MITRE's System of Trust (SoT)

Supply Chain Security


About

Defining Supply Chain and Supply Chain Security

Today, supply chain and supply chain security topics receive unprecedented attention and coverage in our national discourse. Many people discuss these topics, but the participants often hold different interpretations of what the terms mean.

In these discussions, we must be clear about which aspects of the broad concept of "supply chain" we are addressing. For example, some want to discuss the resilience of interconnected supply chains to disruptions from shortages of common components, shared supply chain partners, transportation issues, or regional impacts. Others want to map or illuminate the supply chains of a specific type of product. Some seek awareness and management practices for organizational and mission risks caused by suppliers and by the suppliers' own supply chains. Yet others focus on domain-specific supply chain risks (e.g., cyber-based capabilities, pharmaceuticals, foodstuffs). Certain supply chain discussions cover the acquisition and procurement activities that help organizations see and manage risks from their supply chains. Finally, there are those who want to define and promote standards and norms for third-party risk management due diligence regarding suppliers, supplies, and service providers, while also considering the aspects covered in the domains identified above.

All of these meanings fall under the term "supply chain," while "supply chain security" focuses on the robustness, trustworthiness, and resilience aspects of this broad topic.

Background

The MITRE Corporation has been engaged for decades in supporting the national and homeland security communities on supply chain risk issues and in working with national and international standards organizations to reduce risks in global supply chain security. We have also been deeply engaged in projects that focus specifically on supply chain security for Information and Communications Technology (ICT), including the use of ICT in national security systems, cyber-physical systems, and IoT systems. These projects have also included highly sensitive nuclear and intelligence systems, safety-critical systems, and the "trustworthiness" of vendors and products. With today's increased focus on the need for robust and resilient supply chains, trustworthy partners, and trusted components and systems that are globally manufactured, a reliable path to understanding the risks that can impact trustworthiness is essential. This path must be broadly understood, shared, and usable at scale.

As a method for addressing these supply chain security challenges, MITRE developed and introduced the System of Trust (SoT™) Framework. This framework aims to define, align, and address the specific concerns and risks that prevent organizations from trusting suppliers, supplies, and service providers.

Most importantly, the framework offers a comprehensive, consistent, and repeatable methodology — for evaluating suppliers, supplies, and service providers alike — that is based on our decades of supply chain security experience, deep insights into the complex challenges facing the procurement community of interest, and a broad knowledge of the relevant shared thinking on this topic in literature and standards.

The Impetus for a System of Trust

Today, organizations and practitioners differ widely in how they identify the list of relevant risks, how they approach risk assessment, and how they convey the results of such assessments. Among the many aspects of supply chain security identified above, the MITRE SoT focuses on identifying and assessing the risks from your suppliers, their supply items, and their service offerings. SoT aims to collect, organize, and share a common baseline of the supplier, supply, and service risks that an organization may need to consider. This collection of identified risks can begin as something unworkably large, as shown on the left side of Figure 1 below, which highlights the need for a methodology for selecting an operationally relevant subset of the body of knowledge of supply chain risks, as notionally illustrated on the right side of the figure. Such a subset of the overall SoT collection is called a profile. We envision many reusable profiles being developed as different common-interest groupings of the risks are identified. An example SoT profile, for organizations that are "Highly Sensitive to Foreign Influence" over their suppliers, has been drafted for discussion. The clarity provided by SoT empowers organizations to conduct assessments in a practical, timely, and cost-efficient manner that focuses on the needs of the organization and allows for broad adoption, training, and automation.


Figure 1. How SoT Profiles Bring Clarity to Chaos

Goal of SoT

The goal of SoT is to offer a comprehensive and consistent methodology that can be tailored to meet industry and company needs to address supply chain security issues, leading to better traceability, reliability, and security of supply chains.

MITRE's deep experience, together with investigations and discussions with a broad set of stakeholders in government, industry, and academia, has identified several key elements that will enable SoT's goal, including:

  1. Having a common taxonomy of supply chain risks for suppliers, supplies, and services.
  2. Creating consistent supply chain security assessments and risk discussions.
  3. Informing data-driven decisions about supply chain risks.
  4. Supplying a broad understanding of the available sources of supply chain risk assessment information.
  5. Supporting and promoting the use of automation.
  6. Providing for cost-efficient assessments.
  7. Establishing pathways for broad adoption of, and training in, supply chain security practices across diverse communities.

Learn More

Go to the SoT Framework.
