MITRE Presents System of Trust Framework to Address Supply Chain Security Risks

Published by Sabrina Pagnotta on May 26, 2022
Categories
  • Blog
Tags
  • Industry Regulation

The trustworthiness and security of supply chains have been a top concern ever since the high-profile SolarWinds and Log4j incidents, but there is no single, agreed-on way to define or measure them. To that end, MITRE is presenting a prototype framework that defines and quantifies supply chain security risks, including those specific to software.

System of Trust (SoT) is a proposed methodology for evaluating suppliers, supplies, and service providers. It offers a comprehensive, consistent, and repeatable process that can be used by cybersecurity teams and across an organization for assessing a supplier or product.

“With today’s increased focus on the need for trustworthy supply chains, trustworthy partners, and trusted systems globally, a reliable path to an actionable understanding of the risks that can impact trustworthiness is essential.”

MITRE System of Trust

How the Supply Chain Security System of Trust (SoT) Framework Works

According to official documentation, the SoT framework is organized into categories that include suppliers, supplies, and services. It covers 12 top-level decisional risk areas, with 76 risk sub-areas addressed by over 400 detailed questions.

Each risk is scored using data measurements that are applied to a scoring algorithm. The resulting scores identify the strengths and weaknesses of a supplier against the specific risk categories, allowing organizations to quantify and analyze a software supplier’s trustworthiness.

The findings can be used by agencies and enterprises to make choices throughout the full life cycle of their acquisition activities: for example, whether to purchase from a particular entity, and whether to purchase a specific item/part number from that entity.

The ultimate goal of the System of Trust is to organize and integrate existing capabilities that don’t usually work together, to ensure full vetting of software as well as service provider offerings.

Sample questions include:

  • Does a supplier make use of a standard service bill of materials—a list of all the serviceable parts needed to maintain an asset while it’s in operation? 
  • Is the supplier using high assurance and integrity capabilities to track where software “supplies/components” came from, who crafted them, and whether it is verified that they have been through the expected assurance and validation steps necessary to address the risk of malicious taint? 

In addition, the framework draws upon numerous validated data repositories to advance a probabilistic risk assessment of the trustworthiness of a product, service, or supplier.

The SoT will make its official public debut at the RSA Conference (RSAC) in San Francisco, where Robert A. Martin, Sr. Software and Supply Chain Assurance Principal Engineer at MITRE, will present it to gather community support and insight.

The project has been receiving feedback for months and will continue to be tried in pilots and real-world applications. The author expects the SoT framework to become the generally accepted framework for supply chain security.

MITRE has been successful at similar endeavors before, by heading up the Common Vulnerabilities and Exposures (CVE) system that identifies known software vulnerabilities and, most recently, creating the ATT&CK framework that maps the common steps threat groups use to infiltrate networks and breach systems.

Extra tool or additional workload?

A common refrain with new supply chain security initiatives, or regulations in general, is an increase in repetitive requests and inquiries from auditors and/or customers. Compliance officers might find themselves answering the same questions already covered by their valid security certifications (e.g. SOC 2, ISO 27001, PCI), having to provide details on how the controls are implemented, or having to fill out new forms.

While it is essential for organizations to assess their suppliers, risk assessments are usually painful and inefficient for both sides.

The good news is most parts of this process can be automated and integrated into the procurement and acquisition process. Questionnaire response solutions like Beacon by ThirdPartyTrust eliminate repetition, decrease friction, and increase oversight and control, by centralizing security documentation in one repository that customers and auditors can review with a self-service approach.

This approach makes it easier to respond to security requests, as compliance officers can customize, review, and update any previous response, as opposed to starting from scratch on every risk assessment. According to ThirdPartyTrust customers, this can reduce the workload of answering security requests by up to 95%, helping teams answer unlimited requests.
