Cloud-based System of Trust application now available for test-driving quantitative risk assessment of suppliers of hardware, software, services.


MITRE has quietly released a cloud-based prototype platform for its new System of Trust (SoT) framework that defines and quantifies risks and cybersecurity concerns for the supply chain.

The so-called Risk Model Manager (RMM) platform is now available for organizations to assess supply chain risk and security, as well as to view, edit, and customize the SoT framework content, or export it for use as a subset framework. MITRE first debuted the SoT framework concept at the 2022 RSA Conference (RSAC), and it will officially announce the RMM prototype platform next month at RSAC 2023 in San Francisco.

Software supply chain risk and security received a loud wake-up call after high-profile incidents like the SolarWinds compromise and the Log4j vulnerability painfully punctuated the dangers of threat actors compromising vendors' software, or exploiting flaws in widely used components, and in turn compromising customers' software installations. To date there has been no common, agreed-upon way to define or measure these risks. Enter MITRE's SoT, a framework intended to provide a standard way to evaluate suppliers, service providers, and supplies, one that cybersecurity teams and other parts of the business can use when assessing a vendor or a software product.

The SoT framework, delivered through the RMM as a cloud-native app hosted on AWS, is centered around 14 top-level risk areas related to suppliers, service providers, and supplies, including the financial stability and cybersecurity practices of the supplier, as well as the risk of counterfeit or compromised products. These risk categories are then used to evaluate a supplier or product during the acquisition process, digging into detailed questions such as how a supplier tracks and ensures the security of third-party software components used in its product.

"The System of Trust is very appealing because it gives a structure that's more comprehensive, well laid-out, and explains what kinds of risks" you have in your supply chain, in detail, explains Robert Martin, senior software and supply chain assurance principal engineer at MITRE Labs. That goes beyond traditional risk measurement and assessment tools, he notes.

There are some 40 organizations currently involved in shaping the SoT platform, which now includes some 660 specific supply chain categories and risk factors. MITRE is gathering input to flesh out the tool from businesses with supply chains, supply chain security vendors, and standards groups that touch some elements of supply chain operations. Among some of the big name members of the SoT community are Microsoft, BlackBerry, CISA, Cisco, Dell Technologies, Intel, Mastercard, NASA, Raytheon, Schneider Electric, Siemens, and The Open Group.

SoT is yet another project by MITRE that builds a reference framework for the cybersecurity industry: its wildly popular ATT&CK framework, for instance, maps the common steps threat groups use to infiltrate networks and breach systems, while its newer D3FEND model specifies a common way to define defensive capabilities and technologies. But SoT provides a wider lens of risk than just cybersecurity — factoring in financial, quality, and integrity risk as well, for example.

"The big thing they have here is they are doing what they have done with ATT&CK and D3FEND: provide a common language for everyone to use when we are talking about not only the position in the chain but the specific vulnerabilities or attack methods and defenses," says Curt Franklin, principal analyst for enterprise security management at Omdia.

Franklin says MITRE's pedigree with its other cybersecurity programs should help propel the SoT, but wide adoption likely will take time. "I can imagine some of the third-party risk assessment [vendors] building SoT into their products like they build FAIR [Factor Analysis of Information Risk] or ATT&CK into theirs," Franklin says. "I think the odds are good that [SoT] will be more widely adopted. I think the odds are just as good that it will take a while."

That's because there still are multiple ways to define and measure risk in cybersecurity, and no two models work together, he says. "It's very difficult to say how my risk posture compares to my peers in the industry. What something like this does is provide a particular framework for some common quantification of risk."

How SoT Works

Each risk item in the RMM is scored from data measurements that are fed into a scoring algorithm. The resulting scores show where a supplier is strong or weak against specific risk categories, which lets a business quantitatively assess the security risk of a software vendor or its product.
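The article does not describe the RMM's actual scoring algorithm, so the following is an added illustrative example, not MITRE's code or data model, of the general shape such quantitative scoring takes: each risk factor is measured on its own scale, normalized so that 1 means highest risk, weighted into a top-level risk area, and rolled up to a supplier score. Unanswered questions are reported as lost coverage rather than silently counted as zero risk, which is the failure mode a practitioner most wants to avoid in a questionnaire-driven assessment. The area names, factors, weights, scales, and sample supplier answers are all constructed assumptions.

```python
"""Illustrative hierarchical supplier risk scoring.

Added example, not MITRE's System of Trust scoring algorithm or RMM data
model. Every area name, factor, weight, scale and supplier answer below is a
constructed assumption used only to show the shape of such a calculation.
"""
from dataclasses import dataclass, field


@dataclass
class RiskFactor:
    name: str
    weight: float            # relative weight within its parent risk area
    scale_max: float         # upper bound of the raw measurement scale
    higher_is_riskier: bool  # True for counts of bad events, False for maturity levels


@dataclass
class RiskArea:
    name: str
    weight: float            # relative weight among top-level areas
    factors: list = field(default_factory=list)


def normalize(factor: RiskFactor, value: float) -> float:
    """Map a raw measurement onto 0..1 where 1 is the highest risk."""
    if value < 0:
        raise ValueError(f"{factor.name}: measurement must be non-negative")
    ratio = min(value, factor.scale_max) / factor.scale_max  # clamp to the scale
    return ratio if factor.higher_is_riskier else 1.0 - ratio


def score_area(area: RiskArea, measurements: dict) -> tuple:
    """Weighted mean of normalized factor risks plus a coverage ratio.

    Unanswered factors are excluded from the mean and reported as lost
    coverage rather than silently scored as zero risk.
    """
    total_w = answered_w = acc = 0.0
    for f in area.factors:
        total_w += f.weight
        value = measurements.get(f.name)
        if value is None:
            continue
        acc += f.weight * normalize(f, value)
        answered_w += f.weight
    score = acc / answered_w if answered_w else None
    coverage = answered_w / total_w if total_w else 0.0
    return score, coverage


def score_supplier(model: list, measurements: dict) -> dict:
    """Roll area scores up to one supplier score and rank areas, riskiest first."""
    areas, acc, used_w = {}, 0.0, 0.0
    for area in model:
        score, coverage = score_area(area, measurements)
        areas[area.name] = {"score": score, "coverage": coverage}
        if score is not None:
            acc += area.weight * score
            used_w += area.weight
    ranked = sorted((n for n, d in areas.items() if d["score"] is not None),
                    key=lambda n: areas[n]["score"], reverse=True)
    return {"overall": acc / used_w if used_w else None,
            "areas": areas, "weakest_first": ranked}


# Constructed model: three of the many possible top-level areas.
SAMPLE_MODEL = [
    RiskArea("Supplier cybersecurity practices", 0.5, [
        RiskFactor("third_party_component_tracking", 2, 4, False),  # maturity 0..4
        RiskFactor("days_to_patch_critical", 1, 90, True),          # days, capped at 90
        RiskFactor("vuln_disclosure_program", 1, 1, False),         # 0 = none, 1 = exists
    ]),
    RiskArea("Supplier financial stability", 0.2, [
        RiskFactor("years_operating", 1, 20, False),
        RiskFactor("credit_rating_grade", 1, 4, False),             # 0 = worst, 4 = best
    ]),
    RiskArea("Supply integrity", 0.3, [
        RiskFactor("counterfeit_incidents_3y", 2, 5, True),
        RiskFactor("tamper_evident_packaging", 1, 1, False),
    ]),
]

# Constructed answers for one fictitious supplier; credit rating left unanswered.
SAMPLE_MEASUREMENTS = {
    "third_party_component_tracking": 1,
    "days_to_patch_critical": 45,
    "vuln_disclosure_program": 1,
    "years_operating": 10,
    "counterfeit_incidents_3y": 0,
    "tamper_evident_packaging": 0,
}


def assess_sample() -> dict:
    return score_supplier(SAMPLE_MODEL, SAMPLE_MEASUREMENTS)


if __name__ == "__main__":
    result = assess_sample()
    print(f"overall risk: {result['overall']:.2f}")
    for name in result["weakest_first"]:
        d = result["areas"][name]
        print(f"  {name}: risk {d['score']:.2f}, coverage {d['coverage']:.0%}")
```

The coverage figure is the part worth carrying into a real assessment: a supplier that scores well on the questions it answered but left half of an area blank should be read as "unknown", not "low risk", and the ranking should be taken together with that gap.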

One of the organizations working closely on the project is Schneider Electric, whose vice president of supply chain security, Cassie Crossley, will join Martin in an RSAC 2023 session on SoT called "Creating the Standard for Supply Chain Risk — MITRE's System of Trust." Crossley says Schneider has multiple, comprehensive supply chain risk assessment processes currently in place across different parts of the company, and Schneider plans to provide input and feedback to the SoT based on its own requirements and metrics.

"We would want to work with those teams [across Schneider] to identify some areas where we can provide suggestions and also see how we can better align or sort of adopt more of the [SoT] framework," Crossley says. "I don't know yet if we will have a full, 'hey, we are 100% SoT.' But we would make our own processes and identify areas where we want to incorporate more of a structure" for supply chain risk assessment, she says.

For Schneider, supply chain risk and security issues apply both to its own products and ones it buys for internal use, including the "third and fourth parties we work with," she says. She sees SoT possibly helping with visibility into risks associated with "upstream" suppliers that aren't typically part of a supplier evaluation process.

"I think by using SoT, if it could become a common model for a lot, we can get those answers faster for those upstream" suppliers, she says, if an organization can ask vendors to map it to their upstream suppliers.

MITRE's Open Source Plan

Martin says the main challenges for SoT to become the go-to standard for supply chain assessments are enough bandwidth to expand the project as it catches on, as well as getting the word out to avoid duplication of effort. "I'm worried about people not being aware of this and off trying to solve something that overlaps. We are making sure people are aware" and can help contribute to SoT, he says.

MITRE plans to offer RMM as an open source tool when it's fully baked. For now, Martin says, organizations can use it to assist MITRE in fleshing out the tool itself or for their own internal use. "They can take it offline," he says, "and do an assessment against" the SoT.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
