In the mandated trust model, an organization establishes a level of trust with another organization on the basis of a specific mandate issued by a third party in a position of authority. This mandate can be established by the respective authority through legislation, directives, regulations, or policies (e.g., a policy from an organization directing that all subordinate components of the organization accept the results of security assessments conducted by any subordinate components of the organization). Mandated trust can also be established when an organization is decreed to be the authoritative source for the provision of information resources, including IT products, systems, or services. For example, an organization may be given the responsibility and the authority to issue public key infrastructure (PKI) certificates for a group of organizations.
- Electricity Subsector Cybersecurity Risk Management Process, App. E, at 71.