G.2.3 Roles and responsibilities

Control Details

Objective

Ownership of security controls throughout the SDLC, at the organizational level and at the product-team and operational levels, is established and visible.

Definition

Throughout the organization, create new roles and alter the responsibilities of existing roles to incorporate security controls and practices, as appropriate, into the SDLC and to keep management educated and informed on security issues. These roles can be centralized within the organization to promote thought leadership among developers and architects, and also distributed throughout the organization as a network of security advocates.

Assessment Questions

  1. What security roles and responsibilities have been created to encompass all parts of the SDLC, both within the development teams and at an organizational level?
  2. What security roles and responsibilities have been created to address AI model acquisition, development, use, and publication?

Reference sources

  1. EO 4e(ix)
  2. SSDF PO.2.1
  3. SSDF-AI PO.2.1
  4. BSIMM SM2.3 SM2.7 CR1.7
  5. 800-161 SA-3
  6. SAMM G-EG-2-B
  7. OSPS OSPS-GV-01