MITRE's System of Trust (SoT)
System of Trust (SoT) logo of interlocked building blocks

Supply Chain Security


SoT Body of Knowledge

The tension between seeking the broadest, most inclusive capabilities and resourcing versus servicing needs that are tailored to prioritized requirements, has motivated much of the approach to implementing SoT.

A comprehensive and holistic “body of knowledge (BoK)” describing every supply chain risk from suppliers, supplies, and services available to an organization is unworkable. Instead, a more narrowly defined, yet highly relevant, set of supply chain risks can be effectively evaluated to guide operational choices, activities, and decisions. This enables the SoT to scale and be used in a variety of different industries, organizations, and types of supply chain domains.

SoT hosts this BoK in an automation platform that enables organizations to develop sub-sets of the most relevant of these resources as profiles that can be used to perform assessments in a standardized and consistent fashion — thereby creating opportunities for comparable discussions and assessments of supply chain security issues internally and with external partners.

Interacting with SoT BoK Content

SoT BoK content is developed in a managed data store that can be actively trimmed to an appropriate subset. That subset can be used as the basis of the evaluations and assessments driving decisions and choices. Until now, no known content management capabilities fit the needs for active BoK curation, tailoring, and assessment that could be shared and synchronized appropriately for separate deployments by a variety of organizations.

This challenge resulted in the development of the “Risk Model Manager (RMM)” — a cloud-native capability that provides the core underpinnings for developing a sharable supply chain risk taxonomy that is grounded in industry and government best practices, open-source components, cloud-native services, standards, and policy. The RMM was specifically developed to allow for active tailoring of the BoK into profiled sub-sets for use in assessment activities. While the current instantiations of the RMM are native to Amazon Web Services (AWS) environments, the architecture, and components of the RMM technical platform can form the basis of versions usable in other cloud or non-cloud container environments.

In order to support assessments that leverage subsets of the supplier, supplies, and services risks, each risk must include knowledge of its contribution to a risk scoring approach as well a scoring method that can adjust weighting to differing sets of risks in each profile. Additionally, each must support tailoring of those weights as part of the profile creation. We envision a variety of profiles created over time and plan to roll them into the baseline SoT BoK so that all RMM deployments can leverage them and, if they so choose, to share back for community use.

Finally, to foster broad adoption and understanding of how the SoT functions, MITRE will be providing a functional copy of the SoT RMM capability for public usage on the SoT website. Since evaluating products and services for specific risks can quickly become sensitive, the version of RMM provided will only allow for viewing the SoT BoK and selecting or creating a profile of the BoK. A spreadsheet export capability will provide a mechanism for downloading the resultant sub-set of the SoT BoK for evaluation on an organization’s systems where they can protect the assessment appropriately.

SoT BoK Overview

The current SoT BoK starts with the three (3) top-level aspects of trust — supplier risks, supply risks, and service risks — as shown in Table 1.

Table 1. Supply Chain Security

Risk Category Definition
Supplier Risks Risks related to characteristics of a supplier of supplies (products) or services, including their supply chain, that may potentially impact consumers of those supplies (products) or services.
Supply Risks Risks related to characteristics of a supply (product), including their supply chain provenance and pedigree, that may potentially impact consumers of that supply (product).
Service Risks Risks related to characteristics of a service, including their supply chain provenance and pedigree, that may potentially impact consumers of that service.

These have seven (7), three (3), and four (4) risk categories covering each of them respectively. For suppliers, the top categories of risks are as shown in Table 2 below.

Table 2. Top-Level Risk Categories for Suppliers

Risk Category Definition
Supplier Financial Stability Risks Risks related to characteristics of a supplier of supplies (products) or services, including their supply chain, that may potentially impact consumers of those supplies (products) or services.
Supplier Organizational Security Risks Risks related to characteristics of a supplier’s personnel, facilities, transport, and cyber security capabilities, policies, and practices that affect the potential to resist and withstand malicious actions and the impact on customers.
Supplier Susceptibility Risks related to characteristics of a supplier that affect the likelihood of them being targeted, compromised or otherwise adversely affected by malicious actors.
Supplier Quality Culture Risks Risks related to characteristics of a supplier’s ability to reliably deliver appropriate quality supplies (products) and/or services.
Supplier Organizational Effectiveness Risks Risks related to geographical, geopolitical, structural or operational characteristics of a supplier that affect its potential to operate in an efficacious and resilient manner.
Supplier Ethical Risks Risks related to characteristics of a supplier that could negatively impact its customers, clients, partners, or market through explicit intent, whether internally or externally driven, to violate legal/business norms or to cause harm.
Supplier External Influences Risks related to characteristics of a supplier that make it susceptible to negative influence by external motivations or allegiances. In a nation-state context this is typically an issue of foreign influences and in the commercial context this would typically be a competitor’s influence on a supplier.

The top categories for supplies and services are shown in Tables 3 and 4 below.

Table 3. Top-Level Risk Categories for Supplies

Risk Category Definition
Supply Malicious Taint Risks related to the integrity of a supply (product) introduced through explicit intent, whether internally or externally driven, to violate legal/business norms to cause harm.
Supply Counterfeit Risks related to the authenticity of a supply (product) introduced through explicit intent, whether internally or externally driven, to violate legal/business norms.
Supply Hygiene Risks Risks affecting the ability of a supply (product) to perform as expected. This involves characteristics related to establishing and maintaining the quality, security, resilience, etc., of the supply (product).
Supply Availability Risks Risks related to the availability of a supply (product) or it's sub-components/raw materials.

Table 4. Top-Level Risk Categories for Services

Risk Category Definition
Service Quality Risks Risks related to the quality of a service delivered.
Service Resilience Risks Risks related to the resilience of a service delivered.
Service Security Risks Risks related to the security of a service delivered.
Service Integrity Risks Risks related to the integrity of a service delivered.

Together with the elaborating sub-categories one level down, Figure 1 below illustrates the top of the SoT BoK.

System of Trust (SoT) taxonomy chart showing SoT trust aspects and top-level risk categories

Figure 1. SoT Trust Aspects and Top-Level Risk Categories

Beyond these top-level risk categories, the SoT BoK expands down to the specific risk factors that compose these concern categories. The organization of the taxonomy goes from the common to the specific. For example, the concern for counterfeits is common while the ways of identifying whether counterfeits are in your supply chain are specific to the type of supply item. Detecting counterfeit micro-electronics would have different risk measures than, for example, counterfeit software, handbags, or sushi, yet for those specific businesses that focus on each of these types of products, the need to identify and address their industry’s counterfeit items is critical to their businesses viability. Figure 2 below illustrates the fuller scope of the SoT BoK.

System of Trust (SoT) illustration of the breadth of risks the SoT areas will encompass

(Click to enlarge)

Figure 2. Illustration of the Breadth of Risks the SoT Areas will Encompass

Awareness of Information Sources for Supply Chain Security Insights

Another dimension of SoT’s approach is to establish a broad understanding in the community regarding where information can be found to answer the various questions surrounding supply chain security risks. Some information about specific supply chain risks is readily available from government or other public sources. Examples include public filings, public information on sanctions, news stories on indictments and security issue publications. Other risk questions require access to non-public or proprietary information and can involve resourcing the information directly from the supplier or by assessing the service or item of supply directly.

The ICT SCRM Task Force’s Vendor Template is an example process that answers questions that could be collected directly from a supplier and used to answer SoT risk questions. There are additional risk questions that can be answered by looking at other sources, such as analyses of certifications and accreditations done on an organization, their workforce, facilities, and products. If, for example, an organization has been certified by a trusted 3rd party to have met one of these standards for security practices by their facilities, it would qualify as addressing SoT risk questions on that topic.

Finally, there will be restricted sources of information that could be used to gather insights on some supply chain risks. For government this may include law enforcement resources or information gathered by the intelligence community. In private industry it maybe information from past work with a supplier or service provider. SoT provides for the use of these types of sources as “general research.”

Enabling Collaboration by Extending Access to BoK Content

SoT is exploring a mechanism for conveying examples of all the above as part of the SoT BoK and making them accessible as assessment information sources within the RMM tool itself. SoT is also working to incrementally expand the lists of sources in collaboration with industry and those providing the certifications and information sources. Similar to MITRE’s established compatibility programs for initiatives like Common Vulnerabilities and Exposures (CVE®) and Common Weakness Enumeration (CWE™), the SoT program is establishing a process to allow organizations to share their adoption and use of the SoT taxonomy of risks. This will enable the community at-large to see where market offerings fit into the strategic landscape of supply chain security capabilities and needs.

SoT offers a consistent framework for identifying the scope and nature of issues requiring review and issues that have been addressed. This framework provides the insights necessary to construct the appropriate set of capabilities required to address individualized supply chain security needs.

BoK Sources

Built both from the ground up using individual questions, and from the top down using supply chain risk taxonomies, the SoT initiative compiles a vast collection of past and current supply chain security documentation and work from around the world. It also includes previously identified questions to develop the set of SoT yes/no questions. This work includes collecting, correlating, and mapping 295 supply chain security-related policy, statutory, and regulatory issuances over a span of more than seventy years. These authorities shape and control the legal and governance framework within which acquisitions are conducted and define the transactional elements for what many in government need to do, or are precluded from doing, with respect to suppliers, supplies, and services. In addition, the SoT initiative is arranging unilateral nondisclosure agreements (NDAs) with a variety of industry organizations so they can comfortably share information that can be homogenized and incorporated into the SoT. Such agreements will help enable broad access by many other lines of commerce and areas of economic activity to the SoT and its larger supply chain security context.

Examples of items included in the SoT Knowledgebase includes various documents, individual supply chain security questions, supply chain risk taxonomies, legal concerns, and more.

Specific examples: