
MITRE has released a cloud-based prototype platform called Risk Model Manager (RMM) for its new System of Trust (SoT) framework, which defines and quantifies risks and cybersecurity concerns for the supply chain.
The RMM enables organizations to assess supply chain risk and security, as well as to view, edit, and customize the SoT framework content, or export it for use as a subset framework. The SoT framework concept first debuted at the 2022 RSA Conference (RSAC), and MITRE will officially announce the RMM prototype platform next month at RSAC 2023 in San Francisco.
In the aftermath of the SolarWinds and Log4j incidents, software supply chain risk and security received a loud wake-up call: high-profile attacks showed how threat actors can compromise a vendor's software and, in turn, the customer installations that depend on it. MITRE's SoT is a framework that provides a standard way to evaluate suppliers, service providers, and supplies, and it can be used by cybersecurity teams as well as across the business when assessing a vendor or a software product.
The SoT framework, which is hosted on AWS, is centered on 14 top-level risk areas related to suppliers, service providers, and supplies, including the supplier's financial stability and cybersecurity practices, as well as the risk of counterfeit or compromised products. These risk categories are then used to evaluate a supplier or product during the acquisition process, digging into detailed questions such as how a supplier tracks and ensures the security of the third-party software components used in its product.
Around 40 organizations are currently involved in shaping the SoT platform, which now includes some 660 specific supply chain risk categories and risk factors. MITRE is gathering input to flesh out the tool from businesses that operate supply chains, supply chain security vendors, and standards groups whose work touches elements of supply chain operations.
Members of the SoT community include Microsoft, BlackBerry, CISA, Cisco, Dell Technologies, Intel, Mastercard, NASA, Raytheon, Schneider Electric, Siemens, and The Open Group.
SoT is another MITRE project that builds a reference framework for the cybersecurity industry, following its widely adopted ATT&CK framework. SoT, however, takes a wider lens on risk than cybersecurity alone, factoring in financial, quality, and integrity risk as well.
Each risk item in the RMM is scored using data measurements that are then fed into a scoring algorithm; the resulting scores identify a supplier's strengths and weaknesses. MITRE plans to offer RMM as an open-source tool once it is fully built.