GRN 6.2 - 3rd Party Contingency

NIST AI RMF (in the playbook companion) states:

GOVERN 6.2

Contingency processes are in place to handle failures or incidents in third-party data or AI systems deemed to be high-risk.

About

To mitigate the potential harms of third-party system failure, organizations should implement policies and procedures that include redundancies for covering third-party functions.

Actions
  • Establish policies for handling third-party system failures to include consideration of redundancy mechanisms for vital third-party AI systems.

  • Verify that incident response plans address third-party AI systems.

Transparency and Documentation

Organizations can document the following:

  • To what extent does the plan specifically address risks associated with acquisition, procurement of packaged software from vendors, cybersecurity controls, computational infrastructure, data, data science, deployment mechanics, and system failure?

  • Did you establish a process for third parties (e.g. suppliers, end-users, subjects, distributors/vendors or workers) to report potential vulnerabilities, risks or biases in the AI system?

  • If your organization obtained datasets from a third party, did your organization assess and manage the risks of using such datasets?
