|
|
The tension between seeking the broadest, most inclusive capabilities and resourcing versus servicing needs that are tailored to prioritized requirements, has motivated much of the approach to implementing SoT.
A comprehensive and holistic “body of knowledge (BoK)” describing every supply chain risk from suppliers, supplies, and services available to an organization is unworkable. Instead, a more narrowly defined, yet highly relevant, set of supply chain risks can be effectively evaluated to guide operational choices, activities, and decisions. This enables the SoT to scale and be used in a variety of different industries, organizations, and types of supply chain domains.
SoT hosts this BoK in an automation platform that enables organizations to develop sub-sets of the most relevant of these resources as profiles that can be used to perform assessments in a standardized and consistent fashion — thereby creating opportunities for comparable discussions and assessments of supply chain security issues internally and with external partners.
Interacting with SoT BoK Content
SoT BoK content is developed in a managed data store that can be actively trimmed to an appropriate subset. That subset can be used as the basis of the evaluations and assessments driving decisions and choices. Until now, no known content management capabilities fit the needs for active BoK curation, tailoring, and assessment that could be shared and synchronized appropriately for separate deployments by a variety of organizations.
This challenge resulted in the development of the “Risk Model Manager (RMM)” — a cloud-native capability that provides the core underpinnings for developing a sharable supply chain risk taxonomy that is grounded in industry and government best practices, open-source components, cloud-native services, standards, and policy. The RMM was specifically developed to allow for for active tailoring of the BoK into profiled sub-sets for use in assessment activities. While the current instantiations of the RMM are native to Amazon Web Services (AWS) environments, the architecture, and components of the RMM technical platform can form the basis of versions usable in other cloud or non-cloud container environments.
In order to support assessments that leverage subsets of the supplier, supplies, and services risks, each risk must include knowledge of its contribution to a risk scoring approach as well a scoring method that can adjust weighting to differing sets of risks in each profile. Additionally, each must support tailoring of those weights as part of the profile creation. We envision a variety of profiles created over time and plan to roll them into the baseline SoT BoK so that all RMM deployments can leverage them and, if they so choose, to share back for community use.
Finally, to foster broad adoption and understanding of how the SoT functions, MITRE will be providing a functional copy of the SoT RMM capability for public usage on the SoT website. Since evaluating products and services for specific risks can quickly become sensitive, the version of RMM provided will only allow for viewing the SoT BoK and selecting or creating a profile of the BoK. A spreadsheet export capability will provide a mechanism for downloading the resultant sub-set of the SoT BoK for evaluation on an organization’s systems where they can protect the assessment appropriately.
The current SoT BoK starts with the three (3) top-level aspects of trust — suppliers, supplies, and services — as shown in Table 1.
Table 1. Supply Chain Security
| Risk Category | Definition |
|---|---|
| Supplier | Risks related to characteristics of a supplier of products or services, including their supply chain, that may potentially impact consumers of those products or services. |
| Supplies | Risks related to characteristics of supplies (products), including their supply chain provenance and pedigree, that may potentially impact consumers of those products. |
| Services | Risks related to characteristics of services, including their supply chain provenance and pedigree, that may potentially impact consumers of those services. |
These have seven (7), three (3), and four (4) risk categories covering each of them respectively. For suppliers, the top categories of risks are as shown in Table 2 below.
Table 2. Top-Level Risk Categories for Suppliers
| Risk Category | Definition |
|---|---|
| External Influences | Risks related to characteristics of a supplier that affect its potential to be negatively influenced by external motivations or allegiances. In a nation-state context this is typically an issue of foreign influences and in the commercial context this would typically be a competitor’s influence on a supplier. |
| Financial Stability | Risks related to financial health and stability characteristics of a supplier that affect its potential ongoing existence, operation, integrity, growth, technological advancement, and consistent supply/service delivery. |
| Maliciousness | Risks related to characteristics of a supplier that can negatively impact its customers, clients, partners, or market through explicit intent, whether internally or externally driven, to violate legal/business norms or to cause harm. |
| Organizational Security | Risks related to characteristics of a supplier’s personnel, facilities, transport and cyber security capabilities, policies, and practices that affects its potential to resist malicious actions and their impacts on their customers. |
| Organizational Stature | Risks related to geographical, geopolitical, structural, or operational characteristics of a supplier that affect its potential to operate in an efficacious and resilient manner. |
| Quality Culture | Risks related to characteristics of a supplier’s ability to reliably deliver quality supply item(s) and/or service(s). |
| Susceptibility | Risks related to characteristics of a supplier (industry sector, location, customers, etc.) including proactive management of such risks that affect the likelihood of them being targeted, compromised, or otherwise adversely affected by malicious actors causing risk to their customers. |
The top categories for supplies and services are shown in Tables 3 and 4 below.
Table 3. Top-Level Risk Categories for Supplies
| Risk Category | Definition |
|---|---|
| Counterfeit | Risks related to the authenticity of supplies (products) or services. |
| Hygiene | Risks affecting the ability of supplies (products) or services to perform as expected. This involves characteristics related to quality, security, resilience, etc. |
| Malicious Taint | Risks related to the integrity of supplies (products) or services. |
Table 4. Top-Level Risk Categories for Services
| Risk Category | Definition |
|---|---|
| Integrity of the Service Delivered | Risks related to the service being delivered unaltered. |
| Quality of the Service Delivered | Risks related to the service being delivered as specified. |
| Reliability of the Service Delivered | Risks related to the service being delivered consistently. |
| Security of the Service Delivered | Risks related to the service being delivered as expected in the face of malicious action. |
Together with the elaborating sub-categories one level down, Figure 1 below illustrates the top of the SoT BoK.
Figure 1. SoT Trust Aspects and Top-Level Risk Categories
Beyond these top-level risk categories, the SoT BoK expands down to the specific risk factors that compose these concern categories. The organization of the taxonomy goes from the common to the specific. For example, the concern for counterfeits is common while the ways of identifying whether counterfeits are in your supply chain are specific to the type of supply item. Detecting counterfeit micro-electronics would have different risk measures than, for example, counterfeit software, handbags, or sushi, yet for those specific businesses that focus on each of these types of products, the need to identify and address their industry’s counterfeit items is critical to their businesses viability. Figure 2 below illustrates the fuller scope of the SoT BoK.
Figure 2. Illustration of the Breadth of Risks the SoT Areas will Encompass
Another dimension of SoT’s approach is to establish a broad understanding in the community regarding where information can be found to answer the various questions surrounding supply chain security risks. Some information about specific supply chain risks is readily available from government or other public sources. Examples include public filings, public information on sanctions, news stories on indictments and security issue publications. Other risk questions require access to non-public or proprietary information and can involve resourcing the information directly from the supplier or by assessing the service or item of supply directly.
The ICT SCRM Task Force’s Vendor Template is an example process that answers questions that could be collected directly from a supplier and used to answer SoT risk questions. There are additional risk questions that can be answered by looking at other sources, such as analyses of certifications and accreditations done on an organization, their workforce, facilities, and products. If, for example, an organization has been certified by a trusted 3rd party to have met one of these standards for security practices by their facilities, it would qualify as addressing SoT risk questions on that topic.
Finally, there will be restricted sources of information that could be used to gather insights on some supply chain risks. For government this may include law enforcement resources or information gathered by the intelligence community. In private industry it maybe information from past work with a supplier or service provider. SoT provides for the use of these types of sources as “general research.”
SoT is exploring a mechanism for conveying examples of all the above as part of the SoT BoK and making them accessible as assessment information sources within the RMM tool itself. SoT is also working to incrementally expand the lists of sources in collaboration with industry and those providing the certifications and information sources. Similar to MITRE’s established compatibility programs for initiatives like Common Vulnerabilities and Exposures (CVE®) and Common Weakness Enumeration (CWE™), the SoT program is establishing a process to allow organizations to share their adoption and use of the SoT taxonomy of risks. This will enable the community at-large to see where market offerings fit into the strategic landscape of supply chain security capabilities and needs.
SoT offers a consistent framework for identifying the scope and nature of issues requiring review and issues that have been addressed. This framework provides the insights necessary to construct the appropriate set of capabilities required to address individualized supply chain security needs.
Built both from the ground up using individual questions, and from the top down using supply chain risk taxonomies, the SoT initiative compiles a vast collection of past and current supply chain security documentation and work from around the world. It also includes previously identified questions to develop the set of SoT yes/no questions. This work includes collecting, correlating, and mapping 295 supply chain security-related policy, statutory, and regulatory issuances over a span of more than seventy years. These authorities shape and control the legal and governance framework within which acquisitions are conducted and define the transactional elements for what many in government need to do, or are precluded from doing, with respect to suppliers, supplies, and services. In addition, the SoT initiative is arranging unilateral nondisclosure agreements (NDAs) with a variety of industry organizations so they can comfortably share information that can be homogenized and incorporated into the SoT. Such agreements will help enable broad access by many other lines of commerce and areas of economic activity to the SoT and its larger supply chain security context.
Examples of items included in the SoT Knowledgebase includes various documents, individual supply chain security questions, supply chain risk taxonomies, legal concerns, and more.
Specific examples:
