In a validated trust model, one organization obtains information on the actions of another organization (e.g., the organization's cybersecurity policies, activities, and risk-related decisions) and uses the information to establish a level of trust with other organizations. An example of validated trust is when one organization develops an information technology (IT) and industrial control system (ICS) application and provides evidence (e.g., security plan, assessment results) that the application meets certain security requirements. The evidence offered may not fully satisfy the trust requirements or expectations. Additional evidence may be needed between organizations to establish trust. Trust is linked to the degree of transparency between two organizations with regard to risk and cybersecurity-related activities and decisions.
- Electricity Subsector Cybersecurity Risk Management Process, App. E, at 70.