Better industry practices related to supply chain risks with more transparency to buyers are both, in general, good things."
The forum's near-term goals are to promulgate supply chain best practices for reducing security risks, controlling and protecting engineering procedures, assessing individual technology providers, and adopting safe procurement strategies. Its first release is slated to be the Trusted Technology Provider Framework (TTPF), a best practices framework designed to build on existing standards, such as Common Criteria.
According to Edna Conway, senior director of customer value chain management at Cisco, the forum and framework have the opportunity to create "a meaningful indicator of product assurance," meaning that customers would have greater guarantees about the products they purchase.
The TTF's founding members are Boeing, Carnegie Mellon SEI, CA Technologies, Cisco, HP, IBM, Kingdee, Microsoft, MITRE, NASA, Oracle, and the Department of Defense.