G.1.1 Organizational security requirements

Control Details

Objective

Organizational security requirements, such as those imposed by standards and regulations, are included in the SDLC.

Definition

Identify, document, communicate, and maintain security requirements and policies for the organization's software development infrastructure, including all AI models used, and for its secure SDLC. Keep these requirements and policies current over time. Incorporate constraints imposed by standards and regulations as well as customer-driven security requirements.

Assessment Questions

  1. How do you document and share a secure SDLC that the engineers are aware of?
  2. How do you define security requirements and policies for the organization, its development infrastructure, contributions, and processes?
  3. How are these requirements and contributions maintained over time?
  4. How are constraints imposed by regulatory and compliance drivers included in these requirements, policies, and the SDLC?

Reference sources

  1. EO 4e(ix)
  2. SSDF PO.1.1
  3. SSDF-AI PO.1.1 PO.1.2
  4. BSIMM CP1.1 CP1.2 CP1.3 SE3.9 SR1.1 SR2.2 SR3.3
  5. 800-161 SA-15
  6. CNCF-SSC SC-CE: Establish and adhere to contribution policies
  7. Self-attestation 2
  8. SAMM G-PC-1-A G-PC-2-B