Governance

Controls that focus on the organization, measurement of a secure software supply chain, decision-making policies, accountability to third-party obligations, and compliance with legal and regulatory requirements.

Practices

G

G.1 Perform compliance

Compliance is following established guidelines or specifications, possibly demonstrated through an audit.

G.2 Develop security policies

Establishing organizational roles and controls for driving internal security standards in alignment with the business purpose of the organization.

G.3 Manage suppliers

Controls to require that third-party suppliers employ adequate security measures to protect information, applications, AI models, and services provided to the organization.

G.4 Training

Educating all personnel with role-specific information about secure software development, including awareness, technical skills, and emergency response.

G.5 Assess and manage risk

Proactively analyzing, mitigating, and managing software supply chain risk and achieving the objectives of a software security program.