AppSec & Supply Chain Security
June 8, 2022

MITRE’s System of Trust: A standard for software supply chain security

MITRE’s System of Trust framework is aiming to standardize how software supply chain security is assessed. MITRE's Robert Martin explains.

Paul Roberts, Director of Content and Editorial at RL

The security of software supply chains is one of the biggest topics at this week’s RSA Conference in San Francisco, where dozens of presentations and panels will pick apart all aspects of supply chain risk, attacks, and defense.

But what constitutes software supply chain security? And how do we compare the security of one firm (or supplier) against another? With no agreed-upon definition of supply chain security, assessments of it are often narrowly focused and bespoke.

What is needed is something closer to a framework for measuring supply chain risk. At the RSA Conference on Tuesday, Robert Martin, a senior staffer in the MITRE Labs Cyber Solutions Innovation Center, is presenting one idea for realizing something close to that: a “System of Trust” framework that MITRE says will provide a way to assess the relative software supply chain risk of organizations across the economy.

The SoT, which has been described by MITRE in a series of papers (PDF), is intended as a kind of “GAAP” (generally accepted accounting principles) for software supply chain security. Just as GAAP standardizes financial accounting practices and measures (at least among North American firms), the MITRE SoT looks to do the same for supply chain security. To call attention to its work on supply chain security, MITRE launched a new website, sot.mitre.org.

In a conversation for our ConversingLabs podcast recorded at RSA, Martin said the System of Trust builds on decades of work that MITRE has done — dating back to the Cold War — on behalf of Federal government agencies and contractors: helping them to identify quality suppliers and also avenues for threats and attacks, such as industrial espionage.

The making of the MITRE System of Trust

"This is the 'next step' for things that have been going on for a number of years," Martin told me in an interview from the RSA Conference in San Francisco. "This movement into the supply chain is really stepping up into the organization. These issues are not for the technologists. This is a business issue that needs business attention," he said.

Though questions about supply chain security go back decades, the growing reliance on information and communications technology (ICT) in recent years has complicated an already difficult task, Martin notes in the 2021 report:

The computerization of everything gave rise to pervasive cyber threats – including those stemming from vulnerabilities inherent in repurposed software of often dubious provenance. Our adversaries seek to inject themselves into every conceivable stage of technology development, for both disruptive and intelligence objectives.

The COVID pandemic has highlighted supply chain risk as well by contributing to supply chain disruptions. But many organizations currently have no holistic way to assess supply chain security and integrity. "They're either building their own little lists of these issues, or borrowing something from some other project they thought was good," Martin said. "Both are not really going to give you the holistic context you need to start with."

The System of Trust provides a framework on which to start answering some of the questions about supply chain risk, not just in government, but in the private sector also. The SoT provides a “consistent, and repeatable methodology” for evaluating suppliers, supplies, and service providers, MITRE says.

MITRE System of Trust: Key categories

The System of Trust is organized into key categories of supply chain participants, including suppliers, supplies, and services. For each, the SoT focuses on a small number of risk areas that government agencies and enterprises are asked to evaluate during the acquisition process and then “make decisions about” whether that evaluation has identified undue risk.

For example, when evaluating supplies or components used in a product or service, organizations using the System of Trust framework are asked to look for issues related to possible counterfeit products, assess the “hygiene” of the supplies and look for evidence of “malicious taint” by assessing the provenance of the software, how it was made (software composition) and any updates.

Organizations assessing the security of suppliers are asked to consider 5 risk categories comprising 26 risk factors. They include “organizational security” (both IT and data security) as well as “maliciousness” - say, being named on a sanctions list or investigated for fraud and corruption. A supplier’s financial health and ownership is part of the assessment, as are its internal cybersecurity practices and how it attains software and hardware assurance.

Trust what the software or service is all about

The goal is to enable an acquirer of software or services to make “a clear, well informed decision about whether to purchase from a particular entity, and whether to purchase a specific item/part number from that entity,” MITRE said.

Assessments begin with general “scoping” questions for the would-be supply chain partner with a goal of orienting the System of Trust framework to the product, service or supplier in question. From there, subject-specific questions are posed about the presence (or absence) of “aspects of concern.” These questions may reflect best practices from government and industry.

Risks that are identified are scored using what MITRE describes as a “set of contextually driven, tailorable, weighted measurements that are used as inputs into a scoring algorithm.”

MITRE said it has used the SoT to evaluate a set of 11 publicly traded companies with promising results. Resulting risk scores ranged from 15 to 58 out of 70, with lower scores connoting lower risk. For the company scoring the “58,” both IT security and its financial stability raised red flags under the SoT evaluation.
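To make the mechanics described above concrete, here is an added illustrative example written for this article. It is not MITRE's System of Trust scoring algorithm, whose real factors, weights and formula the article does not give: yes/no findings about “aspects of concern” carry tailorable weights, are aggregated per risk category, combined with category weights, and scaled to the article's 0 to 70 range where lower is better. The category names are borrowed from the article's examples; the factor names, the weights, the treatment of unanswered questions and the two supplier answer sets are all constructed assumptions.

```python
"""Illustrative weighted supply chain risk scoring.

Constructed example: NOT MITRE's System of Trust algorithm. The article gives
only the shape (tailorable, weighted measurements feeding a scoring algorithm,
on a scale where 15..58 out of 70 was observed and lower is better).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

MAX_SCORE = 70  # top of the scale quoted in the article; 0 = lowest risk

# Constructed factor catalogue: (aspect of concern, category, weight).
# Category names follow the article's examples; factor names and weights are
# assumptions, not SoT's real 26 risk factors.
FACTOR_TEMPLATE = [
    ("data security controls lacking", "organizational security", 2.0),
    ("IT security program lacking", "organizational security", 1.0),
    ("named on a sanctions list", "maliciousness", 3.0),
    ("under investigation for fraud or corruption", "maliciousness", 1.0),
    ("going-concern doubt in financials", "financial health and ownership", 2.0),
    ("beneficial ownership opaque", "financial health and ownership", 1.0),
    ("no vulnerability disclosure process", "cybersecurity practices", 1.0),
    ("no secure development lifecycle", "cybersecurity practices", 2.0),
    ("no software assurance evidence", "software and hardware assurance", 1.0),
    ("no hardware assurance evidence", "software and hardware assurance", 1.0),
]

# Tailorable category weights (assumption): maliciousness counts double.
CATEGORY_WEIGHTS = {
    "organizational security": 1.0,
    "maliciousness": 2.0,
    "financial health and ownership": 1.0,
    "cybersecurity practices": 1.0,
    "software and hardware assurance": 1.0,
}


@dataclass
class Factor:
    name: str
    category: str
    weight: float
    concern: Optional[bool]  # True = present, False = absent, None = not assessed


@dataclass
class Assessment:
    supplier: str
    factors: list[Factor]
    category_weights: dict[str, float]
    # A skipped question is a gap in evidence; by default it scores as if the
    # concern were present, so an incomplete assessment cannot look safer.
    unknown_counts_as_concern: bool = True


def build_assessment(supplier: str, answers: dict[str, Optional[bool]],
                     unknown_counts_as_concern: bool = True) -> Assessment:
    """Fill the catalogue with yes/no answers; missing answers stay None."""
    factors = [Factor(n, c, w, answers.get(n)) for n, c, w in FACTOR_TEMPLATE]
    return Assessment(supplier, factors, CATEGORY_WEIGHTS, unknown_counts_as_concern)


def category_scores(a: Assessment) -> dict[str, float]:
    """Weighted fraction (0..1) of concerns present in each category."""
    totals: dict[str, float] = {}
    hits: dict[str, float] = {}
    for f in a.factors:
        totals[f.category] = totals.get(f.category, 0.0) + f.weight
        present = a.unknown_counts_as_concern if f.concern is None else f.concern
        if present:
            hits[f.category] = hits.get(f.category, 0.0) + f.weight
    return {c: hits.get(c, 0.0) / totals[c] for c in totals}


def risk_score(a: Assessment) -> float:
    """Category scores combined by category weight, scaled to 0..MAX_SCORE."""
    cats = category_scores(a)
    wsum = sum(a.category_weights[c] for c in cats)
    combined = sum(cats[c] * a.category_weights[c] for c in cats) / wsum
    return round(combined * MAX_SCORE, 1)


def red_flags(a: Assessment, threshold: float = 0.5) -> list[str]:
    """Categories whose concern fraction reaches the threshold, for review."""
    return sorted(c for c, s in category_scores(a).items() if s >= threshold)


# Two constructed suppliers. Every factor not listed is 'not assessed'.
SUPPLIER_A = build_assessment("Supplier A (constructed)", {
    "data security controls lacking": False, "IT security program lacking": False,
    "named on a sanctions list": False, "under investigation for fraud or corruption": False,
    "going-concern doubt in financials": False, "beneficial ownership opaque": True,
    "no vulnerability disclosure process": False, "no secure development lifecycle": False,
    "no software assurance evidence": False,  # hardware assurance left unassessed
})
SUPPLIER_B = build_assessment("Supplier B (constructed)", {
    "data security controls lacking": True, "IT security program lacking": False,
    "named on a sanctions list": False, "under investigation for fraud or corruption": True,
    "going-concern doubt in financials": True, "beneficial ownership opaque": True,
    "no vulnerability disclosure process": False, "no secure development lifecycle": True,
    # both assurance questions skipped -> scored as concerns present
})

if __name__ == "__main__":
    for s in (SUPPLIER_A, SUPPLIER_B):
        print(f"{s.supplier}: {risk_score(s)}/{MAX_SCORE}, flags: {red_flags(s)}")
```

The one design choice worth noting is how an unanswered question is treated: scoring it as a concern means a supplier that declines to provide evidence cannot score better than one that provides it and fails, and the flag list shows exactly which category that gap pushed over the review threshold. Flipping `unknown_counts_as_concern` to `False` shows how much of a score is driven by missing evidence rather than by findings.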

Putting the System of Trust into action

Martin said that the System of Trust is a "starting point" for organizations to step into the question of supply chain security. Even if individual organizations don't feel the need to implement the entire system of trust internally, just engaging in the process can give them a quick read on whether they face supply chain risks that warrant attention.

Martin uses the example of "counterfeits," which is one of the risk areas for supplies. The methodology for spotting counterfeit components in your supply chain varies greatly depending on whether you're making microelectronics or, say, handbags. However, simply recognizing that counterfeits are an issue your organization needs to be aware of and address is an important first step, Martin said.

Keep learning

  • Get up to speed on the state of software security with RL's Software Supply Chain Security Report 2026. Plus: Watch the webinar discussing the findings.
  • Learn why binary analysis is a must-have in the Gartner® CISO Playbook for Commercial Software Supply Chain Security.
  • Take action on securing AI/ML with our report: AI Is the Supply Chain. Plus: See RL's research on nullifAI and watch how RL discovered the novel threat.
  • Get the report: Go Beyond the SBOM. Plus: See the CycloneDX xBOM webinar.

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.
