Mitre has introduced a new framework designed to help organizations evaluate and mitigate potential supply chain security risks, including concerns related to software acquisition. 

The System of Trust is a free and open platform that highlights the 14 risk areas organizations must consider when evaluating suppliers and service providers and offers a list of specific supply chain security risk questions, Mitre said Monday.

The framework works to enable organizations to rank suppliers based on their strengths and weaknesses. It also aims to ensure that organizations achieve a deeper understanding of supply chain security risks by providing a common vocabulary to reduce communication barriers.

Wen Masters, vice president for cyber technologies at Mitre, said the System of Trust platform continues the corporation’s mission of providing free cyber resources to help secure the entire supply chain and ensure “that goods and services can be delivered even in threatened and contested environments.”

Mitre unveiled the framework at the RSA 2022 Conference and will launch a follow-up report in July during the upcoming Supply Chain Summit.

The accreditation body responsible for helping operationalize the Department of Defense’s Cybersecurity Maturity Model Certification program has rebranded itself, seven months after the Pentagon revamped its initiative to ensure contractors meet standards for safeguarding sensitive information.

CMMC-AB adopted the name The Cyber AB, created a new website and redesigned its emblem as part of the rebranding move, the Maryland-based nonprofit said Tuesday.

The organization’s roles and responsibilities under a support agreement with the Pentagon will remain the same.

“As we get closer to CMMC becoming an operational reality, it was important for us to distinguish ourselves more effectively,” said Matthew Travis, CEO of The Cyber AB.

The non-governmental entity updated its online marketplace that lists service providers and other parties involved in the certification program for the defense industrial base’s cybersecurity efforts.

DOD formally introduced the program in January 2020 in a move to establish a mechanism for confirming the cyber readiness of defense primes and their subcontractors before they can do business with the department.

The Pentagon launched CMMC 2.0 in November last year after completion of an internal review.

The Cybersecurity and Infrastructure Security Agency, the National Security Agency and the FBI have released a joint advisory saying major telecommunications companies and network service providers have been targeted by Chinese state-backed cyberthreat actors using publicly known vulnerabilities since 2020.

Hackers are exploiting common vulnerabilities and exposures to compromise network devices, such as network attached storage devices and small office/home office routers, and gain access into victims’ accounts, NSA said Tuesday.

The three agencies listed the top network device CVEs that Chinese state-sponsored threat actors exploit, including vulnerabilities that allow remote code execution, privilege elevation and authentication bypass to compromise networks.

According to the advisory, threat actors carry out their intrusions by accessing hop points or compromised servers from several China-based internet protocol addresses resolving to various internet service providers in China. 

These hackers “typically obtain the use of servers by leasing remote access directly or indirectly from hosting providers,” the advisory reads.

Some of the mitigation measures outlined in the advisory are keeping systems patched and updated as soon as possible; removing suspected compromised devices from the network; segmenting networks to block lateral movement; enforcing multifactor authentication; disabling external management capabilities; and performing regular data backup procedures.