P.4.5 Regular third-party compliance
Control Details
Objective
Identify increased security risk from third-party and open-source components
Definition
Regularly check that third-party software components, including AI models, continue to comply with the contractual requirements, such as following a secure SDLC, and that detected vulnerabilities are fixed. Regularly scan components and containers for known vulnerabilities and for evidence that the artifacts are still being maintained and have not been abandoned or deprecated.
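As an added illustration of the scan this control calls for, not code from the original page or from any of the frameworks it references, the following Python script evaluates an SBOM against two signals: a known-vulnerability feed and per-package maintenance metadata (latest release date, publisher deprecation flag). The SBOM fragment, package names, registry records and advisory identifiers are all constructed for the example; the thresholds (block on critical/high severity, treat more than 365 days without a release as stale) are assumptions a program would set for itself. In practice the registry and advisory data would be pulled from the package registry, the project's repository and an advisory source on each scheduled run, and the SBOM would include the AI models the definition mentions as components.

```python
"""Scheduled third-party component check over a CycloneDX-style SBOM.

Flags components that (a) carry a blocking known vulnerability,
(b) are deprecated by their publisher, (c) show no release within the
stale window, or (d) have no maintenance metadata at all, which means
the organization cannot show evidence that the artifact is maintained.
"""
from dataclasses import dataclass
from datetime import date

# Constructed SBOM fragment (CycloneDX layout, fictitious packages).
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-pad", "version": "1.3.0",
         "purl": "pkg:npm/example-pad@1.3.0"},
        {"type": "library", "name": "example-http", "version": "2.31.0",
         "purl": "pkg:pypi/example-http@2.31.0"},
        {"type": "container", "name": "example-base", "version": "3.17",
         "purl": "pkg:oci/example-base@3.17"},
        {"type": "machine-learning-model", "name": "example-model",
         "version": "1.0", "purl": "pkg:generic/example-model@1.0"},
        {"type": "library", "name": "example-vendor-sdk", "version": "2.0",
         "purl": "pkg:generic/example-vendor-sdk@2.0"},
    ],
}

# Constructed maintenance metadata keyed by version-less purl. In a real
# run this comes from the registry or repository on every scheduled scan.
REGISTRY = {
    "pkg:npm/example-pad": {"latest_release": "2018-04-01", "deprecated": True},
    "pkg:pypi/example-http": {"latest_release": "2024-03-15", "deprecated": False},
    "pkg:oci/example-base": {"latest_release": "2024-01-10", "deprecated": False},
    "pkg:generic/example-model": {"latest_release": "2021-02-01", "deprecated": False},
    # example-vendor-sdk deliberately has no entry: nothing proves it is maintained.
}

# Constructed advisory feed: exact purl -> [(advisory id, severity)].
# The identifiers are placeholders, not real advisories.
ADVISORIES = {
    "pkg:oci/example-base@3.17": [("EXAMPLE-2024-0001", "critical")],
    "pkg:pypi/example-http@2.31.0": [("EXAMPLE-2023-0002", "medium")],
}


@dataclass(frozen=True)
class Finding:
    purl: str
    kind: str    # "vulnerability" | "deprecated" | "stale" | "unknown"
    detail: str


def base_purl(purl: str) -> str:
    """Strip qualifiers and the version: 'pkg:npm/x@1.0?arch=x86' -> 'pkg:npm/x'."""
    return purl.split("?", 1)[0].rsplit("@", 1)[0]


def evaluate(sbom, registry, advisories, today, max_age_days=365,
             block_severities=("critical", "high")):
    """Return the list of findings for every component in the SBOM."""
    findings = []
    for comp in sbom.get("components", []):
        purl = comp["purl"]
        # (a) known vulnerabilities at or above the blocking severity
        for adv_id, severity in advisories.get(purl, []):
            if severity.lower() in block_severities:
                findings.append(Finding(purl, "vulnerability", f"{adv_id} ({severity})"))
        meta = registry.get(base_purl(purl))
        if meta is None:
            # (d) no evidence either way: treat as a finding, not as a pass
            findings.append(Finding(purl, "unknown", "no maintenance metadata available"))
            continue
        # (b) publisher marked the artifact deprecated / end-of-life
        if meta.get("deprecated"):
            findings.append(Finding(purl, "deprecated", "marked deprecated by publisher"))
        # (c) no release inside the stale window
        age_days = (today - date.fromisoformat(meta["latest_release"])).days
        if age_days > max_age_days:
            findings.append(Finding(purl, "stale", f"last release {age_days} days ago"))
    return findings


def demo_findings(today_iso="2024-06-01"):
    """Run the check over the constructed data with a fixed 'today' for repeatability."""
    return evaluate(SBOM, REGISTRY, ADVISORIES, today=date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f.kind:13} {f.purl}: {f.detail}")
```

The "unknown" outcome is deliberate: a component for which no maintenance data can be obtained fails the check rather than passing silently, because the control asks for evidence that the artifact is maintained, not merely for the absence of a known problem. The medium-severity advisory on example-http is reported only if the blocking threshold is lowered, which is the policy knob a program would tune.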
Assessment Questions
- How do you verify that third-party software components continue to comply with the requirements defined by the organization, such as through using a secure SDLC and the delivery of attestation of security practices?
- How do you check that components are still being maintained and have not reached end-of-life or been abandoned?
- How are known critical vulnerabilities in third-party and open-source components and containers mitigated?
Reference sources
- EO 4e(iii) 4e(iv) 4e(vi) 4e(x)
- SSDF PW.4.4
- SSDF-AI PW.4.4
- 800-161 SA-4, SA-9, SA-11, SA-15, SR-3
- OWASP-SCVS 5 5.8
- S2C2F SCA-1, SCA-3
- Self-attestation 2, 3, 4
- SAMM I-SB-3-B D-SR-2-B
- CNCF-SSC BP-SA (Deploy monitoring tools to detect malicious behavior), D-A (Continuous vulnerability scanning)
- OSPS OSPS-VM-05 OSPS-VM-06