AAT-12.1: Data Source Identification

There is no evidence of a capability to identify and document data sources utilized in the training and/or operation of Artificial Intelligence and Autonomous Technologies (AAT).

Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• No formal Governance, Risk & Compliance (GRC) team exists to provide AAT oversight, where the Chief Information Officer (CIO), or similar function, governs technology decisions what is acceptable for AAT within the organization.
• AAT-related GRC activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
• AAT process owners lack dedicated GRC function oversight to identify AAT-related cybersecurity and data protection controls that are required to address applicable statutory, regulatory and contractual requirements for AAT governance activities.
• AAT-related processes are expected to follow the organization's existing processes (e.g., incident response, asset management, change control, risk assessments, etc.).

Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• AAT activities are decentralized and are not standardized across the organization, where non-standardized methods are used to develop, implement and maintain AAT solutions.
• AAT developers identify relevant controls that are appropriate to address applicable statutory, regulatory and contractual requirements.
• A qualified individual is assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain AAT-related development activities (e.g., Chief Technology Officer (CTO)).
• No formal Governance, Risk & Compliance (GRC) team exists to provide oversight of AAT-related activities. GRC roles are assigned to existing cybersecurity personnel.

Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's business strategy and prioritizes the objectives of the security function to determine prioritized and authoritative guidance for Artificial Intelligence and Autonomous Technologies (AAT), within the broader scope of cybersecurity and data protection operations.
• The CISO, or similar function, develops a security-focused Concept of Operations (CONOPS) that documents management, operational and technical measures to apply defense-in-depth techniques across the organization. This CONOPS for AAT may be incorporated as part of a broader operational plan for the cybersecurity and data privacy program.
• A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to facilitate the implementation of secure and compliant practices to protect the confidentiality, integrity, availability and safety of the organization's applications, systems, services and data. Compliance requirements for AAT are identified and documented.
• A steering committee is formally established to provide executive oversight of the cybersecurity and data privacy program, including AAT. The steering committee establishes a clear and authoritative accountability structure for AAT operations.
• Legal reviews are conducted to minimize the inadvertent infringement of third-party Intellectual Property (IP) rights through the use of AAT products and/ or services.
• AAT-specific compliance requirements for cybersecurity and data privacy are identified and documented.
• Governance function for AAT is formally assigned with defined roles and associated responsibilities.
• A Program Management Office (PMO), or similar function, tracks and reports on activities related to the mapping, measuring and managing of AAT.
• Secure engineering principles are identified and implemented to ensure AAT are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences.
• Robust development and pre-deployment functionality, security and data privacy testing is conducted on all internal and third-party AAT projects.
• Production use of AAT is closely monitored to minimize emergent properties or unintended consequences.
• Robust incident response and business continuity plans exist to respond to AAT-related emergent properties or unintended consequences.
• Data sources utilized in the training and/or operation of AAT are identified and documented.
• The Confidentiality, Integrity and Availability (CIA) of source data to prevent accidental contamination or malicious corruption (e.g., data poisoning) that could compromise the performance of AAT.

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to identify and document data sources utilized in the training and/or operation of Artificial Intelligence and Autonomous Technologies (AAT).

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to identify and document data sources utilized in the training and/or operation of Artificial Intelligence and Autonomous Technologies (AAT).