The trustworthiness and security of supply chains have been a top concern since the high-profile SolarWinds and Log4j incidents, but there is still no single, accepted way to characterize or evaluate them.
To address this, MITRE is putting forward a prototype framework for describing and quantifying supply chain risks and security issues, software included.
The System of Trust (SoT) is a proposed framework for assessing suppliers, supplies, and service providers. It offers a thorough, uniform, and repeatable method for evaluating a vendor or product that can be used by cybersecurity teams and across an organization.
The Role of the System of Trust (SoT) Framework in Supply Chain Security
According to official papers, the SoT structure is separated into three groups: suppliers, supplies, and services.
It includes 12 top-level decisional risk areas and covers 76 risk sub-domains with about 400 detailed questions.
A scoring algorithm and data measures are used to rate each risk. The resulting ratings let businesses gauge a software supplier’s trustworthiness by highlighting the supplier’s strengths and weaknesses in each risk area.
Agencies and enterprises can use the findings to guide decisions across the whole life cycle of their acquisition activities, for example whether to buy from a particular business at all and whether to buy a particular item or part number from that business.
The System of Trust’s ultimate goal is to organize and combine already-existing capabilities that don’t frequently work together to provide thorough vetting of software and service provider offerings.
Here are a few example questions:
- Is the supplier using a standard service bill of materials, that is, a list of all the repairable components needed to keep an asset in working order?
- To manage the risk of malicious taint, is the supplier using high-assurance, high-integrity capabilities to track where software supplies and components originated, who produced them, and whether they have been validated as having passed through the required assurance and validation stages?
The framework then builds a probabilistic risk assessment of the trustworthiness of a product, service, or provider from a variety of reliable data sources.
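The article describes the SoT layout (risk areas, sub-domains, weighted questions, a scoring algorithm that rolls answers up into ratings and exposes strengths and weaknesses) without showing the arithmetic. The following is an added illustration written for this page, not MITRE’s published scoring method: it models a tiny constructed questionnaire in that shape for a hypothetical supplier (“Acme Components”), rolls weighted answers up to sub-domain, risk area and overall scores, treats unanswered questions as partial risk, and reports evidence coverage so an assessor can see how much of a score rests on missing answers. The taxonomy, weights, the `UNKNOWN_PENALTY` value and the flagging threshold are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example, not MITRE's published SoT scoring: a tiny slice of a
# supplier questionnaire in the shape the article describes
# (risk area -> sub-domain -> weighted questions), rolled up into scores.

@dataclass
class Question:
    text: str
    weight: float                 # relative importance within its sub-domain
    answer: Optional[str] = None  # "yes" = control present, "no" = absent, None = no evidence

@dataclass
class SubDomain:
    name: str
    questions: list

@dataclass
class RiskArea:
    name: str
    subdomains: list

UNKNOWN_PENALTY = 0.5  # assumption: a question with no evidence counts as half-risky

def question_risk(q: Question) -> float:
    """Risk contributed by one question: 0 if the control is in place, 1 if not."""
    if q.answer == "yes":
        return 0.0
    if q.answer == "no":
        return 1.0
    return UNKNOWN_PENALTY

def weighted_mean(pairs):
    """pairs = [(value, weight), ...]; returns the weight-normalised mean."""
    total = sum(w for _, w in pairs)
    return sum(v * w for v, w in pairs) / total if total else 0.0

def subdomain_weight(sd: SubDomain) -> float:
    return sum(q.weight for q in sd.questions)

def subdomain_score(sd: SubDomain) -> float:
    return weighted_mean([(question_risk(q), q.weight) for q in sd.questions])

def area_weight(area: RiskArea) -> float:
    return sum(subdomain_weight(sd) for sd in area.subdomains)

def area_score(area: RiskArea) -> float:
    return weighted_mean([(subdomain_score(sd), subdomain_weight(sd)) for sd in area.subdomains])

def coverage(area: RiskArea) -> float:
    """Fraction of the area's questions that have any evidence behind them."""
    qs = [q for sd in area.subdomains for q in sd.questions]
    return sum(q.answer is not None for q in qs) / len(qs)

def assess_supplier(areas, threshold: float = 0.5) -> dict:
    """Roll a questionnaire up into per-area scores, an overall score, the areas
    at or above the flagging threshold, and the weakest sub-domains."""
    report = {"areas": {}, "flagged": [], "weakest_subdomains": []}
    for a in areas:
        s = area_score(a)
        report["areas"][a.name] = {"score": s, "coverage": coverage(a)}
        if s >= threshold:
            report["flagged"].append(a.name)
    report["overall"] = weighted_mean([(area_score(a), area_weight(a)) for a in areas])
    subs = [(sd.name, subdomain_score(sd)) for a in areas for sd in a.subdomains]
    report["weakest_subdomains"] = sorted(subs, key=lambda t: t[1], reverse=True)[:3]
    return report

# Constructed answers for a hypothetical supplier "Acme Components".
ACME = [
    RiskArea("Organizational security", [
        SubDomain("Software provenance", [
            Question("Maintains a bill of materials for delivered software?", 3, "yes"),
            Question("Tracks where each component originated and who built it?", 4, "no"),
            Question("Validates that components passed required assurance stages?", 3, None),
        ]),
        SubDomain("Vulnerability response", [
            Question("Publishes a vulnerability disclosure policy?", 2, "yes"),
            Question("Commits to a patch turnaround time?", 3, "yes"),
        ]),
    ]),
    RiskArea("Financial stability", [
        SubDomain("Viability", [
            Question("Provides audited financial statements?", 3, "no"),
            Question("Revenue not dependent on a single customer?", 1, "yes"),
        ]),
    ]),
]

if __name__ == "__main__":
    import json
    print(json.dumps(assess_supplier(ACME), indent=2))
```

For Acme the provenance sub-domain scores 0.55 (one missing answer counted at half weight), the financial area is flagged at 0.75, and the 0.8 coverage on the security area tells the assessor that part of that score is an assumption rather than evidence, which is the kind of caveat a rating should carry before it drives a procurement decision.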
To gain community support and feedback, Robert A. Martin, Senior Software and Supply Chain Assurance Principal Engineer at MITRE, will present the SoT at the RSA Conference (RSAC) in San Francisco.
The project has been taking comments for months and will continue to be evaluated in pilots and in real-world use. According to its author, the SoT framework will eventually become the industry standard for supply chain security.
Earlier successful MITRE projects include the Common Vulnerabilities and Exposures (CVE) system, which catalogs known software vulnerabilities, and, more recently, the ATT&CK framework, which charts the typical steps threat groups take to infiltrate networks and breach systems.
Added tool or increased workload?
A frequent theme with new supply chain security initiatives or standards in general is an increase in recurrent requests and inquiries from auditors and/or customers.
Compliance officers may have to repeat the answers already covered by their valid security certifications (SOC 2, ISO 27001, PCI, and so on), explain “how” the controls are applied, or fill in new forms.
Risk assessments of suppliers are important, but they are frequently painful and inefficient for both sides.
The good news is that the bulk of this process can be automated and connected with the acquisition and procurement process.
Questionnaire answer systems like Beacon by ThirdPartyTrust decrease repetition, reduce friction, and improve oversight and control by centralizing security documentation in one source that customers and auditors can assess using a self-service approach.
Limitations of SoT for Software Supply Chain Risk Management
Robert Martin noted during the CAPEC Summit that despite their obvious importance, SBOMs are missing some essential components.
An SBOM neither detects suspected compromises at the supply chain level nor guarantees their prompt disclosure once the supplier has identified them.
SBOMs would be valuable for emerging major vulnerabilities such as Log4j, since end users could immediately tell whether the delivered software contains the vulnerable component and patch it in time.
For a SolarWinds-style attack, however, the SBOM would be of little to no use, because the attackers’ stealthy modifications would not appear on that list.
Nor would it help prevent supply chain vulnerabilities like Follina, for which a fix was still lacking two weeks after the problem was made public.
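The two cases above (an SBOM helps for a Log4j-type vulnerability, not for a SolarWinds-type compromise) can be made concrete with a small check. This is an added example written for this page, not code from the article or from MITRE: it parses a minimal CycloneDX-style SBOM, matches its components against a locally held advisory feed with OSV-style introduced/fixed ranges, and then shows that the same lookup is blind to a tampered build, because the SBOM only records names, versions and the hash of whatever the (possibly compromised) build pipeline emitted. The advisory identifiers (`EXAMPLE-ADV-…`), the `example-agent` component, its bytes and the SBOM contents are all constructed placeholders.

```python
import hashlib
import json

# Constructed example (not from the article or MITRE): match SBOM components
# against an advisory feed, then show what the lookup cannot see.

def parse_version(v: str) -> tuple:
    """Assumption: purely numeric dotted versions such as '2.14.1'."""
    return tuple(int(p) for p in v.split("."))

def in_range(version: str, introduced: str, fixed: str) -> bool:
    """OSV-style half-open range: introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

# Constructed advisory feed with placeholder identifiers.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "log4j-core", "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "EXAMPLE-ADV-0002", "package": "jackson-databind", "introduced": "2.9.0", "fixed": "2.9.10"},
]

def make_sbom(agent_bytes: bytes) -> dict:
    """Build a minimal CycloneDX-shaped SBOM for a constructed product. The
    application's SHA-256 is taken from whatever bytes the build produced,
    exactly as an SBOM generator inside a build pipeline would do."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "log4j-core", "version": "2.14.1"},
            {"type": "library", "name": "jackson-databind", "version": "2.12.3"},
            {"type": "application", "name": "example-agent", "version": "1.0.0",
             "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(agent_bytes).hexdigest()}]},
        ],
    }

def load_components(sbom_text: str):
    doc = json.loads(sbom_text)
    return [(c["name"], c["version"], c.get("hashes", [])) for c in doc["components"]]

def find_affected(sbom_text: str, advisories) -> list:
    """Components whose declared version falls inside an advisory's range."""
    hits = []
    for name, version, _ in load_components(sbom_text):
        for adv in advisories:
            if adv["package"] == name and in_range(version, adv["introduced"], adv["fixed"]):
                hits.append({"component": f"{name}@{version}",
                             "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return hits

def declared_digest(sbom_text: str, name: str):
    for comp_name, _, hashes in load_components(sbom_text):
        if comp_name == name:
            for h in hashes:
                if h["alg"] == "SHA-256":
                    return h["content"]
    return None

def artifact_matches_sbom(sbom_text: str, name: str, artifact: bytes) -> bool:
    """True when the artifact actually received has the SHA-256 the SBOM declares."""
    return hashlib.sha256(artifact).hexdigest() == declared_digest(sbom_text, name)

# Constructed artifacts: a clean build and the same build with an injected change.
CLEAN_AGENT = b"example-agent v1.0.0: clean build (constructed bytes)"
TAMPERED_AGENT = CLEAN_AGENT + b"\n# constructed stand-in for an injected modification"

# SBOM produced by an honest pipeline versus one produced by a pipeline that
# was already compromised when it generated the SBOM (the SolarWinds-style case).
CLEAN_SBOM = json.dumps(make_sbom(CLEAN_AGENT))
TAMPERED_SBOM = json.dumps(make_sbom(TAMPERED_AGENT))

if __name__ == "__main__":
    print("Log4j-type check:", find_affected(CLEAN_SBOM, ADVISORIES))
    print("Clean SBOM vs tampered bytes:",
          artifact_matches_sbom(CLEAN_SBOM, "example-agent", TAMPERED_AGENT))
    print("Tampered SBOM vs tampered bytes:",
          artifact_matches_sbom(TAMPERED_SBOM, "example-agent", TAMPERED_AGENT))
    print("Advisory hits identical:",
          find_affected(TAMPERED_SBOM, ADVISORIES) == find_affected(CLEAN_SBOM, ADVISORIES))
```

The first call answers the Log4j question immediately (`log4j-core@2.14.1` is inside the constructed range, so the consumer knows to patch). The hash check only catches tampering when the SBOM came from a build the attacker did not control; once the SBOM is generated by the compromised pipeline, both the hash and the advisory lookup pass, which is the limitation the article is pointing at and why it argues for continuous assessment of the supplier’s posture rather than reliance on the bill of materials alone.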
A continuous security assessment of the supplier’s security posture and the integrity of the software they offer would be necessary to attain a high enough level of supplier certification.
Such capabilities are not imminent at this moment, but they might be investigated in the future for inclusion in the MITRE SoT’s organizational security area.
Consistency and Synergy in Supply Chain Evaluation
Today’s global security issues frequently center on supply chain trustworthiness.
The System of Trust (SoT), a community initiative to develop and assess a mechanism for integrating evidence of the organizational, technical, and transactional trustworthiness of supply chain parts for supply chain security decision makers, is discussed in detail in this presentation.
The main worries and risks that prohibit businesses from depending on their suppliers, products, and service offerings are defined, grouped, and addressed by this framework.
Importantly, the framework offers a thorough, uniform, and repeatable methodology based on years of supply chain security expertise, in-depth comprehension of the complex issues facing the operations and procurement communities, and extensive knowledge of pertinent best practices and standards.
By building and curating a structured corpus of risks about trusting organizations, products and components, and service offerings that can be adopted, taught, and used by any organization involved in a supply chain, SoT offers a framework for focusing concise and rapid attention on those risks most relevant and actionable to the parties involved in exchanging goods and services.
This is comparable to how MITRE’s ATT&CK framework promotes communication and collaboration in the field of cyber risk.