PO.1.3: Communicate requirements to all third parties who will provide commercial software components to the organization for reuse by the organization’s own software. [Formerly PW.3.1]
Example 1: Define a core set of security requirements for software components, and include it in acquisition documents, software contracts, and other agreements with third parties.
Example 2: Define security-related criteria for selecting software; the criteria can include the third party’s vulnerability disclosure program and product security incident response capabilities or the third party’s adherence to organization-defined practices.
Example 3: Require third parties to attest that their software complies with the organization’s security requirements.
Example 4: Require third parties to provide provenance5 data and integrity verification mechanisms for all components of their software.
Example 5: Establish and follow processes to address risk when there are security requirements that third-party software components to be acquired do not meet; this should
Description
Communicate requirements to all third parties who will provide commercial software components to the organization for reuse by the organization’s own software. [Formerly PW.3.1]