At RSA Conference 2022, MITRE unveiled its new “System of Trust,” a framework to provide a comprehensive, community-driven knowledge base of supply chain security risks and a customizable security-risk assessment process for use by any organization within the supply chain ecosystem.
[Figure: High-level depiction of the System of Trust (SoT) framework]
For the first time, there’s a free and open platform that will help companies identify, discuss, and quantify the risks in major supply chains and with suppliers—including the security concerns posed by software.
“MITRE serves as a trusted adviser to governments and organizations to evaluate the potential risks and vulnerabilities in their systems,” said Robert Martin, senior principal software and supply chain assurance engineer at MITRE. “Now we’re taking what we’ve put into practice for ourselves and our sponsors and making it available to the greater cyber community to help all organizations speak the same language when analyzing cyber and other supply chain threats.”
U.S. supply chains are being stressed and critical shortages are impacting communities across the country, but vital consumer products are not the only vulnerability. Hackers present massive threats, as the costly SolarWinds and Log4j cyberattacks made clear. System of Trust provides a proactive approach to identify and mitigate threats—before they happen.
“At MITRE, we are committed to solving problems for a safer world—ensuring that everyone has access to appropriate risk management tools,” said Wen Masters, vice president, cyber technologies, MITRE. “For over 50 years, MITRE has provided free cyber resources to keep our communities safe. The System of Trust framework continues our progress in that endeavor, allowing for a more secure supply chain so that goods and services can be delivered even in threatened and contested environments.”
The System of Trust includes 14 risk areas that organizations should evaluate during their acquisition and day-to-day activities, and it drills down with more than 2,200 specific supply chain security risk questions, assessing how well each supplier identifies and addresses the integrity and security of software, hardware, services, and the organizations that supply them. Each risk is scored and ranked to identify suppliers’ strengths and weaknesses. The framework provides a common vocabulary of supply chain security risks that can be understood across suppliers, supplies, and services, reducing communication barriers and the potential for misunderstanding.
“System of Trust identifies risks and encourages decision making using a data-driven approach,” added Masters. “MITRE works to bring innovation and data together for the public good, and we’re excited to see how the cyber community utilizes System of Trust to take risk mitigation to the next level.”