MITRE's System of Trust (SoT)
System of Trust (SoT) logo of interlocked building blocks

Supply Chain Security


SoT Assessment

SoT assessments are performed using the SoT Risk Model Manager web app prototype that allows users to view, organize, and tailor SoT content, or subset of the content, to an organization’s specific area(s) of concern.

Communicating Results of SoT Assessments

Communicating the findings from a supply chain assessment is something that calls for careful planning and detailed execution. While there are lots of risks to consider when investigating your supplier, the supplies they offer, and services being provided, the key to managing those risks is to understand which ones represent a showstopper if they manifested and which ones would have strong impacts to the organization. Reflecting the potential for impact in the scoring and weighting of the individual risks, as well as in the presentation of the findings from an assessment, is key to providing consistent, usable results that are supported by data. When the data is questionable or incomplete, the uncertainty in the findings must be clearly indicated as a part of the results.

Additionally, the 14 top-level risk areas in SoT are separate areas of risk (7 in suppliers, 3 in supplies, and 4 in services) that do not easily or usefully combine. A healthy and financially stable supplier that has great facilities, personnel, and cyber security does not offset or mitigate the risks to your organization if they consistently deliver tainted, counterfeit, or substandard goods. Results have shown that SoT assessments are best represented in a series of nested Kiviat diagrams (also referred to as radar charts or spider diagrams) with explanatory text that describes the evidence of risk.

As part of the assessment process, the SoT RMM capability supports capturing the information obtained to determine the absence or presence of each particular risk. Given the general lack of historical statistics for supply chain security risks SoT offers measures for the different risk factors so that a series of observations about different aspects of the risk can be substantiated or refuted. Collectively these measures can be used to convey whether the risk in question is present to a degree that requires mitigation or avoidance.

The scoring mechanisms in SoT support a running evaluation of the top-level and underlying risk categories that show the number of risks assessed out of the total in scope for the assessment. This gives a measure of the completeness of the assessment and the range of possible final scores, from lowest to highest, once the remaining risks are assessed.

Learn More

For more information, please contact us.