MITRE creates framework for supply-chain security

Supply chain security has been all the buzz in the wake of high-profile attacks like SolarWinds and Log4j, but to date there is no single, agreed-on way to define or measure it. To that end, MITRE has built a prototype framework for information and communications technology (ICT) that defines and quantifies risks and security concerns over supply chain – including software.

MITRE’s so-called System of Trust (SoT) prototype framework is, in essence, a standard methodology for evaluating suppliers, supplies, and service providers. It can be used not just by cybersecurity teams but across an organization for assessing a supplier or product.

“An accountant, a lawyer, [or] an operations manager could understand this structure at the top level,” says Robert Martin, senior software and supply chain assurance principal engineer at MITRE Labs. “The System of Trust is about organizing and amalgamating existing capabilities that just don’t get connected right now” to ensure full vetting of software as well as service provider offerings, for example.

The SoT will make its official public debut next month at the RSA Conference (RSAC) in San Francisco, where Martin will present the framework as a first step in gathering security community support and insight for the project. So far, he says, the initial feedback has been “very positive.”

MITRE is best known in the cybersecurity sector for heading up the Common Vulnerabilities and Exposures (CVE) system that identifies known software vulnerabilities and, most recently, for the ATT&CK framework that maps the common steps threat groups use to infiltrate networks and breach systems.

Martin says he’ll demonstrate the SoT framework and provide more details on the project during his RSAC presentation. The framework currently includes 12 top-level risk areas – everything from financial stability to cybersecurity practices – that organizations should evaluate during their acquisition process. More than 400 specific questions cover issues in detail, such as whether the supplier is properly and thoroughly tracking the software components and their integrity and security.

To read the complete article, visit Dark Reading.