The ability to customize SoT is extremely important. Each SoT assessment begins by selecting a predefined profile or by answering a few scoping questions that narrow the SoT content down to something appropriate to the product, service, or supplier in question. The interests of a specific assessment may focus on the supplier, a specific item, the legal authorities that the assessing organization is under, or a combination of these elements. Users may tailor the SoT assessment process either by answering yes/no questions or by selecting profiled subsets of an overarching risk map for investigation in each assessment. The results of this analysis can be the basis for a “trustworthiness” discussion with a supplier, or a basis for mitigation requirements levied on the supplier to address supply chain risk. We envision a variety of profiles being created over time and plan to roll them into the baseline SoT Body of Knowledge (BoK) so that users can reuse them and, if they so choose, share them for community use.

The SoT Risk Model Manager (RMM) cloud app prototype will allow an organization to tailor the SoT to just those select areas of concern the organization feels are most useful for its decision making, and will support tuning the weights and combinatorial mechanisms used to combine the individual answers into an overall trustworthiness finding. While the current instantiations of the RMM are native to Amazon Web Services (AWS) environments, the architecture and components of the RMM technical platform can form the basis of versions usable in other cloud or non-cloud container environments. To foster broad adoption and understanding of how the SoT functions, MITRE will be providing a functional copy of the SoT RMM capability for public usage on the SoT website. Since evaluating products and services for specific risks can quickly become sensitive, the version of RMM provided will only allow for viewing the SoT BoK and selecting or creating a profile of the BoK. A spreadsheet export capability will provide a mechanism for downloading the resultant subset of the SoT BoK for evaluation on an organization’s own systems, where it can protect the assessment appropriately.
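The workflow described in the two paragraphs above (pick a profile or answer scoping questions, tailor the risk map to a subset, answer yes/no questions against that subset, combine the answers with tunable weights, and export the subset for offline evaluation) can be made concrete with a small model. The following is an added illustration, not MITRE's SoT BoK or RMM code: the risk factors, identifiers, categories, profiles, scoping questions, weights, and the two combinators (`weighted_mean`, `weighted_max`) are all constructed for this example, and the real SoT BoK content and RMM scoring mechanism are not described on this page.

```python
"""Toy risk-map tailoring and scoring illustrating the profile / scoping /
weighting / export workflow. Constructed example; not MITRE's SoT BoK or RMM."""
from dataclasses import dataclass
import csv
import io


@dataclass(frozen=True)
class RiskFactor:
    factor_id: str   # hypothetical identifier, not a real SoT BoK id
    category: str    # area of concern the factor belongs to
    question: str    # yes/no question; "yes" (True) means the risk is present
    weight: float    # default importance, tunable per assessment


# Constructed risk map: made-up factors standing in for the SoT BoK.
RISK_MAP = [
    RiskFactor("S1", "supplier", "Is the supplier's ownership structure opaque?", 3.0),
    RiskFactor("S2", "supplier", "Has the supplier had an unresolved breach in 24 months?", 2.0),
    RiskFactor("P1", "product", "Does the product embed unsupported components?", 2.0),
    RiskFactor("P2", "product", "Is the product's update channel unauthenticated?", 1.0),
    RiskFactor("L1", "legal", "Is the supplier outside the assessor's legal jurisdiction?", 4.0),
    RiskFactor("V1", "service", "Does the service lack a documented incident process?", 1.0),
]

# Predefined profiles: named subsets of risk-map categories (constructed).
PROFILES = {
    "supplier-baseline": {"supplier", "legal"},
    "product-only": {"product"},
    "full": {"supplier", "product", "legal", "service"},
}

# Scoping questions: a "yes" answer switches a category into the assessment.
SCOPING = {
    "assessing_a_supplier": "supplier",
    "assessing_a_product": "product",
    "assessing_a_service": "service",
    "cross_jurisdiction": "legal",
}


def categories_from_scoping(answers):
    """Map yes/no scoping answers to the set of categories to include."""
    return {SCOPING[q] for q, yes in answers.items() if yes and q in SCOPING}


def tailor(categories, risk_map=RISK_MAP):
    """Return the subset of the risk map belonging to the selected categories."""
    return [f for f in risk_map if f.category in categories]


def score(tailored, answers, weight_overrides=None, combinator="weighted_mean"):
    """Combine yes/no answers for the tailored factors into one risk number in [0, 1].

    answers: factor_id -> True (risk present) / False (risk absent). Unanswered
    factors are left out of the calculation and listed in 'unanswered' so that a
    gap in coverage is visible rather than silently treated as "no risk".
    weight_overrides: factor_id -> weight, replacing the default for this assessment.
    combinator: 'weighted_mean' (share of in-scope weight that is at risk) or
    'weighted_max' (heaviest single risk present, relative to the heaviest factor).
    """
    overrides = weight_overrides or {}
    answered = [f for f in tailored if f.factor_id in answers]
    unanswered = [f.factor_id for f in tailored if f.factor_id not in answers]
    weights = {f.factor_id: overrides.get(f.factor_id, f.weight) for f in answered}
    at_risk = [f for f in answered if answers[f.factor_id]]
    if not answered:
        value = 0.0
    elif combinator == "weighted_mean":
        value = sum(weights[f.factor_id] for f in at_risk) / sum(weights.values())
    elif combinator == "weighted_max":
        worst = max((weights[f.factor_id] for f in at_risk), default=0.0)
        value = worst / max(weights.values())
    else:
        raise ValueError(f"unknown combinator: {combinator}")
    return {"risk": round(value, 4), "answered": len(answered), "unanswered": unanswered}


def export_csv(tailored):
    """Serialize the tailored subset as CSV text (blank answer column) for
    completion on the assessing organization's own systems."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["factor_id", "category", "question", "weight", "answer"])
    for f in tailored:
        writer.writerow([f.factor_id, f.category, f.question, f.weight, ""])
    return buf.getvalue()


if __name__ == "__main__":
    subset = tailor(PROFILES["supplier-baseline"])
    print(score(subset, {"S1": True, "S2": False, "L1": False}))
    print(score(subset, {"S1": True, "S2": False, "L1": False}, combinator="weighted_max"))
    print(export_csv(subset))
```

The design point worth noticing is that the two places where an organization tunes the result, the weight overrides and the choice of combinator, are explicit parameters rather than hidden constants, and that unanswered factors are reported instead of being folded into the score; both are what make a tailored finding defensible in a later discussion with the supplier.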

