🤖 AI Summary
This study addresses a practical problem for software organizations: deciding which risk management tasks actually counter which software supply chain attack techniques. To that end, it establishes a fine-grained mapping between MITRE ATT&CK adversary techniques and the tasks of the Proactive Software Supply Chain Risk Management (P-SSCRM) framework. The mapping was produced by four independent mapping strategies, with only the mappings agreed upon across strategies retained, which guards against any single mapper's bias. Because every P-SSCRM task is already linked to one or more tasks in ten prominent government and industry standards (the summary names NIST SSDF and ISO/IEC 27001 among them), the ATT&CK-to-P-SSCRM mapping also yields an indirect mapping from ATT&CK techniques to those standards, enabling cross-framework comparison and gap analysis. The resulting attack technique to defense task matrix gives organizations a traceable path from an observed or anticipated technique to the concrete tasks that mitigate it, and lets them identify techniques that no adopted task currently covers.
📝 Abstract
The MITRE Adversarial Tactics, Techniques and Common Knowledge (MITRE ATT&CK) Attack Technique to Proactive Software Supply Chain Risk Management Framework (P-SSCRM) Task mapping described in this document helps software organizations determine how different tasks mitigate the attack techniques used in software supply chain attacks. The mapping was created through four independent strategies whose results were compared to find agreed-upon mappings. Because each P-SSCRM task is mapped to one or more tasks from the 10 underlying frameworks, the mapping we provide is also a mapping between MITRE ATT&CK and other prominent government and industry frameworks.