G.3.1 Security-related contract terms

Control Details

Objective

Component, system, AI model, and service acquisition policies require adherence to security policies, security requirements, and secure SDLC practices that are compatible with compliance requirements.

Definition

Compliance requirements, security requirements, and secure SDLC practices are included in vendor contracts, together with specified means of enforcing adherence. Examples of such terms include supplying an SBOM, VEX statements, self-attestation of security practices, and provenance information; having a vulnerability disclosure program and an incident response plan; and having a security training program. The vendors include component, cloud, AI model, and middleware providers, container and orchestration providers, and contractors.

Assessment Questions

  1. What requirements language is included in system and services acquisition policies and contracts related to adherence to security policies, security requirements, and secure SDLC practices compatible with compliance requirements?
  2. How do you obtain SBOMs, provenance data, and attestation of adherence to security practices from your suppliers?
  3. How is adherence to contract terms verified?
  4. How do you track the provenance of training, testing, fine-tuning, and aligning data used for AI models?

Reference sources

  1. EO 4e(vi)
  2. SSDF PO.1.3
  3. SSDF-AI PO.1.3 PW.3.1 PW.3.2 PW.3.3
  4. SLSA Verifying artifacts
  5. OWASP-SCVS 1.5
  6. S2C2F ING-1
  7. CNCF-SSC M-V Require SBOMs and VEX statements from third-party suppliers
  8. BSIMM CP2.4 CP3.2 SR2.5 SR3.2
  9. 800-161 SA-1 SA-4 SI-3 SA-9 SR-4 SR-5 SR-6
  10. Self-attestation 3
  11. SAMM D-SR-3-B