ISO IEC 20243-1-2023 PDF

St ISO IEC 20243-1-2023

Name in English:
St ISO IEC 20243-1-2023

Name in Russian:
St ISO IEC 20243-1-2023

Description in English:

Original standard ISO IEC 20243-1-2023 in PDF, full version. Additional information and a preview are available on request.

Description in Russian:
Original standard ISO IEC 20243-1-2023 in PDF, full version. Additional information and a preview are available on request.

Document status:
Active

Format:
Electronic (PDF)

Delivery time (for English version):
1 business day

Delivery time (for Russian version):
365 business days

SKU:
stiso25289

Choose Document Language:
€25

Full title and description

Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Part 1: Requirements and recommendations for mitigating maliciously tainted and counterfeit products. This document (ISO/IEC 20243-1:2023, edition 2) provides requirements and recommended practices to reduce the risk of maliciously tainted and counterfeit commercial off‑the‑shelf (COTS) ICT products across a provider’s product life cycle, including design, sourcing, build, fulfillment, distribution, sustainment and disposal.

Abstract

ISO/IEC 20243-1:2023 (O-TTPS Part 1) contains guidelines, mandatory requirements and recommendations aimed at protecting the integrity of hardware and software COTS ICT products against malicious tainting and counterfeiting. The standard focuses on lifecycle activities performed by the provider and provides practical mitigations — for example supplier controls, secure build and delivery practices, traceability and labeling — while acknowledging that some counterfeit activity originating entirely outside a provider’s span of control may not be fully preventable.

General information

  • Status: Published.
  • Publication date: November 2023 (Edition 2).
  • Publisher: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) / ISO/IEC JTC 1.
  • ICS / categories: 13.310; 35.030.
  • Edition / version: Edition 2 (2023).
  • Number of pages: 31 (ISO listing; national publication formats may show different page counts such as 44 depending on formatting).

Scope

The standard specifies requirements and recommendations for mitigating the risks of maliciously tainted and counterfeit COTS ICT products throughout a provider’s product life cycle: design, sourcing, build, fulfillment, distribution, sustainment and disposal. It is aimed at practices a product/provider can reasonably control or influence (supplier selection and oversight, secure build processes, traceability and tamper‑evidence), while recognizing some counterfeit activity may originate beyond a provider’s control.

Key topics and requirements

  • Supply‑chain risk management and supplier assessment, selection and monitoring.
  • Secure design and development controls to reduce tainting opportunities.
  • Secure build, packaging and provisioning practices to protect product integrity.
  • Traceability, labeling and tamper‑evidence measures to detect and deter counterfeiting.
  • Controls for sourcing, procurement and component verification (including counterfeit detection).
  • Incident handling, reporting and corrective actions for tainting or counterfeit incidents.
  • Documentation, records and evidence to support assessments and audits.
  • Alignment with conformance/assessment procedures published in Part 2 of the series.

Typical use and users

This standard is used by ICT product providers (OEMs, ODMs, hardware and software vendors), supply‑chain and procurement teams, product security and quality assurance groups, third‑party assessors and certification bodies, and government or enterprise procurement officers who require demonstrable supply‑chain integrity controls. It is suitable for organizations seeking to reduce risk from tainted or counterfeit products and/or to demonstrate conformance to recognized O‑TTPS requirements.

Related standards

ISO/IEC 20243-1:2023 is part of the O‑TTPS series. The companion document ISO/IEC 20243-2:2023 defines assessment procedures for conformance to the O‑TTPS. Earlier editions (2018) of Part 1 and Part 2 were withdrawn and superseded by the 2023 editions. The standard also aligns conceptually with industry supply‑chain security guidance and conformance programs maintained by the Open Group and related ICT security standards in the ISO/IEC JTC 1 portfolio.

Keywords

O‑TTPS; Open Trusted Technology Provider; supply chain security; counterfeit; maliciously tainted; COTS ICT; product integrity; traceability; tamper‑evidence; conformance assessment; supplier assurance.

FAQ

Q: What is this standard?

A: ISO/IEC 20243-1:2023 is Part 1 of the Open Trusted Technology Provider™ Standard (O‑TTPS). It specifies requirements and recommendations for mitigating maliciously tainted and counterfeit COTS ICT products.

Q: What does it cover?

A: It covers lifecycle‑oriented controls and recommended practices (design, sourcing, build, fulfillment, distribution, sustainment and disposal) to reduce the risk of tainted or counterfeit products reaching customers, including supplier controls, secure build processes, traceability, labeling and incident handling.

Q: Who typically uses it?

A: ICT product manufacturers and suppliers (OEMs/ODMs), software vendors, procurement and supply‑chain teams, security and quality assurance groups, assessors and certification bodies, and contracting authorities that require supply‑chain integrity assurances.

Q: Is it current or superseded?

A: This document is current: Edition 2 was published in 2023 and supersedes the 2018 edition. The 2018 editions of Part 1 and Part 2 were withdrawn when the 2023 revisions were published.

Q: Is it part of a series?

A: Yes — it is Part 1 of the ISO/IEC 20243 (O‑TTPS) series. Part 2 (ISO/IEC 20243-2:2023) contains assessment procedures and conformance guidance.

Q: What are the key keywords?

A: Key keywords include O‑TTPS, Open Trusted Technology Provider, supply‑chain security, counterfeit, tainted products, COTS ICT, traceability, tamper‑evidence and conformance assessment.