|
|
G.1.1 Organizational security requirements
|
|
|
G.1.2 Software license conflict
|
|
|
G.1.3 Produce attestation
|
|
|
G.1.4 Deliver provenance
|
|
|
G.1.5 Deliver SBOM
|
|
|
G.2.1 Upper management support
|
|
|
G.2.2 Secure SDLC checks
|
|
|
G.2.3 Roles and responsibilities
|
|
|
G.2.4 Security code review policy
|
|
|
G.2.5 Asset inventory
|
|
|
G.2.6 Protection of information at rest
|
|
|
G.3.1 Security-related contract terms
|
|
|
G.3.2 Separation of duties
|
|
|
G.3.3 Information disclosure
|
|
|
G.3.4 Session audits
|
|
|
G.3.5 Notification agreement
|
|
|
G.4.1 Role-based training
|
|
|
G.4.2 Contingency training
|
|
|
G.4.3 Gather attack trends
|
|
|
G.5.1 Criticality analysis
|
|
|
G.5.2 Track security risks and decisions
|
|
|
G.5.3 Security metrics
|
|
|
G.5.4 Data-informed product decisions
|
|
|
P.1.1 Product security requirements
|
|
|
P.1.2 Software release integrity
|
|
|
P.2.1 Security design review
|
|
|
P.2.2 Secure coding
|
|
|
P.2.3 Secure-by-default implementation
|
|
|
P.2.4 Standard security features
|
|
|
P.2.5 In-house components
|
|
|
P.2.6 Confirm Integrity of AI model data
|
|
|
P.3.1 Component and container choice
|
|
|
P.3.2 Trusted repositories
|
|
|
P.3.3 Require signed commits
|
|
|
P.3.4 Vetted third-party component and container repositories
|
|
|
P.4.1 Security code review
|
|
|
P.4.2 Automated security scanning tools
|
|
|
P.4.3 Automated vulnerability detection
|
|
|
P.4.4 Executable security testing
|
|
|
P.4.5 Regular third-party compliance
|
|
|
P.5.1 SBOM consumption
|
|
|
P.5.2 Dependency update
|
|
|
E.1.1 Safely store release artifacts
|
|
|
E.1.2 Version control
|
|
|
E.1.3 Multi-factor authentication (MFA)
|
|
|
E.1.4 Developer SSH key
|
|
|
E.1.5 Branch protection
|
|
|
E.1.6 Decommission assets
|
|
|
E.2.1 Release policy verification
|
|
|
E.2.2 Verify dependencies and environment
|
|
|
E.2.3 Defensive compilation and build
|
|
|
E.2.4 CI/CD hosting and automation
|
|
|
E.2.5 Secured orchestration platform
|
|
|
E.2.6 Reproducible builds
|
|
|
E.2.7 Build output
|
|
|
E.2.8 Hardened and isolated builds
|
|
|
E.3.1 Authentication
|
|
|
E.3.2 Environmental separation
|
|
|
E.3.3 Role-based access control
|
|
|
E.3.4 Information flow enforcement
|
|
|
E.3.5 Baseline configuration
|
|
|
E.3.6 Monitor changes to configuration settings
|
|
|
E.3.7 Boundary protection
|
|
|
E.3.8 Key rotation
|
|
|
E.3.9 Ephemeral credentials
|
|
|
E.3.10 Establish a root of trust
|
|
|
D.1.1 Vulnerability analysis
|
|
|
D.1.2 Risk-based vulnerability remediation
|
|
|
D.1.3 Vulnerability disclosure
|
|
|
D.1.4 Vulnerability eradication
|
|
|
D.1.6 Root cause analysis
|
|
|
D.2.1 System monitoring
|
|
|
D.2.2 Build process monitoring
|
|
|
P.3.5 Prevent component vetting bypass
|
|
|
D.1.5 Emergency artifact fix
|
|
|
G.3.x Support Upstream Dependencies
|
|
|
E.3.x Development Environment Scanning Tools
|
|
|
D.1.x Establish Response Partnerships
|