It has been reported that MITRE has built a prototype framework for information and communications technology (ICT) that defines and quantifies the risks and security concerns across the supply chain, including software. MITRE's System of Trust (SoT) prototype framework is, in essence, a standard methodology for evaluating suppliers, supplies, and service providers.
Supply chain risk is higher than ever, but as a security community we have relied far too heavily on questionnaires and "blind" third-party risk assessment platforms. The sheer volume of resources that customer and vendor security teams spend creating, answering, and reviewing questionnaires, whether completed by people or by tools, is not improving security; it is compounding our staffing challenges. We need a common standard that third parties (like us) can build to and evidence against, so that public- and private-sector operations consuming technologies and services can assess and adopt them rapidly and with confidence. SoT is that standard, and it comes from an entity we already trust to build and measure effective programs that deliver material benefits to the operations we protect. It will be adopted rapidly, and that in turn will let us select and consume the right technologies and services with confidence, while returning resources to both sides of the equation to further improve the security of products and programs.