G.2.1 Upper management support
Control Details
Objective
Upper management understands the business risks of insecure software and supports the resources necessary for secure software development.
Definition
An upper management (e.g., c-suite) leadership team understands the business risk of insecure software development, including the AI models used and delivered, and of violating compliance and privacy obligations. The team is responsible for the entire software development process and for deploying secure software to production. The commitment of this team is communicated to personnel in development-related roles and is backed by a commitment to allocate adequate resources and to make the sometimes difficult business decisions that favor security over faster release dates.
Assessment Questions
- Please describe upper management's commitment to secure software development practices involving AI models.
- In what way is this commitment publicly demonstrated and communicated to personnel in development-related roles?
- Comment on the adequacy of resources dedicated to secure software development.