MITRE System of Trust Framework for Supply Chain Security

mitre system of trust

Supply chain security has been a top concern for risk management leaders ever since the high-profile attacks to SolarWinds and Log4j took place. While there's no one-size-fits-all way to identify, assess, and manage cyber risks in the supply chain, MITRE's System of Trust Framework offers a comprehensive, consistent, and repeatable methodology for evaluating suppliers, supplies, and service providers alike.

System of Trust (SoT) builds a basis of trust by identifying the three main trust aspects of supply chain security—suppliers, supplies, and services—then identifying and addressing the 14 top-level decisional risk areas under them that organizations must evaluate during the full life cycle of their acquisition activities.

“We believe SoT is the foundation needed for understanding supply chain risks and that it will be the key to securing robust and resilient supply chains, trustworthy partners, and trusted components and systems that are globally manufactured.”

MITRE

How the Supply Chain Security System of Trust (SoT) Framework Works

According to official documentation, the SoT framework is organized into categories that include suppliers, supplies, and services. It drills down into 14 top-level risk areas and investigates over 200 risk sub-areas by addressing a combination of over 1,200 risk factors and detailed risk measurement questions.

Each risk is scored using data measurements that are applied to a scoring algorithm. The resulting scores identify the strengths and weaknesses of a supplier against the specific risk categories, allowing organizations to quantify and analyze a software supplier’s trustworthiness.

The goal is to enable an organization acquiring software or services to make an informed decision about whether to purchase from a particular entity, and whether to purchase a specific item or part number from that entity.

Assessments begin with general scoping questions, followed by subject-specific questions about the presence (or absence) of important security best practices endorsed by both government and industry.

Questions are related to the supplier’s reliability from multiple angles, ranging from financial stability to organizational stature, external influence, and maliciousness, including organizational security.

Sample questions include:

  • Does a supplier make use of a standard service bill of materials—a list of all the serviceable parts needed to maintain an asset while it’s in operation? 
  • Is the supplier using high assurance and integrity capabilities to track where software “supplies/components” came from, who crafted them, and whether it is verified that they have been through the expected assurance and validation steps necessary to address the risk of malicious taint? 

In addition, the framework draws upon numerous validated data repositories to advance a probabilistic risk assessment of the trustworthiness of a product, service, or supplier.

While still in a prototype phase, MITRE SoT is a wide-ranging supply risk evaluation framework that covers both physical and digital threats. Combined with cyber risk management solutions for supply chain visibility, the framework intends to cover the software supply chain risk assessment in detail.

MITRE has been successful at similar endeavors before, by heading up the Common Vulnerabilities and Exposures (CVE) system that identifies known software vulnerabilities and, most recently, creating the ATT&CK framework that maps the common steps threat groups use to infiltrate networks and breach systems.