Taming the Chaos of Supply Chain Security Risks with MITRE's System of Trust™
The trust and trustworthiness of supply chains are at the center of many of today’s global security challenges. This presentation explores the details of MITRE’s System of Trust, a community effort to develop and validate a process for integrating evidence of the organizational, technical, and transactional trustworthiness of supply chain elements for decision makers dealing with supply chain security. The framework is defining, aligning, and addressing the specific concerns and risks that stand in the way of organizations trusting suppliers, supplies, and service offerings. More importantly, it offers a comprehensive, consistent, and repeatable methodology for evaluating suppliers, supplies, and service offerings alike, one that is based on decades of supply chain security experience, deep insight into the complex challenges facing the procurement and operations communities, and broad knowledge of the relevant standards and community best practices.
By creating and curating a community-enabled, structured corpus of concerns that matter when trusting organizations, products, components, and service offerings, a corpus that any organization involved in a supply chain can adopt, teach, and use, the System of Trust offers a framework for focusing concise and rapid attention on the risks most relevant and actionable to the parties exchanging goods and services. This is comparable to how MITRE’s ATT&CK framework enables discourse and synergies in the cyber risk domain. Additionally, the framework includes a mechanism for winnowing down and tailoring the overall System of Trust to a set of concerns and investigative questions that reflect the resources of your organization, the significance of the system or service to its operations, and the consequences that could result from failing to fully vet those concerns. Finally, the System of Trust provides scoring mechanisms that can be adapted to your organization’s priorities, operational sensitivities, and experience with its type of business and partners.
Robert A. Martin
Robert A. Martin, a Senior Principal Software and Supply Chain Assurance Engineer at the MITRE Corporation, has dedicated his career to solving some of the world’s most difficult problems in systems and software engineering. His work focuses on the interplay of risk management, cyber security, and quality assessment and assurance. For 23 years, Robert has applied his expertise to international cybersecurity initiatives such as CVE, CAPEC, and CWE, which host large active vendor and research communities, and is now working on standardizing the Software Bill of Materials (SBOM) and MITRE’s supply chain security System of Trust™.
Robert is frequently invited to speak on security and quality issues pertaining to software-based technology systems and the work of the IIC, and has published numerous articles and presentations. He has also contributed to or authored over 60 standards within ITU-T, ETSI, OMG, The Open Group, UL, and ISO, including the new ISO/IEC 5055 code quality measurement standard. Robert hosts quarterly meetings on software and supply chain assurance with over 300 participants from international, commercial, academic, and government communities.
Prior to joining MITRE, Robert designed and installed manufacturing control systems in Area 2 of Kodak Park and performed software integration and porting projects for both RPI and General Electric. Robert holds degrees in electrical engineering from RPI and an MBA from Babson.