G.1.3 Produce attestation
Control Details
Objective
Produce an audit trail for every step in the build process, for the integrity and provenance of training data, and for the use of secure software development practices.
Definition
Configure tools to generate attestations (also called evidence) that form an audit trail for every step in the build process and for the use of secure software development practices. An attestation is a signed assertion, made by an identifiable party, that a record is authentic and has not been altered. Attestations should be retained in line with record retention requirements and preserve both the integrity of the findings and the authenticity of the information. For AI models, also generate attestations of the integrity and provenance of the training datasets. Assign responsibility for creating the attestations that tools cannot generate. Attestations should be immutable and published with the source repository releases, in the package registry, or elsewhere, with their existence recorded in a transparency log so that a consumer can detect a missing or replaced attestation.
Assessment Questions
- What automated or manual processes do you use to produce attestations for the build process, for the integrity and provenance of training data, and for the use of secure development practices?
- Where do you publish your attestations (e.g. source repository releases, package registries, transparency logs)?
- What are your auditability/retention requirements for these attestations?
- How is responsibility assigned for creating needed attestations that tools cannot generate?
- What tools or frameworks (e.g. TUF, in-toto) do you use to produce authenticated attestations?
- What is your rationale for providing self-attestation for your product?
- How do you ensure that the attestations are immutable?