MITRE's System of Trust (SoT)
System of Trust (SoT) logo of interlocked building blocks

Supply Chain Security


System of Trust Framework

With the introduction and adoption of the SoT vocabulary and concepts, the nature of interactions with others regarding supply chain security will simplify, become teachable, and become more efficient while at the same time the processes and practices surrounding day-to-day supply chain assurance work will be more consistent, automatable, and supported by evidence. We believe SoT is the foundation needed for understanding supply chain risks and that it will be the key to securing robust and resilient supply chains, trustworthy partners, and trusted components and systems that are globally manufactured.

The SoT Framework is aimed at defining, aligning, and addressing the specific concerns and risks that stand in the way of organizations’ trusting suppliers, supplies, and service providers. More importantly, the framework offers a comprehensive, consistent, and repeatable methodology — for evaluating suppliers, supplies, and service providers alike — that is based on MITRE’s decades of supply chain security experience, deep insights into the complex challenges facing the procurement community of interest, and the community’s broad knowledge of the supply chain as shown in literature and relevant standards organizations.


The SoT Framework builds a basis of trust by identifying the three main trust aspects of supply chain security—suppliers, supplies, and services—then identifying and addressing the 14 top-level decisional risk areas under them (see figure 1) associated with trust that agencies and enterprises must evaluate and make choices about during the full life cycle of their acquisition activities. Leveraging the full breadth and depth of our expertise, industry efforts, and government research, the SoT Framework drills down into these 14 top-level risk areas and investigates over 200 risk sub-areas by addressing a combination of over 1,200 risk factors and detailed risk measurement questions.

In addition, the framework draws upon numerous validated data repositories to advance a probabilistic risk assessment of the trustworthiness of a product, service, or supplier. SoT guides the user through a series of questions that refine the specific risks and sub-risks for their specific use cases and user environments. SoT can also leverage predefined profiles for a specific use case or user environment. The result of these assessments are scored for trustworthiness.

Figure 1 shows a high-level depiction of the SoT framework:

System of Trust chart showing key risk areas for suppliers, supplies/components, and services

Figure 1. System of Trust, showing key risk areas for suppliers, supplies/components, and services

SoT Framework Components

The four overarching components of the SoT Framework, which are accessed using SoT’s Risk Model Manager web app (currently in beta), are summarized below. Follow the links for detailed information on each component.

Body of Knowledge (BoK) – The SoT BoK includes all predefined profiles and the entire set of yes/no questions used in SoT assessments. The profiles or questions that are utilized depends upon the selection(s) of the user. Information sources will be provided for each risk, when known, to help the user determine whether the risk is present or not. Other useful information may be added over time.

Assessment – Each SoT assessment begins by selecting a predefined profile or with a few scoping questions that will narrow down the SoT content to something appropriate to the product, service, or supplier in question. This subset is then aligned to the assessing organization’s assessment focus, resources, available time, and legal authorities, and to its present acquisition challenge. During the evaluation process, subject-specific questions are posed to establish the presence or absence of individual aspects of concern and to align with best practices from government and industry.

Scoring – Risks are scored using a set of contextually driven, tailorable, weighted measurements that are used as inputs into a scoring algorithm. The scoring results are then used to identify supplier strengths and weaknesses against the applicable risk categories, enabling an acquirer to analyze and evaluate one or more suppliers’ relative “trustworthiness” for supplying components or services.

Customization – The ability to customize SoT has been carefully designed to ensure optimal usability. As noted above, the SoT can be customized for specific use cases and user environments during the assessment and risk scoring activities.

Learn More

For more information, please contact us.