IIC Journal of Innovation 20th Edition Trustworthy July 2022, 20th Edition | Page 55

Figure 5-1. Address Chaos, Align & Organize, and then Simplify, Tailor & Use.
Specifically, we decided to develop the content of the SoT BoK in a managed data store that could be actively trimmed to an appropriate subset. That subset would be used as the basis of the evaluations and assessments driving decisions and choices. Until now, no known content management capabilities fit the needs for active BoK curation, tailoring, and assessment that could be shared and synchronized appropriately for separate deployments by a variety of organizations.
This challenge resulted in the development of the Risk Model Manager (RMM) - a cloud-native capability that provides the core underpinnings for developing a sharable supply chain risk taxonomy that is grounded in industry and government best practices, open-source components, cloud-native services, standards, and policy. The RMM was specifically developed to allow for active tailoring of the BoK into profiled sub-sets for use in assessment activities. While the current instantiations of the RMM are native to Amazon Web Services (AWS) environments, the architecture and components of the RMM technical platform can form the basis of versions usable in other cloud or non-cloud container environments.
To support assessments that leverage subsets of the supplier, supplies, and services risks, each risk must include knowledge of its contribution to a risk scoring approach as well as a scoring method that can adjust weighting to differing sets of risks in each profile. Additionally, each must support tailoring of those weights as part of the profile creation. We envision a variety of profiles created over time and plan to roll them into the baseline SoT BoK so that all RMM deployments can leverage them and, if they so choose, share them back for community use.
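One way the per-profile weight adjustment and tailoring described above could work, as an added example that is not MITRE's or the RMM's code. The risk identifiers, baseline weights, the 0-to-1 rating scale, and the renormalize-to-sum-1 scheme are all assumptions made for illustration.

```python
# Constructed baseline: risk id -> baseline weight (not real SoT BoK entries).
BASELINE = {"R1": 4.0, "R2": 3.0, "R3": 2.0, "R4": 1.0}


def build_profile(baseline, selected, overrides=None):
    """Return normalized weights for a profile (a subset of the baseline).

    `overrides` tailors individual weights at profile-creation time.
    Weights are renormalized so every profile sums to 1, which keeps
    scores from profiles of different sizes on the same scale.
    """
    overrides = overrides or {}
    selected = list(dict.fromkeys(selected))  # de-duplicate, keep order
    unknown = set(selected) - set(baseline)
    if unknown:
        raise ValueError(f"risks not in baseline: {sorted(unknown)}")
    stray = set(overrides) - set(selected)
    if stray:
        raise ValueError(f"override for unselected risk: {sorted(stray)}")
    raw = {rid: float(overrides.get(rid, baseline[rid])) for rid in selected}
    if any(w < 0 for w in raw.values()):
        raise ValueError("weights must be non-negative")
    total = sum(raw.values())
    if total <= 0:
        raise ValueError("profile needs at least one positively weighted risk")
    return {rid: w / total for rid, w in raw.items()}


def score(profile, ratings):
    """Weighted score in [0, 1]; each rating is 0 (no concern) to 1 (worst)."""
    missing = set(profile) - set(ratings)
    if missing:
        # An unassessed risk must not silently count as zero risk.
        raise ValueError(f"unrated risks in profile: {sorted(missing)}")
    for rid in profile:
        if not 0.0 <= ratings[rid] <= 1.0:
            raise ValueError(f"rating out of range for {rid}")
    return sum(profile[rid] * ratings[rid] for rid in profile)


if __name__ == "__main__":
    plain = build_profile(BASELINE, ["R1", "R4"])
    tailored = build_profile(BASELINE, ["R1", "R4"], {"R4": 4.0})
    ratings = {"R1": 0.5, "R4": 1.0}  # constructed assessment results
    print(plain, score(plain, ratings))
    print(tailored, score(tailored, ratings))
```

The same ratings produce a different score once the profile's weights are tailored, so a stored assessment result is only comparable alongside the profile that produced it.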
Finally, to foster broad adoption and understanding of how the System of Trust functions, MITRE will be providing a functional copy of the SoT RMM capability for public usage on the SoT website. Since evaluating products and services for specific risks can quickly become sensitive, the version of RMM provided will only allow for viewing the SoT BoK and selecting or creating a profile of the BoK. A spreadsheet export capability will provide a mechanism for downloading the resultant sub-set of the SoT BoK for evaluation on an organization's systems where they can protect the assessment appropriately.