C012—Third-party testing for customer-defined risk
>Control Description
Appoint expert third-parties to evaluate system robustness to additional high-risk outputs as defined in risk taxonomy at least every 3 months
Application
Mandatory
Frequency
Every 3 monthsCapabilities
Universal
>Controls & Evidence (1)
Third-party Evals
C012.1
Third-party evaluation report assessing customer-defined riskCore - This should include:
- Appointing qualified third-party assessors. Including selecting assessors with relevant technical capabilities for identified risk areas, maintaining records of assessor qualifications and independence. - Conducting regular testing. Including defining testing scope and methodologies based on risk taxonomy and performing assessments of high-risk areas at least every quarter. - Maintaining documentation. Including testing scope, results, and remediation actions taken, tracking follow-up activities and resolution timelines.
Typical evidence: Third-party evaluation report showing testing of customer-defined risk - must include documentation of assessor qualifications, testing methodology and findings, and improvement tracking with remediation timelines and documentation.
Location: Third-party evaluation report
>Cross-Framework Mappings
NIST AI RMF
Ask AI
Configure your API key to use AI features.