AI security requirements communicated to AI providers

HITRUST CSF requirement statement [?] (14.05kAISecOrganizational.1)

Agreements between the organization and external commercial providers of AI system 
components and services clearly communicate the organization’s AI security requirements, 
including agreements with providers of AI
(1) models,
(2) datasets, 
(3) software packages, 
(4) platforms and computing infrastructure, 
(5) language model tools such as agents and plugins, and 
(6) contracted AI system-related services (e.g., outsourced AI system development), as 
applicable.

Evaluative elements in this requirement statement [?]

1. Agreements between the organization and external commercial providers of AI models 
clearly communicate the organization’s AI security requirements, as applicable.

2. Agreements between the organization and external commercial providers of AI 
datasets clearly communicate the organization’s AI security requirements, as applicable.

3. Agreements between the organization and external commercial providers of AI 
software packages clearly communicate the organization’s AI security requirements, 
as applicable.

4. Agreements between the organization and external commercial providers of AI 
platforms and computing infrastructure clearly communicate the organization’s AI 
security requirements, as applicable.

5. Agreements between the organization and external commercial providers of AI models 
clearly communicate the organization’s AI security requirements, as applicable.

6. Agreements between the organization and external commercial providers of contracted 
AI system-related services (e.g., outsourced AI system development) clearly communicate 
the organization’s AI security requirements, as applicable.

Illustrative procedures for use during assessments [?]

• Policy: Examine policies related to each evaluative element within the requirement statement. Validate the existence of a written or undocumented policy as defined in the HITRUST scoring rubric.
  
  
• Procedure: Examine evidence that written or undocumented procedures exist as defined in the HITRUST scoring rubric. Determine if the procedures and address the operational aspects of how to perform each evaluative element within the requirement statement.
  
  
• Implemented: Examine evidence that all evaluative elements within the requirement statement have been implemented as defined in the HITRUST scoring rubric, using a sample based test where possible for each evaluative element. Example test(s):
  • For example, review a sample of agreements between the organization and external commercial providers of AI system components and services to evidence these documents clearly communicate the organization’s AI security requirements. Further, confirm that agreements are in place with all providers of AI models, datasets, software packages, platforms and computing infrastructure, language model tools such as agents and plugins, and contracted AI system-related services (e.g., outsourced AI system development), as applicable.
    
    
• Measured: Examine measurements that formally evaluate and communicate the operation and/or performance of each evaluative element within the requirement statement. Determine the percentage of evaluative elements addressed by the organization’s operational and/or independent measure(s) or metric(s) as defined in the HITRUST scoring rubric. Determine if the measurements include independent and/or operational measure(s) or metric(s) as defined in the HITRUST scoring rubric. Example test(s):
  • For example, measures indicate if agreements between the organization and external commercial providers of AI system components and services clearly communicate the organization’s AI security requirements. Reviews, tests, or audits are completed by the organization to measure the effectiveness of the implemented controls and to confirm that agreements are in place with all providers of AI models, datasets, software packages, platforms and computing infrastructure, language model tools such as agents and plugins, and contracted AI system-related services (e.g., outsourced AI system development), as applicable.
    
    
• Managed: Examine evidence that a written or undocumented risk treatment process exists, as defined in the HITRUST scoring rubric. Determine the frequency that the risk treatment process was applied to issues identified for each evaluative element within the requirement statement.
  
  

Placement of this requirement in the HITRUST CSF [?]

• Assessment domain: 14 Third-party Assurance
• Control category: 05.0 – Organization of Information Security
• Control reference: 05.k – Addressing Security in Third Party Agreements
  
  

Specific to which parts of the overall AI system? [?]

AI application layer:

• AI plugins and agents
• The deployed AI application (Considered in the associated HITRUST e1, i1, or r2 assessment)
• The AI application’s supporting IT infrastructure (Considered in the associated HITRUST e1, i1, or r2 assessment)

AI platform layer:

• The AI platform and associated APIs (Considered in the associated HITRUST e1, i1, or r2 assessment)
• The deployed AI model
• Model engineering environment and model pipeline
• AI datasets and data pipelines
• AI compute infrastructure (Considered in the associated HITRUST e1, i1, or r2 assessment)
  
  

Discussed in which authoritative AI security sources? [?]

• ISO/IEC 38507:2022- Governance implications of the use of artificial intelligence by organizations
  2022, © International Standards Organization (ISO)/International Electrotechnical Commission (IEC)
  • Where:
    • 6. Policies to address the use of AI > 6.7. Risk > 6.7.2. Risk management
      
      
• ISO/IEC 42001:2023 Information technology — Artificial intelligence — Management system
  2023, © International Standards Organization (ISO)/International Electrotechnical Commission (IEC)
  • Where:
    • Annex A > A.10. Third-party and customer relationships > A.10.2. Allocating responsibilities
    • Annex A > A.10. Third-party and customer relationships > A.10.3. Suppliers
      
      
• LLM AI Cybersecurity & Governance Checklist
  Feb. 2024, © The OWASP Foundation
  • Where:
    • 3. Checklist > 3.7. Legal > Bullet #11
      
      

• OWASP AI Exchange
  2024, © The OWASP Foundation
  • Where:
    • #SUPPLYCHAINMANAGE
      
      

• Guidelines for Secure AI System Development
  Nov. 2023, Cybersecurity & Infrastructure Security Agency (CISA)
  • Where:
    • 2. Secure development > Secure your supply chain
      
      

• Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems
  Apr 2024, National Security Agency (NSA)
  • Where:
    • Secure the deployment environment > Manage deployment environment governance > Bullet 3
      
      

• Managing Artificial Intelligence-Specific Cybersecurity Risks in the Financial Services Sector
  March 2024, U.S. Department of the Treasury
  • Where:
    • 5. Best practices for managing AI-specific security risks > 5.9. Cybersecurity best practices to closely apply to AI systems
      
      

• Generative AI framework for HM Government
  2023, Central Digital and Data Office, UK Government
  • Where:
    • Building generative AI solutions > Buying generative AI > Specifying your requirements > Paragraph 1
    • Using generative AI safely and responsibly > Ethics > Accountability and responsibility > Practical recommendations > Bullet 3
      
      

Discussed in which commercial AI security sources? [?]

• The anecdotes AI GRC Toolkit
  2024, © Anecdotes A.I Ltd.
  • Where:
    • Control 3.2: Agreement
      
      

Control functions against which AI security threats? [?]

• Control function: Variance reduction
  • Denial of AI service
  • Prompt injection
  • Evasion
  • Model inversion
  • Model extraction and theft
  • Data poisoning
  • Model poisoning
  • Compromised 3rd-party training datasets
  • Compromised 3rd-party models or code
  • Confabulation
  • Excessive agency
  • Sensitive information disclosed in output
    

Additional information

• Q: When will this requirement included in an assessment? [?]
  • This requirement will always be added to HITRUST assessments which include the
    Security for AI systems regulatory factor.
  • No other assessment tailoring factors affect this requirement.
    
    

• Q: Will this requirement be externally inheritable? [?] [?]
  • No (joint responsibility). The AI application provider and its AI service providers (if used) are responsible for jointly performing this requirement outside of the AI system’s technology stack (e.g., through a jointly executed agreement / contract).