Definition
A widely-used checklist and methodology (from CIS and SAFECode, building on NIST's Secure Software Development Framework) that helps procurement teams and assessors judge whether a vendor built their software — including AI features — with security baked in from the start, rather than bolted on afterward. The newest version adds specific criteria for assessing AI components.
Why it matters
Procurement and vendor-risk teams now have a concrete, referenceable standard to demand evidence of secure AI development practices before signing a contract, rather than taking a vendor's word for it.