mitre system of trust

MITRE’s new supply-chain risk management tool

Print Friendly, PDF & Email

The nonprofit research organization MITRE has long been associated with forward-thinking, data-driven solutions for managing security and risk at enterprise and government scale. Their ATT@CK matrix is a powerful tool for categorizing cyberattack tactics and techniques, and for assessing vulnerabilities. (I discussed MITRE ATT@CK’s uses and benefits in more detail in this January 2022 blog post.)

MITRE’s newest initiative, announced at the recent 2022 RSA conference, is called System of Trust (SoT), and once again it’s a free and open platform that any organization can use to evaluate and understand risks — in this case supply-chain risks based on cyber and other threats.

Data-driven risk mitigation

System of Trust provides a framework for assessing supply-chain risks across 14 defined risk areas, and it drills down into great detail with 2,200 supply-chain questions. As it builds its knowledge base with a flow of up-to-date community-provided input, its assessments remain precise and accurate over time.

Once you have a reliable assessment of risks in your supply chains, you can choose how to mitigate those risks — whether it’s replacing an unreliable supplier, adjusting your insurance coverage, or investing in your cybersecurity infrastructure, et cetera. SoT is also very useful in evaluating a potential acquisition, partnership, or other possible disruption to existing supply chains.

A common language of risk

This high-level depiction of the SoT framework shows how MITRE’s 14 risk categories are organized into three trust aspects relevant to supply chains. Each of these 14 categories are thoroughly evaluated as the system gathers answers to its questions.

MITRE system of trust

In addition to serving as a useful tool for risk assessment and mitigation, MITRE System of Trust provides a common, systematic vocabulary for communicating both within and among organizations about supply-chain risks — making efforts to mitigate those risks more efficient and productive.

Report: The state of application security

Scroll to top