"MITRE Creates Framework for Supply Chain Security"

MITRE has developed a prototype framework for Information and Communications Technology (ICT) that defines and quantifies supply chain risks and security concerns, including software. The prototype framework, called System of Trust (SoT), is essentially a standard process for evaluating suppliers, supplies, and service providers. Cybersecurity teams can use it to assess a supplier or product. MITRE is known in the cybersecurity industry for leading the Common Vulnerabilities and Exposures (CVE) system, which catalogs known software vulnerabilities. It is also known for the ATT&CK framework, which maps the common actions threat groups take to infiltrate networks and breach systems. The SoT framework currently covers 12 top-level risk areas that firms should examine during their acquisition process, ranging from financial stability to cybersecurity standards. Over 400 questions cover various topics, including whether the supplier is correctly and thoroughly tracking software components, as well as their integrity and security. Each risk is assigned a score based on data measurements and a scoring system. The data scores indicate a supplier's strengths and weaknesses in relation to the various risk categories, so the trustworthiness of a software supplier can be assessed more quantitatively. This article continues to discuss MITRE's SoT prototype framework and how it goes hand in hand with Software Bill of Materials (SBOM) programs.

Dark Reading reports "MITRE Creates Framework for Supply Chain Security"
