V4: Supply Chain Security — MLASVS-SUPPLY¶
Overview¶
ML supply chain security addresses risks introduced by third-party models, pre-trained weights, training datasets, and ML libraries. Unlike traditional software supply chains, ML models can be compromised in ways that are difficult to detect — a poisoned model may perform correctly on standard benchmarks while containing hidden backdoors.
Key Threats¶
| Threat | MITRE ATLAS | MLASWE Reference |
|---|---|---|
| Compromised base model | AML.TA0003 | MLASWE-0009 |
| Poisoned pre-trained weights | AML.T0020 | MLASWE-0002 |
| Malicious dataset in supply chain | AML.T0020 | MLASWE-0009 |
| Vulnerable ML library | AML.TA0003 | MLASWE-0009 |
| Counterfeit model | AML.TA0003 | MLASWE-0009 |
| Tainted transfer learning source | AML.T0020 | MLASWE-0002 |
Subcategories¶
SUPPLY-1: ML-SBOM (Controls SUPPLY-001 through SUPPLY-008)¶
Machine Learning Software Bill of Materials — documenting all components in the ML supply chain.
SUPPLY-2: Base Model Vetting (Controls SUPPLY-009 through SUPPLY-014)¶
Security evaluation of pre-trained models and foundation models.
SUPPLY-3: Dependency Security (Controls SUPPLY-015 through SUPPLY-022)¶
Security of ML libraries, frameworks, and runtime dependencies.
Control Inventory¶
L1 Controls (12)¶
| ID | Control | MITRE ATLAS | Test Ref |
|---|---|---|---|
| SUPPLY-001 | ML-SBOM generation | AML.TA0003 | TEST-SUPPLY-001 |
| SUPPLY-002 | Pre-trained model origin verification | AML.TA0003 | TEST-SUPPLY-002 |
| SUPPLY-003 | Training dataset provenance | AML.TA0003 | TEST-SUPPLY-001 |
| SUPPLY-004 | ML library version tracking | AML.TA0003 | TEST-SUPPLY-001 |
| SUPPLY-005 | License compliance check | AML.TA0003 | TEST-SUPPLY-001 |
| SUPPLY-006 | Model hash verification at load | AML.TA0006 | TEST-SUPPLY-002 |
| SUPPLY-007 | Transfer learning source validation | AML.T0020 | TEST-SUPPLY-002 |
| SUPPLY-008 | Dataset license verification | AML.TA0003 | TEST-SUPPLY-001 |
| SUPPLY-009 | Base model vulnerability scanning | AML.TA0003 | TEST-SUPPLY-002 |
| SUPPLY-010 | ML dependency scanning | AML.TA0003 | TEST-SUPPLY-001 |
| SUPPLY-011 | Secure model distribution channels | AML.TA0002 | TEST-SUPPLY-002 |
| SUPPLY-012 | Third-party model evaluation report | AML.TA0003 | TEST-SUPPLY-002 |
L2 Controls (10)¶
| ID | Control | MITRE ATLAS | Test Ref |
|---|---|---|---|
| SUPPLY-013 | Automated ML-SBOM generation in CI/CD | AML.TA0003 | TEST-SUPPLY-001 |
| SUPPLY-014 | Continuous dependency monitoring | AML.TA0003 | TEST-SUPPLY-001 |
| SUPPLY-015 | Cryptographic model provenance | AML.TA0006 | TEST-SUPPLY-002 |
| SUPPLY-016 | Model signing and attestation | AML.TA0006 | TEST-SUPPLY-002 |
| SUPPLY-017 | Fine-tuning data provenance chain | AML.T0020 | TEST-SUPPLY-001 |
| SUPPLY-018 | Adversarial robustness of base model | AML.T0015 | TEST-SUPPLY-002 |
| SUPPLY-019 | Backdoor scanning of pre-trained models | AML.T0020 | TEST-SUPPLY-002 |
| SUPPLY-020 | Vendor security assessment program | AML.TA0003 | TEST-SUPPLY-002 |
| SUPPLY-021 | ML supply chain incident response | AML.TA0003 | TEST-SUPPLY-001 |
| SUPPLY-022 | Reproducible build verification | AML.TA0006 | TEST-SUPPLY-002 |
ML-SBOM Requirements¶
A complete ML-SBOM should include:
| Component | Description | Verification |
|---|---|---|
| Model metadata | Name, version, author, date | SUPPLY-001, SUPPLY-015 |
| Base model | Source, architecture, hash | SUPPLY-002, SUPPLY-006 |
| Training dataset | Origin, hash, license, curation | SUPPLY-003, SUPPLY-008 |
| Fine-tuning data | Provenance, transformations | SUPPLY-017 |
| Framework dependencies | Library name, version, CVE status | SUPPLY-004, SUPPLY-010 |
| Training environment | Compute specs, software versions | SUPPLY-013 |
| Model signature | Cryptographic signature | SUPPLY-016 |