MITRE's System of Trust (SoT)

Supply Chain Security


News

Send comments about this page to sot@mitre.org.

MITRE’s SoT Is Topic of Cy Beat Podcast

November 8, 2022

MITRE’s SoT is one of the main topics of a November 3, 2022 podcast interview with MITRE Senior Software and Supply Chain Assurance Principal Engineer Robert A. Martin entitled “Supporting Security Innovation To Protect The World | A Conversation With Bob Martin @ The MITRE Corporation & Industrial Internet Consortium | Cy Beat Podcast With Deb Radcliff” on the Cy Beat Podcast.

Listen to the podcast here.


Article Focuses on SBOM Panel Discussion at MITRE’s “Supply Chain Security Hot Topics Summit 2022”

November 7, 2022

A panel discussion about SBOMs at MITRE’s “Supply Chain Security Hot Topics Summit 2022” is the main topic of an October 17, 2022 article entitled “SBOMs are a 'no brainer': 4 takeaways from MITRE's software supply chain security summit” on the ReversingLabs Blog.

The author states: “With software supply chain attacks ramping up — and presenting a very real new risk category for security teams and CISOs — software bills of materials (SBOMs) are getting the nod from both government and industry experts as a ‘no brainer’ … SBOMs have become an essential talking point in the conversation on how to best secure the software supply chain. At MITRE’s Supply Chain Security Hot Topics Summit 2022, a panel discussion, moderated by MITRE’s VP of Cyber Technologies Wen Masters, Ph.D., featured both private and public sector officials who all had something to say about SBOMs.” The author then cites four takeaways, discussing each in turn: 1) SBOMs are a ‘no-brainer’; 2) there is much more to do on SBOM adoption; 3) automation is a must; and 4) SBOMs need to evolve alongside risks.


MITRE’s SoT Is Topic of GrammaTech Video Blog

October 10, 2022

MITRE’s SoT is one of the main topics of an October 6, 2022 video interview entitled “Automating Supply Chain Integrity” on the GrammaTech Blog.

In the interview, MITRE Senior Software and Supply Chain Assurance Principal Engineer Robert A. Martin talks about the Internet Engineering Task Force’s (IETF) recently announced “Supply Chain Integrity Transparency and Trust (SCITT) initiative and [the] emerging frameworks to come out of the initiative … [and how] MITRE’s supply chain ‘System of Trust’ is [a framework that is] already available to help identify and score risk, while providing a common taxonomy for software, hardware and service providers.”

“Of the fourteen top-level practices recommended in MITRE’s System of Trust, seven apply to the developers of commercial software and embedded products. To developers of commercial and embedded software products, he says that no matter what industry you’re developing to, it comes down to three aspects of risk: malicious taint, good hygiene, and counterfeits.”


Video of MITRE System of Trust Briefing at Supply Chain Security Hot Topics Summit 2022 Now Available

September 19, 2022

The video of the “MITRE’s System of Trust | Supply Chain Assessment Synergy | Consistency and Evidence-Based” presentation at MITRE’s “Supply Chain Security Hot Topics Summit 2022” on August 25, 2022 is now available on the SoT website.

Watch now or on the SoT YouTube Channel:


Session Videos from MITRE’s Supply Chain Security Hot Topics Summit 2022 Now Available

September 19, 2022

Eleven session videos from MITRE’s “Supply Chain Security Hot Topics Summit 2022” are now available on the SoT YouTube Channel and here on the SoT website.

Session topics included:

Visit Supply Chain Security Hot Topics Summit 2022 on the SoT website for links to session videos, speaker and panel members bios, and more.


MITRE to Host Hot Topics in Supply Chain Security Summit on August 25

August 19, 2022

SoT will be a main discussion topic at the “MITRE Hot Topics in Supply Chain Security Summit” on August 25, 2022 in McLean, Virginia, USA. The event, which will be held 8:00 am - 5:30 pm ET, will be both in-person and virtual. View the agenda.

The SoT briefing, “MITRE’s System of Trust | Supply Chain Assessment Synergy | Consistency And Evidence-Based,” is scheduled for 11:05 am - 11:35 am ET, per the event agenda. SoT will also be included in the discussion panels.

This “full-day Summit is open to the public and a place for discussion and exploration of the various aspects of Supply Chain Security relevant to government, industry, and academic partners. To support this the Summit has panels on supply chain policy, software supply chain, supply chain organizational management, transportation supply chain, and medical supply chains as well as opening and closing keynotes by two of MITRE's senior vice presidents and a lunchtime talk on MITRE's System of Trust. MITRE hopes to use the learnings and key takeaways from the sessions and comments from the audience during the day to further engage with stakeholders on the key areas of supply chain security going forward, and hopes to establish collaboration opportunities and synergies with those also working on these critical areas.”

Please register here.


Video of MITRE System of Trust Briefing at RSA 2022 Now Available

August 19, 2022

The video of the “Addressing Supply Chain Security Risks: MITRE’s System of Trust™” presentation at RSA 2022 on June 7, 2022 is now available on the RSA website.

Watch below or on the RSA Conference YouTube Channel:


MITRE System of Trust Is Topic of Keynote Presentation at Hitcon Peace 2022

August 19, 2022

MITRE’s SoT is the main topic of an August 18, 2022 presentation entitled “MITRE System of Trust Identifies and Quantifies Supply Chain Security Risks” at Hitcon Peace 2022 in Taipei, Taiwan.

Keynote talk synopsis on Hitcon website:

“The trust and trustworthiness of supply chains is at the center of many of today’s global security challenges. This presentation explores the details of MITRE’s System of Trust, a community effort to develop and validate a process for integrating evidence of the organizational, technical, and transactional trustworthiness of supply chain elements for decision makers dealing with supply chain security. This framework is defining, aligning, and addressing the specific concerns and risks that stand in the way of organizations’ trusting suppliers, supplies, and service offerings. More importantly, the framework offers a comprehensive, consistent, and repeatable methodology – for evaluating suppliers, supplies, and service offerings alike – that is based on decades of supply chain security experience, deep insights into the complex challenges facing the procurement and operations communities, and broad knowledge of the relevant standards and community best practices.

By creating and curating a community-enabled structured corpus of concerns that are important for trusting organizations, products, and components, and service offerings that can be adopted, taught, and utilized by any organization involved in a supply chain, the System of Trust offers a framework for focusing concise and rapid attention onto those risks most relevant and actionable to the parties involved in exchanging goods and services. This is comparable to how MITRE’s ATT&CK framework enables discourse and synergies in the cyber risk domain. Additionally, the framework includes a mechanism for winnowing down and tailoring the overall System of Trust to a set of concerns and investigative questions that consider the resources of your organization, the significance of the system or service to its operations, and the consequences that could result from failing to fully vet concerns. Finally, the System of Trust provides the ability to apply scoring mechanisms that can be adapted to your organization’s priorities, operational sensitivities, and experience with its type of business and partners.”


MITRE’s SoT Is Main Topic of ConversingLabs Podcast

August 9, 2022

MITRE’s SoT is the main topic of a June 2022 podcast episode entitled “Robert Martin of MITRE on Supply Chain System of Trust” on ReversingLabs’ ConversingLabs podcast.

In the podcast, MITRE Senior Software and Supply Chain Assurance Principal Engineer Robert A. Martin talks about how SoT “provides a framework for supply chain security risk assessments that is customizable, evidence-based, scalable and repeatable … [and how, once] implemented, the SoT will give organizations within the supply chain confidence in each other as well as different service offerings and supplies.”

Also discussed is “how the software supply chain is highly complicated, due to an increasing number of things in society becoming cyber-enabled. Martin explained how software is not written neatly end to end, but rather is built with drivers, dependencies, and frameworks that give the supply chain depth and magnitude. If software practitioners are not given visibility into this complicated picture, they will miss the software supply chain risks that pose a threat to their organizations. The SoT’s goal is to promote transparency, allowing developers to see all of the players in the supply chain.”

Listen below or directly on the ConversingLabs podcast:

Video and podcast credit: ReversingLabs


MITRE’s SoT Receives Extensive News Media Coverage

July 26, 2022

MITRE’s recently released System of Trust (SoT™) received global media coverage and extensive interest from the community. We thank the community for all of your messages and inquiries regarding the MITRE SoT.

Below is a partial list of articles from around the world about SoT:

MITRE’s System of Trust: A proposed standard for software supply chain security, ReversingLabs Blog

Robert Martin of MITRE on Supply Chain System of Trust, ConversingLabs Podcast

ConversingLabs - Episode 6: Robert Martin of MITRE on Supply Chain System of Trust, ConversingLabs Video

MITRE System of Trust identifies and quantifies supply chain security risks, Help Net Security

MITRE has published a new framework for supply chain risk management, Root.CZ

[RSAC 2022] Global Security Company Trends and Key Talks to Security Organizations, South Korean Daily Security

SBOMs Go Prime Time at RSAC 2022, Security Boulevard

RSA Conference 2022 - Announcements Summary (Day 1): MITRE introduces “System of Trust”, SecurityWeek

New MITRE Framework for Supply Chain Security, IT Security News

In Case You Missed RSA Conference 2022: A News Digest, Dark Reading

What’s hot at #RSAC? Here’s our picks for the big show, Security Boulevard

How New Policies Could Strengthen US Cyber Defense, Forbes

Malicious Python Repository Package Drops Cobalt Strike on Windows, macOS & Linux Systems, Dark Reading

MITRE System of Trust identifies and quantifies supply chain security risks, IT Security News

RSAC 2022 Experts Call for Major Changes to Third-party Risk Management, Tenchi Security Blog

MITRE’s New “System of Trust” Protects Vulnerable Supply Chains, MITRE website

New MITRE Framework For Supply Chain Security, Information Security Buzz

MITRE launches supply chain framework for telecom, tech sectors to address security risk, Inside Cybersecurity

MITRE Creates Framework for Supply Chain Security, Dark Reading

To add a news item to this list, please send the title, publication name, and link to sot@mitre.org.


“MITRE System of Trust Identifies and Quantifies Supply Chain Security Risks” Article on Help Net Security

June 15, 2022

MITRE’s SoT is the main topic of a June 7, 2022 article entitled “MITRE System of Trust Identifies and Quantifies Supply Chain Security Risks” on Help Net Security.

The author explains what SoT is and the problem it solves, explaining that the framework will provide “a comprehensive, community-driven, knowledge base of supply chain security risks and a customizable, security-risk assessment process for use by any organization within the supply chain ecosystem.”

The author states: “For the first time, there’s a free and open platform that will help companies identify, discuss, and quantify the risks in major supply chains and with suppliers—including the security concerns posed by software.” “System of Trust provides a proactive approach to identify and mitigate threats—before they happen.”

MITRE Senior Software and Supply Chain Assurance Principal Engineer Robert A. Martin and MITRE Vice President of Cyber Technologies Wen Masters are both quoted in the article.

Read the complete article at https://www.helpnetsecurity.com/2022/06/07/mitre-system-of-trust/.


News Release: MITRE’s New “System of Trust” Protects Vulnerable Supply Chains

June 6, 2022

MITRE issued a news release entitled “MITRE’s New ‘System of Trust’ Protects Vulnerable Supply Chains” on June 6, 2022 to officially announce the System of Trust (SoT™) at RSA Conference 2022. Read the news release here.


MITRE’s SoT Is Main Topic of Article on Inside Cybersecurity

June 5, 2022

MITRE’s SoT is the main topic of a June 3, 2022 article entitled “MITRE launches supply chain framework for telecom, tech sectors to address security risk” on Inside Cybersecurity.

The author describes the SoT framework and includes several quotes from MITRE Senior Software and Supply Chain Assurance Principal Engineer Robert A. Martin, who states: “[SoT] is a common vocabulary and body of knowledge around supply chain risks that you may need to assess from suppliers, supplies and service providers. It’s not that you need to address all of them but it is a common departure point for what you may need to investigate and things that could cause a problem.”

“We want to also encourage people to capture the data they are using to make these decisions” so they can point to or include the data that supports their decision making in an evaluation ... The goal is to make this work “defendable and repeatable [and] it will also allow you to revisit an assessment because some things change over time and by capturing that underlying data, you can see where things are evolving for better or worse and swinging back and forth.”

Read the complete article at https://insidecybersecurity.com/daily-news/mitre-launches-supply-chain-framework-telecom-tech-sectors-address-security-risk.


Welcome to the System of Trust Website!

June 1, 2022

Welcome to our new Supply Chain Security System of Trust™ (SoT) website! Here we will provide you with information and updates about the SoT initiative, as well as the latest white papers, journal articles, videos, events, and other items of interest about SoT and supply chain security. We also hope to serve as a resource for any questions you might have about how SoT can help address your supply chain security concerns.

In short, the objective of SoT is to create what did not exist previously: a comprehensive, consistent, and repeatable methodology—along with a probabilistic risk assessment process—that is customizable, and will enable all organizations within the supply chain to trust the security of each other and the supplies being delivered. Before SoT, the concepts of trust, trustworthiness, and security for supply chain participants had disparate meanings, requirements, and expectations for each of the various organizations participating in the supply chain (acquirers, suppliers, and service providers), and these differences were often a core factor in supply chain failures. Our work to achieve this is described in more detail in the Overview and System of Trust Framework sections of this website, while the results of the SoT pilot show the clarity of trust that SoT can bring to supply chain transactions using real world scenarios and data.

Please take a look at the website, review the journal articles and other materials, and let us know what you think, what additional information you would find useful, or how we can help you.


“Addressing Supply Chain Security Risks: MITRE’s System of Trust” Talk at RSA 2022 on June 7

June 1, 2022

MITRE Senior Software and Supply Chain Assurance Principal Engineer Robert A. Martin is scheduled to present a talk entitled “Addressing Supply Chain Security Risks: MITRE’s System of Trust” at RSA Conference 2022 at the Moscone Center in San Francisco, California, USA. The talk, Session PDSC-T08, is scheduled for June 7, 2022, at 1:15 PM - 2:05 PM PT in Moscone West 2006. The full conference, which is also a virtual event, is June 6-9.

As noted on the RSA website, “This session will discuss System of Trust (SoT), a supply chain security community effort defining, aligning, and addressing the concerns and risks that stand in the way of organizations’ trusting suppliers, supplies, and service offerings. SoT offers a framework for focusing attention on those supply-chain-related risks most relevant and actionable to the parties involved in exchanging goods and services.”


MITRE’s SoT Is Main Topic of Article on Dark Reading

June 1, 2022

MITRE’s SoT is the main topic of a May 18, 2022 article entitled “MITRE Creates Framework for Supply Chain Security” on Dark Reading.

The author states: “Supply chain security has been all the buzz in the wake of high-profile attacks like SolarWinds and Log4j, but to date there is no single, agreed-on way to define or measure it. To that end, MITRE has built a prototype framework for information and communications technology (ICT) that defines and quantifies risks and security concerns over supply chain - including software. MITRE’s so-called System of Trust (SoT) prototype framework is, in essence, a standard methodology for evaluating suppliers, supplies, and service providers. It can be used not just by cybersecurity teams but across an organization for assessing a supplier or product.”

The article also includes several quotes from MITRE Senior Software and Supply Chain Assurance Principal Engineer Robert A. Martin, including the following about the goal of SoT: “‘Supply chain’ has a lot of different meanings,” Martin explains. “We’re not talking microelectronics in the US versus overseas. We’re not trying to solve port issues. We’re trying to get a culture of organizational risk management that includes supply chain concerns as a normal part of that. We want to bring some consistencies, automation, and data-driven evidence so there’s more understanding of supply chain risks.”

Read the complete article at https://www.darkreading.com/application-security/mitre-creates-framework-for-supply-chain-security.
