# GRN 6.2 - 3rd Party Contingency

NIST AI RMF (in the playbook companion) states:

> ### GOVERN 6.2
>
> Contingency processes are in place to handle failures or incidents in third-party data or AI systems deemed to be high-risk.
>
> <details>
>
> <summary><strong>About</strong></summary>
>
> To mitigate the potential harms of third-party system failure, organizations should implement policies and procedures that include redundancies for covering third-party functions.
>
> </details>
>
> <details>
>
> <summary><strong>Actions</strong></summary>
>
> * Establish policies for handling third-party system failures to include consideration of redundancy mechanisms for vital third-party AI systems.
> * Verify that incident response plans address third-party AI systems.
>
> </details>
>
> <details>
>
> <summary><strong>Transparency and Documentation</strong></summary>
>
> **Organizations can document the following:**
>
> * To what extent does the plan specifically address risks associated with acquisition, procurement of packaged software from vendors, cybersecurity controls, computational infrastructure, data, data science, deployment mechanics, and system failure?
> * Did you establish a process for third parties (e.g. suppliers, end-users, subjects, distributors/vendors or workers) to report potential vulnerabilities, risks or biases in the AI system?
> * If your organization obtained datasets from a third party, did your organization assess and manage the risks of using such datasets?
>
> </details>
