The trustworthiness and security of supply chains has been a top concern ever since the high-profile attacks to SolarWinds and Log4j took place, but there is no single, agreed-on way to define or measure it. To that end, MITRE is presenting a prototype framework that defines and quantifies risks and supply chain security concerns, including software.
System of Trust (SoT) is a proposed methodology for evaluating suppliers, supplies, and service providers. It offers a comprehensive, consistent, and repeatable process that can be used by cybersecurity teams and across an organization for assessing a supplier or product.
According to official documentation, the SoT framework is organized into categories that include suppliers, supplies, and services. It covers 12 top-level decisional risk areas, with 76 risk sub-areas addressed by over 400 detailed questions.
Each risk is scored using data measurements that are applied to a scoring algorithm. The resulting scores identify the strengths and weaknesses of a supplier against the specific risk categories, allowing organizations to quantify and analyze a software supplier’s trustworthiness.
The findings can be used by agencies and enterprises to make choices during the full life cycle of their acquisition activities. For example, whether to purchase from a particular entity, and whether to purchase a specific item/part number from that entity.
The ultimate goal of the System of Trust is to organize and integrate existing capabilities that don’t usually work together, to ensure full vetting of software as well as service provider offerings.
Sample questions include:
In addition, the framework draws upon numerous validated data repositories to advance a probabilistic risk assessment of the trustworthiness of a product, service, or supplier.
The SoT will make its official public debut at the RSA Conference (RSAC) in San Francisco, where Robert A. Martin, Sr. Software and Supply Chain Assurance Principal Engineer at MITRE will present it to gather community support and insight.
The project has been receiving feedback for months and will continue to be tried in pilots and real-world applications. The author expects the SoT framework to become the generally accepted framework for supply chain security.
MITRE has been successful at similar endeavors before, by heading up the Common Vulnerabilities and Exposures (CVE) system that identifies known software vulnerabilities and, most recently, creating the ATT&CK framework that maps the common steps threat groups use to infiltrate networks and breach systems.
A common refrain with new supply chain security initiatives, or regulations in general, is an increase in repetitive requests and inquiries by auditors and/or customers. Compliance officers might find themselves answering the same questions shown in their valid security certifications (i.e. SOC 2, ISO 270001, PCI, etc.), or having to provide details on “how” the controls are implemented, or having to fill out new forms.
While utterly important for organizations to assess their suppliers, risk assessments are usually painful and inefficient for both sides.
The good news is most parts of this process can be automated and integrated into the procurement and acquisition process. Questionnaire response solutions like Beacon by ThirdPartyTrust eliminate repetition, decrease friction, and increase oversight and control, by centralizing security documentation in one repository that customers and auditors can review with a self-service approach.
This approach makes it easier to respond to security requests, as compliance officers can customize, review, and update any previous response, as opposed to starting from scratch on every risk assessment. According to ThirdPartyTrust customers, this can reduce the workload of answering security requests by up to 95%, helping teams answer unlimited requests.
If your business spends hours each week responding to vendor risk assessment requests, we can help you reduce the time spent answering questionnaires in order to close deals faster.
Learn how to automate the most common questionnaire responses, how to quickly share results of SIG Lite, pen tests, etc., and how to simplify the entire process from NDA to close.
|cookielawinfo-checkbox-analytics||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".|
|cookielawinfo-checkbox-functional||11 months||The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".|
|cookielawinfo-checkbox-necessary||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".|
|cookielawinfo-checkbox-others||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.|
|cookielawinfo-checkbox-performance||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".|