
PO.1.3: Communicate requirements to all third parties who will provide commercial software components to the organization for reuse by the organization’s own software. [Formerly PW.3.1]

>Control Description

Communicate requirements to all third parties who will provide commercial software components to the organization for reuse by the organization’s own software. [Formerly PW.3.1]

>Practice: PO.1

Define Security Requirements for Software Development

Ensure that security requirements for software development are known at all times so that they can be taken into account throughout the SDLC and duplication of effort can be minimized because the requirements information can be collected once and shared. This includes requirements from internal sources (e.g., the organization’s policies, business objectives, and risk management strategy) and external sources (e.g., applicable laws and regulations).

>Notional Implementation Examples

  1. Define a core set of security requirements for software components, and include it in acquisition documents, software contracts, and other agreements with third parties.
  2. Define security-related criteria for selecting software; the criteria can include the third party’s vulnerability disclosure program and product security incident response capabilities or the third party’s adherence to organization-defined practices.
  3. Require third parties to attest that their software complies with the organization’s security requirements.
  4. Require third parties to provide provenance data and integrity verification mechanisms for all components of their software.
  5. Establish and follow processes to address risk when there are security requirements that third-party software components to be acquired do not meet; this should include periodic reviews of all approved exceptions to requirements.

>Cross-Framework References

Mappings to related frameworks and standards from NIST SP 800-218

| Framework | References |
|---|---|
| BSA FSS | SM.1, SM.2, SM.2-1, SM.2-4 |
| BSIMM | CP2.4, CP3.2, SR2.5, SR3.2 |
| EO 14028 | 4e(vi), 4e(ix) |
| IDA SOAR | 19, 21 |
| IEC 62443 | SM-9, SM-10 |
| Microsoft SDL | 7 |
| NIST CSF | |
| OWASP SAMM | SR3-A |
| SAFECode Agile | Tasks Requiring the Help of Security Experts 8 |
| SAFECode FPSSD | Manage Security Risk Inherent in the Use of Third-Party Components |
| SAFECode SIC | Vendor Sourcing Integrity Controls |
| SP 800-160 | 3.1.1, 3.1.2 |
| SP 800-161 | SA-4, SA-9, SA-9(1), SA-9(3), SA-10, SA-10(1), SA-15, SR-3 (+2 more) |
| SP 800-181 (NICE) | T0203, T0415, K0039, S0374, A0056, A0161 |
