MITRE System of Trust focuses on identifying, assessing supply chain security risks; delivers assessment techniques

Not-for-profit organization MITRE debuted its System of Trust framework to address supply chain security challenges, providing the foundation needed for understanding supply chain risks. The framework will be key to securing ‘robust and resilient’ supply chains, partners, components, and systems that are globally manufactured. It is also aimed at defining, aligning, and addressing the specific concerns and risks that stand in the way of organizations’ trusting suppliers, supplies, and service providers.

The System of Trust effort comprises a Risk Model Manager tool and a community engagement group of 30 members, and aims to build a collaborative community and tooling that can identify and counteract supply chain security risks before they materialize. Building on a free and open platform, the System of Trust draws on the expertise of researchers and organizations; the community will further develop the framework's body of knowledge (BoK) and enhance supply chain security.

The System of Trust Framework is intended to bring a more consistent, scalable, and tailorable approach to discussing, measuring, and managing supply chain security risks for organizations across government and critical infrastructure, building on the MITRE framework and its initial prototype activities and tools. It collects, organizes, and shares a common baseline of the supplier, supply, and service risks an organization may need to consider, and lets organizations conduct assessments in a practical, timely, and cost-efficient manner that focuses on their own needs while allowing for broad adoption, training, and automation.

Using the System of Trust architecture, enterprises across a supply chain can conduct thorough, consistent, and repeatable supply chain security risk assessments that are flexible, evidence-based, and scalable. It also lets organizations within the supply chain have confidence in each other, in service offerings, and in the supplies being delivered.

Most significantly, the framework offers a thorough, uniform, and repeatable process, based on MITRE's decades of supply chain security experience, for analyzing suppliers, goods, and service providers alike, with deep insight into the complex challenges facing the procurement community of interest and broad knowledge of the relevant thinking in literature and standards.

“As aligned to our whole-of-nation approach, the MITRE System of Trust community brings together not only major chip manufacturers and IT and OT companies but also representation from financial, energy, defense, and telecom industries, as well as from government and industry associations,” Yosry Barsoum, vice president and director, Center for Securing the Homeland at MITRE, said in a media statement. “We are helping all parts of the supply chain ecosystem better identify their risks and build their resiliency.”

“Identifying supply chain risks that come from supplies, suppliers, service providers, etc., is a complex challenge due to the complex nature of modern supply chains,” according to Wen Masters, vice president, cyber technologies at MITRE. “There is a need for a common depiction of the risks and for modeling and managing the risks. We are beginning to address this complex challenge with our System of Trust framework and with the community engagement group.”

The goal of the System of Trust is to offer a comprehensive and consistent methodology that can be tailored to meet industry and company needs to address supply chain security issues, leading to better traceability, reliability, and security of supply chains.

MITRE's experience, investigations, and discussions with stakeholders in government, industry, and academia have led to the identification of several key elements needed to reach the System of Trust's goal.

These elements include having a common taxonomy of supply chain risks for suppliers, supplies, and services, creating consistent supply chain security assessments and risk discussions, informing data-driven decisions about supply chain risks, and supplying a broad understanding of the available sources for supply chain risk assessment information. It also covers supporting and promoting the use of automation, providing for cost-efficient assessments, and establishing pathways for broad adoption and training of supply chain security practices across diverse communities.

The System of Trust Framework builds a basis of trust by identifying the three main trust aspects of supply chain security—suppliers, supplies, and services—then identifying and addressing the 14 top-level decisional risk areas under them, typically associated with trust, that agencies and enterprises must evaluate and make choices about during the full life cycle of their acquisition activities. Drawing on MITRE's expertise, industry efforts, and government research, the framework drills down into these 14 top-level risk areas and investigates over 200 risk sub-areas through a combination of over 1,200 risk factors and detailed risk measurement questions.

In addition, the framework draws upon numerous validated data repositories to advance a probabilistic risk assessment of the trustworthiness of a product, service, or supplier. System of Trust guides the user through a series of questions that ‘refine’ the specific risks and sub-risks for their specific use cases and user environments. It can also leverage predefined profiles for a specific use case or user environment. The result of these assessments is scored for trustworthiness.

The four overarching components of the System of Trust Framework, which are accessed using its Risk Model Manager web app (currently in beta), are the BoK, assessment, scoring, and customization. Together they allow repeatable use of a comprehensive and consistent BoK of risk concerns, structured from top-level risk categories, to risk sub-categories, to specific risk factors, and down to explicit, concrete risk measure questions, to address any specific organizational or localized area of interest.

The Risk Model Manager supports viewing System of Trust content, building and editing that content, tailoring the scope of the content to be used and its scoring weights, conducting an assessment, and exporting System of Trust content (either the full set or a tailored sub-set) as a spreadsheet for viewing or for assessment elsewhere.

The System of Trust BoK includes all predefined profiles and the entire set of yes/no questions used in System of Trust assessments. Which profiles or questions are used depends on the user's selections. Information sources will be provided for each risk, when known, to help the user determine whether the risk is present or not. Other useful information may be added over time.

Each System of Trust assessment begins by selecting a predefined profile or answering a few scoping questions that narrow the System of Trust content to something appropriate for the product, service, or supplier in question. The subset is then aligned to the assessing organization's assessment focus, resources, available time, and legal authorities, and to its present acquisition challenge. During the evaluation, subject-specific questions are posed to establish the presence or absence of individual aspects of concern and to align with best practices from government and industry.

Risks are scored using a set of contextually driven, tailorable, weighted measurements that are used as inputs into a scoring algorithm. The scoring results are then used to identify supplier strengths and weaknesses against the applicable risk categories, enabling an acquirer to analyze and evaluate one or more suppliers’ relative ‘trustworthiness’ for supplying components or services.

Lastly, MITRE addressed customization. The System of Trust has been designed for usability, and it can be customized for specific use cases and user environments during both the assessment and the risk-scoring activities.
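To make the assessment-and-scoring workflow described above concrete (a hierarchical body of knowledge of yes/no risk-measure questions, a profile that tailors scope and weights, weighted scoring per risk category, supplier comparison, and spreadsheet export), here is an added Python sketch written for this page. It is hypothetical example code, not MITRE's Risk Model Manager or its scoring algorithm; the risk areas, question IDs, weights, sources and answers in it are constructed for illustration.

```python
"""Illustrative hierarchical supply chain risk model: tailorable scope and weights,
yes/no assessment, weighted scoring, ranking and CSV export.
Hypothetical sketch; not MITRE System of Trust content or its algorithm."""
from __future__ import annotations
import csv
import io
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RiskMeasure:
    """One concrete yes/no risk-measure question at the leaf of the hierarchy.
    A 'yes' (True) answer means the risk indicator is present."""
    id: str
    category: str        # top-level risk area (constructed names)
    subarea: str         # risk sub-area
    factor: str          # risk factor
    question: str
    weight: float = 1.0  # default weight; a profile may override it
    sources: tuple[str, ...] = ()  # where an assessor might look for evidence


# Constructed sample BoK (six questions; a real model would be far larger).
BOK = [
    RiskMeasure("S-OWN-1", "Supplier", "Ownership", "Foreign control",
                "Is the supplier majority-owned outside the acquirer's jurisdiction?",
                2.0, ("corporate registry",)),
    RiskMeasure("S-FIN-1", "Supplier", "Financial stability", "Solvency",
                "Has the supplier reported a going-concern doubt in the last two years?",
                1.5, ("audited financial statements",)),
    RiskMeasure("P-INT-1", "Supplies", "Integrity", "Provenance",
                "Are firmware images delivered without a verifiable signature?",
                2.0, ("release notes", "signature check")),
    RiskMeasure("P-INT-2", "Supplies", "Integrity", "Component sourcing",
                "Does the product contain components from unvetted sub-tier suppliers?",
                1.0, ("SBOM/HBOM",)),
    RiskMeasure("V-ACC-1", "Services", "Access", "Privileged access",
                "Does the provider hold standing admin access to acquirer systems?",
                2.0, ("contract", "IAM configuration")),
    RiskMeasure("V-ACC-2", "Services", "Access", "Data handling",
                "Is acquirer data processed in facilities the acquirer has not assessed?",
                1.0, ("data-flow diagram",)),
]


@dataclass
class Profile:
    """Tailors scope (which categories are in play) and per-measure weight overrides."""
    name: str
    categories: frozenset[str]
    weight_overrides: dict[str, float] = field(default_factory=dict)

    def scope(self, bok: list[RiskMeasure]) -> list[RiskMeasure]:
        return [m for m in bok if m.category in self.categories]

    def weight(self, m: RiskMeasure) -> float:
        return self.weight_overrides.get(m.id, m.weight)


def score(profile: Profile, bok: list[RiskMeasure], answers: dict[str, bool]) -> dict[str, float]:
    """answers maps measure id -> True (risk present) / False (absent).
    Returns the weighted share of present risks per category plus 'overall'.
    An in-scope measure with no answer is treated as present (conservative default)."""
    per_cat: dict[str, list[float]] = {}
    for m in profile.scope(bok):
        w = profile.weight(m)
        entry = per_cat.setdefault(m.category, [0.0, 0.0])  # [present weight, total weight]
        if answers.get(m.id, True):
            entry[0] += w
        entry[1] += w
    result = {c: round(n / d, 3) for c, (n, d) in per_cat.items() if d}
    total_present = sum(n for n, _ in per_cat.values())
    total_weight = sum(d for _, d in per_cat.values())
    result["overall"] = round(total_present / total_weight, 3) if total_weight else 0.0
    return result


def rank(profile: Profile, bok: list[RiskMeasure], candidates: dict[str, dict[str, bool]]) -> list[str]:
    """Order candidate suppliers by ascending overall risk share (lower = more trustworthy)."""
    return sorted(candidates, key=lambda name: score(profile, bok, candidates[name])["overall"])


def export_csv(profile: Profile, bok: list[RiskMeasure]) -> str:
    """Export the tailored sub-set, with effective weights, as spreadsheet-style CSV."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["id", "category", "subarea", "factor", "question", "weight", "sources"])
    for m in profile.scope(bok):
        writer.writerow([m.id, m.category, m.subarea, m.factor, m.question,
                         profile.weight(m), "; ".join(m.sources)])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed profile: a hardware acquisition that cares about suppliers and supplies only,
    # and weights unsigned firmware more heavily than the BoK default.
    hw = Profile("hardware-acquisition", frozenset({"Supplier", "Supplies"}), {"P-INT-1": 3.0})
    vendor_a = {"S-OWN-1": False, "S-FIN-1": False, "P-INT-1": True, "P-INT-2": False}
    print(score(hw, BOK, vendor_a))
    print(export_csv(hw, BOK))
```

The scoping step is what keeps an assessment proportionate: out-of-scope categories contribute nothing, while a missing answer inside scope counts against the supplier rather than silently improving the score.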

In February, MITRE released its 2023 ATT&CK roadmap with key efforts planned for the year ahead, ranging from ICS (industrial control systems) assets to more Linux coverage and ATT&CKcon 4.0. In 2023, the focus will be on targeted growth and integration. The organization will work on maintaining framework stability as it builds out content and structure while expanding the scope of some of ATT&CK's current platforms.
