MITRE's System of Trust (SoT)
System of Trust (SoT) logo of interlocked building blocks

Supply Chain Security


System of Trust Framework

With the introduction and adoption of the SoT vocabulary and concepts, the nature of interactions with others regarding supply chain security will simplify, become teachable, and become more efficient while at the same time the processes and practices surrounding day-to-day supply chain assurance work will be more consistent, automatable, and supported by evidence. We believe SoT is the foundation needed for understanding supply chain risks and that it will be the key to securing robust and resilient supply chains, trustworthy partners, and trusted components and systems that are globally manufactured.

The SoT Framework is aimed at defining, aligning, and addressing the specific concerns and risks that stand in the way of organizations’ trusting suppliers, supplies, and service providers. More importantly, the framework offers a comprehensive, consistent, and repeatable methodology — for evaluating suppliers, supplies, and service providers alike — that is based on MITRE’s decades of supply chain security experience, deep insights into the complex challenges facing the procurement community of interest, and the community’s broad knowledge of the supply chain as shown in literature and relevant standards organizations.


The SoT Framework builds a basis of trust by identifying the three main trust aspects of supply chain security—suppliers, supplies, and services—then identifying and addressing the 14 top-level decisional risk areas under them (see figure 1) associated with trust that agencies and enterprises must evaluate and make choices about during the full life cycle of their acquisition activities. Leveraging the full breadth and depth of our expertise, industry efforts, and government research, the SoT Framework drills down into these 14 top-level risk areas and investigates as many as 200 risk sub-areas by addressing over 2,200 detailed questions.

In addition, the framework draws upon numerous validated data repositories to advance a probabilistic risk assessment of the trustworthiness of a product, service, or supplier. SoT guides the user through a series of questions that refine the specific risks and sub-risks for their specific use cases and user environments. SoT can also leverage predefined profiles for a specific use case or user environment. The result of these assessments are scored for trustworthiness.

Figure 1 shows a high-level depiction of the SoT framework:

System of Trust chart showing key risk areas for suppliers, supplies/components, and services

Figure 1. System of Trust, showing key risk areas for suppliers, supplies/components, and services

SoT Framework Components

The four overarching components of the SoT Framework, which are accessed using SoT’s Risk Model Manager web app (currently in beta), are summarized below. Follow the links for detailed information on each component.

Body of Knowledge (BoK) – The SoT BoK includes all predefined profiles and the entire set of yes/no questions used in SoT assessments. The profiles or questions that are utilized depends upon the selection(s) of the user. Information sources will be provided for each risk, when known, to help the user determine whether the risk is present or not. Other useful information may be added over time.

Assessment – Each SoT assessment begins by selecting a predefined profile or with a few scoping questions that will narrow down the SoT content to something appropriate to the product, service, or supplier in question. This subset is then aligned to the assessing organization’s assessment focus, resources, available time, and legal authorities, and to its present acquisition challenge. During the evaluation process, subject-specific questions are posed to establish the presence or absence of individual aspects of concern and to align with best practices from government and industry.

Scoring – Risks are scored using a set of contextually driven, tailorable, weighted measurements that are used as inputs into a scoring algorithm. The scoring results are then used to identify supplier strengths and weaknesses against the applicable risk categories, enabling an acquirer to analyze and evaluate one or more suppliers’ relative “trustworthiness” for supplying components or services.

Customization – The ability to customize SoT has been carefully designed to ensure optimal usability. As noted above, the SoT can be customized for specific use cases and user environments during the assessment and risk scoring activities.

Risk Model Manager (RMM)

SoT content will be accessed using the RMM web app, which is currently in beta and has been successfully demonstrated in the SoT Pilots. RMM is a cloud-native capability that provides the core underpinnings for developing a sharable supply chain risk taxonomy that is grounded in industry and government best practices, open-source components, cloud-native services, standards, and policy. The RMM was specifically developed to allow for active tailoring of the BoK into profiled sub-sets for use in assessment activities. While the current instantiations of the RMM are native to Amazon Web Services (AWS) environments, the architecture, and components of the RMM technical platform can form the basis of versions usable in other cloud or non-cloud container environments.

Once available, RMM will support:

  1. Viewing SoT content.
  2. Building/editing SoT content.
  3. Tailoring the scope of SoT content to be used and its scoring weights.
  4. Conducting an assessment.
  5. Exporting SoT content (as a spreadsheet for viewing, for a tailored sub-set of SoT, and for assessment elsewhere).

MITRE intends to provide a functional copy of the SoT RMM capability for public usage on the SoT website as a way to foster broad adoption and understanding of how the SoT functions. Since evaluating products and services for specific risks can quickly become sensitive, the version of RMM provided will only allow for viewing the SoT BoK and selecting or creating a profile of the BoK. A spreadsheet export capability will provide a mechanism for downloading the resultant sub-set of the SoT BoK for evaluation on an organization’s systems where they can protect the assessment appropriately.

Learn More

For more information, please contact us.