Risk Model Manager (RMM)

The Risk Model Manager (RMM) is a prototype cloud-native capability that provides the core underpinnings for leveraging the System of Trust (SoT) supply chain security risk framework that is grounded in industry and government best practices, open-source components, cloud-native services, standards, and policy. RMM was specifically developed to allow for active tailoring of the SoT Body of Knowledge into profiled sub-sets for use in assessment activities.

The RMM web app allows for the repeatable utilization of a comprehensive and consistent BoK of risk concerns structured from top-level risk categories, to risk sub-categories, to specific risk factors, and down to explicit concrete risk measure questions, as described in the SoT Framework, to address any specific organizational or localized areas of interest.

RMM supports:

• Viewing SoT content
• Building/editing SoT content
• Tailoring the scope of SoT content to be used and its scoring weights
• Conducting an assessment
• Exporting SoT content (as a spreadsheet for viewing, for a tailored sub-set of SoT, and for assessment elsewhere)

Using RMM

Users interact with RMM depending on their role(s), which are assigned by the user’s organization: Content Editors and Content Readers edit or read SoT BoK content; Profile Editors and Profile Readers edit or read profiles that define subsets of the RMM content to be used for assessments; and Assessors, Assessment Managers, and Assessment Reviewers have the ability to create, execute, and/or review assessments.

RMM includes four modes for users in these roles to interact with the content:

1. View—The View mode is seen when the RMM is launched and is the default view. In this mode, a user in the Content Reader role can view and explore the SoT BoK by selecting elements in the overview tree hierarchy or one of the element type-specific lists, however, they cannot edit or make any changes to content in RMM.
2. Edit—A user in the Content Editor role can create, modify or delete elements from the organization’s BoK.
3. Tailor—In this mode, a user in the Profile Reader role can view existing tailoring profiles and their details, and a user in the Profile Editor role can create, modify or delete tailoring profiles. The Profile Editor will create, modify, and delete profiles as needed to meet the organization’s needs. This may include different profiles for each use case, system, family of systems, department, mission, or lifecycle phase.
4. Assessment—In this mode, a user in the appropriate role can view existing assessments, create new assessments, edit assessment metadata, or execute a risk assessment, by creating risk measurements within an assessment.

Figure 1. System of Trust Risk Model Manager Modes Screen

Register for Read-Only Access to RMM

The RMM web app is currently limited to READ-ONLY access of views and profiles only. Please fill-out this form to request access.