The Supply Chain Management, Transparency, and Accountability (STA) domain helps cloud parties define a broad set of supply chain risk management controls, such as managing the Shared Security Responsibility Model (SSRM) between cloud service providers (CSPs) and cloud service customers (CSCs). These controls enable third-party providers to employ appropriate security measures to protect the confidentiality, integrity, and availability of information, applications, and services across the full technology stack. They also help manage security and regulatory compliance across the supply chain.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| STA-16 | Supply Chain Data Security Assessment | mitigates | T1176 | Software Extensions | The mitigative applications of this control relate to (e) "software supply chain risk management practices for ensuring software integrity, traceability, and provenance (e.g., software build practices, component management, and use of Software Bill of Materials (SBOMs))". SBOMs provide transparency into software components, which enables identification of vulnerable software libraries, components, or code and supports remediation before vulnerable or malicious code is injected or executed. |
| STA-16 | Supply Chain Data Security Assessment | mitigates | T1195.002 | Compromise Software Supply Chain | The mitigative applications of this control relate to (e) "software supply chain risk management practices for ensuring software integrity, traceability, and provenance (e.g., software build practices, component management, and use of Software Bill of Materials (SBOMs))". SBOMs provide transparency into software components, which enables identification of vulnerable software libraries, components, or code and supports remediation before vulnerable or malicious code is injected or executed. |
| STA-16 | Supply Chain Data Security Assessment | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools | The mitigative applications of this control relate to (e) "software supply chain risk management practices for ensuring software integrity, traceability, and provenance (e.g., software build practices, component management, and use of Software Bill of Materials (SBOMs))". SBOMs provide transparency into software components, which enables identification of vulnerable software libraries, components, or code and supports remediation before vulnerable or malicious code is injected or executed. |
| STA-16 | Supply Chain Data Security Assessment | mitigates | T1195 | Supply Chain Compromise | The mitigative applications of this control relate to (e) "software supply chain risk management practices for ensuring software integrity, traceability, and provenance (e.g., software build practices, component management, and use of Software Bill of Materials (SBOMs))". SBOMs provide transparency into software components, which enables identification of vulnerable software libraries, components, or code and supports remediation before vulnerable or malicious code is injected or executed. |
| STA-10 | Supply Chain Risk Management | mitigates | T1525 | Implant Internal Image | The mitigative applications of this control relate to (c) "documentation and testing of the specific technical controls implemented to support the product or service (e.g., identity and access management, network design and security)" and (e) "software supply chain risk management practices for ensuring software integrity, traceability, and provenance (e.g., software build practices, component management, and use of Software Bill of Materials (SBOMs))". Code signing ensures the authenticity and integrity of software by digitally signing executables, scripts, images, and other code artifacts, so that an implanted or modified image fails signature verification before it is deployed. |
| STA-10 | Supply Chain Risk Management | mitigates | T1190 | Exploit Public-Facing Application | The mitigative applications of this control relate to (c) "documentation and testing of the specific technical controls implemented to support the product or service (e.g., identity and access management, network design and security)" and (e) "software supply chain risk management practices for ensuring software integrity, traceability, and provenance (e.g., software build practices, component management, and use of Software Bill of Materials (SBOMs))". SBOMs provide transparency into software components, which enables identification of vulnerable software libraries, components, or code in public-facing applications or systems and supports remediation before vulnerable or malicious code is exploited or executed there. |
| STA-10 | Supply Chain Risk Management | mitigates | T1210 | Exploitation of Remote Services | The mitigative applications of this control relate to (c) "documentation and testing of the specific technical controls implemented to support the product or service (e.g., identity and access management, network design and security)". Network design and security testing (segmentation, secure protocols, egress controls) limits an adversary's ability to exploit vulnerable services reachable on internal networks, such as SMB, RDP, MySQL, and web server services, to move laterally from a compromised host or to exfiltrate data via compromised software components. |
| STA-10 | Supply Chain Risk Management | mitigates | T1176 | Software Extensions | The mitigative applications of this control relate to (e) "software supply chain risk management practices for ensuring software integrity, traceability, and provenance (e.g., software build practices, component management, and use of Software Bill of Materials (SBOMs))". SBOMs provide transparency into software components, which enables identification of vulnerable software libraries, components, or code in installed software extensions on endpoints and supports remediation before vulnerable or malicious code is injected or executed. |
| STA-10 | Supply Chain Risk Management | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools | The mitigative applications of this control relate to (e) "software supply chain risk management practices for ensuring software integrity, traceability, and provenance (e.g., software build practices, component management, and use of Software Bill of Materials (SBOMs))". SBOMs provide transparency into software components, which enables identification of vulnerable software libraries, components, or code and supports remediation before vulnerable or malicious code is injected or executed. |
| STA-10 | Supply Chain Risk Management | mitigates | T1195.002 | Compromise Software Supply Chain | The mitigative applications of this control relate to (e) "software supply chain risk management practices for ensuring software integrity, traceability, and provenance (e.g., software build practices, component management, and use of Software Bill of Materials (SBOMs))". SBOMs provide transparency into software components, which enables identification of vulnerable software libraries, components, or code and supports remediation before vulnerable or malicious code is injected or executed. |
| STA-10 | Supply Chain Risk Management | mitigates | T1195 | Supply Chain Compromise | The mitigative applications of this control relate to (e) "software supply chain risk management practices for ensuring software integrity, traceability, and provenance (e.g., software build practices, component management, and use of Software Bill of Materials (SBOMs))". SBOMs provide transparency into software components, which enables identification of vulnerable software libraries, components, or code and supports remediation before vulnerable or malicious code is injected or executed. |
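The SBOM-based checks that the STA-10 and STA-16 mappings above rely on (identifying vulnerable components and verifying that delivered artifacts match what the supplier attested) can be demonstrated concretely. The following Python is an added example, not code from the CCM, the mapping project, or any CycloneDX tooling. It builds a small CycloneDX-style JSON SBOM over constructed artifact bytes, matches each component's package URL (purl) and version against a constructed advisory list with placeholder IDs, and recomputes SHA-256 hashes to detect a substituted dependency. The package names, versions, advisory IDs, and bytes are all made up for the example.

```python
import hashlib
import json

# Constructed sample inputs: artifact bytes keyed by package URL (purl). In a
# real pipeline these would be the downloaded wheels/tarballs/images. All
# names, versions and bytes here are made up for this example.
ARTIFACTS = {
    "pkg:pypi/example-http@2.3.1": b"example-http 2.3.1 wheel (constructed)",
    "pkg:pypi/example-yaml@5.1.0": b"example-yaml 5.1.0 wheel (constructed)",
    "pkg:npm/example-ui@1.0.4": b"example-ui 1.0.4 tarball (constructed)",
}

# Constructed advisory feed: a component is affected if its purl (minus the
# version) equals purl_prefix and its version is lower than affected_below.
# The IDs are placeholders, not real vulnerability identifiers.
ADVISORIES = [
    {"id": "TEST-ADV-1", "purl_prefix": "pkg:pypi/example-yaml", "affected_below": "5.2.0"},
    {"id": "TEST-ADV-2", "purl_prefix": "pkg:npm/example-ui", "affected_below": "1.0.2"},
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_sbom() -> str:
    """Emit a minimal CycloneDX 1.5 JSON SBOM describing ARTIFACTS.

    Each component records its purl and the SHA-256 of the artifact bytes;
    that hash is what lets a consumer later check integrity and provenance.
    """
    components = []
    for purl, blob in ARTIFACTS.items():
        base, version = purl.rsplit("@", 1)
        components.append({
            "type": "library",
            "name": base.rsplit("/", 1)[1],
            "version": version,
            "purl": purl,
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(blob)}],
        })
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                       "components": components})


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version into a comparable tuple (simple scheme only)."""
    return tuple(int(part) for part in version.split("."))


def find_vulnerable(sbom_json: str, advisories: list) -> list:
    """Return (purl, advisory_id) pairs for SBOM components matched by an advisory."""
    hits = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl", "")
        base, _, version = purl.rpartition("@")
        for adv in advisories:
            if base == adv["purl_prefix"] and \
               parse_version(version) < parse_version(adv["affected_below"]):
                hits.append((purl, adv["id"]))
    return hits


def verify_artifacts(sbom_json: str, artifacts: dict) -> dict:
    """Check each component's recorded SHA-256 against the bytes actually obtained.

    A False entry means the artifact is missing or does not match what the
    supplier's SBOM attests, i.e. possible tampering or a substituted dependency.
    """
    results = {}
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp["purl"]
        expected = {h["content"].lower() for h in comp.get("hashes", [])
                    if h["alg"].upper() == "SHA-256"}
        blob = artifacts.get(purl)
        results[purl] = blob is not None and sha256_hex(blob) in expected
    return results


if __name__ == "__main__":
    sbom = build_sample_sbom()
    print("vulnerable components:", find_vulnerable(sbom, ADVISORIES))
    print("artifact integrity:", verify_artifacts(sbom, ARTIFACTS))
```

Two caveats a practitioner would add: the version comparison here handles only plain dotted numeric versions, whereas real advisory matching should use ecosystem-aware version semantics and a maintained vulnerability database; and a hash check is only as trustworthy as the SBOM it reads from, so the SBOM itself must be authenticated (for example signed by the supplier) or an attacker who can substitute the artifact can substitute the SBOM as well.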
| Capability ID | Capability Name | Number of Mappings |
|---|---|---|
| STA-10 | Supply Chain Risk Management | 7 |
| STA-16 | Supply Chain Data Security Assessment | 4 |