Skip to content

MLASVS-SUPPLY-2: Base Model Vetting

Category

MLASVS-SUPPLY: Supply Chain Security

Overview

Base model vetting ensures that pre-trained models sourced from third parties are evaluated for security risks before being incorporated into production ML systems. This includes vulnerability scanning, provenance verification, and security testing.

Controls

SUPPLY-002: Pre-trained Model Origin Verification (L1)

Description: Origin and authenticity of all pre-trained models must be verified.

MITRE ATLAS: AML.TA0003 (Resource Development) Test Reference: MLASTG-TEST-SUPPLY-002

Verification: 1. For each pre-trained model, verify: source URL, publisher/organization, version, date downloaded 2. Check cryptographic signature or hash from trusted source 3. Pass if: Model origin is verified and documented


SUPPLY-006: Model Hash Verification at Load (L1)

Description: Cryptographic hashes must be verified when loading pre-trained models.

MITRE ATLAS: AML.TA0006 (Persistence) Test Reference: MLASTG-TEST-SUPPLY-002

Verification: 1. Review model loading code for hash verification 2. Attempt to load a tampered model file 3. Pass if: Tampered models are detected and rejected at load time


SUPPLY-007: Transfer Learning Source Validation (L1)

Description: Source models used for transfer learning must be validated for security.

MITRE ATLAS: AML.T0020 (Data Poisoning) Test Reference: MLASTG-TEST-SUPPLY-002

Verification: 1. Verify that transfer learning source models underwent security evaluation 2. Check for known issues with the source model 3. Pass if: Source model has documented security evaluation


SUPPLY-009: Base Model Vulnerability Scanning (L1)

Description: Pre-trained models must be scanned for known vulnerabilities.

MITRE ATLAS: AML.TA0003 (Resource Development) Test Reference: MLASTG-TEST-SUPPLY-002

Verification: 1. Run vulnerability scanner on model files (ModelScan, etc.) 2. Check for unsafe deserialization, embedded code, or known vulnerabilities 3. Pass if: No critical vulnerabilities in base model


SUPPLY-011: Secure Model Distribution Channels (L1)

Description: Models must be distributed through secure, authenticated channels.

MITRE ATLAS: AML.TA0002 (Initial Access) Test Reference: MLASTG-TEST-SUPPLY-002

Verification: 1. Review model distribution mechanism (registry, artifact store, etc.) 2. Verify TLS and authentication are used for model downloads 3. Pass if: All model distribution uses secure channels


SUPPLY-012: Third-Party Model Evaluation Report (L1)

Description: Comprehensive security evaluation reports must exist for third-party models.

MITRE ATLAS: AML.TA0003 (Resource Development) Test Reference: MLASTG-TEST-SUPPLY-002

Verification: 1. Review security evaluation reports for each third-party model 2. Verify evaluation covers: origin, vulnerabilities, robustness, poisoning 3. Pass if: Evaluation reports exist and are current


SUPPLY-015: Cryptographic Model Provenance (L2)

Description: Full cryptographic provenance using signed manifests for all models.

MITRE ATLAS: AML.TA0006 (Persistence) Test Reference: MLASTG-TEST-SUPPLY-002

Verification: 1. Verify signed manifests exist for each model version 2. Validate signature chain from development through deployment 3. Pass if: Complete signed provenance chain exists


SUPPLY-016: Model Signing and Attestation (L2)

Description: Models must be cryptographically signed and attested before deployment.

MITRE ATLAS: AML.TA0006 (Persistence) Test Reference: MLASTG-TEST-SUPPLY-002

Verification: 1. Verify model signing implementation (sigstore, GPG, or equivalent) 2. Check that signing is automated in CI/CD pipeline 3. Pass if: Models are signed and verified before deployment


SUPPLY-018: Adversarial Robustness of Base Model (L2)

Description: Base models must undergo adversarial robustness evaluation.

MITRE ATLAS: AML.T0043 (Craft Adversarial Data) Test Reference: MLASTG-TEST-SUPPLY-002

Verification: 1. Review adversarial robustness test results for base model 2. Verify acceptable robustness thresholds are met 3. Pass if: Base model meets minimum robustness criteria


SUPPLY-019: Backdoor Scanning of Pre-trained Models (L2)

Description: Pre-trained models must be scanned for potential backdoors.

MITRE ATLAS: AML.T0020 (Data Poisoning) Test Reference: MLASTG-TEST-SUPPLY-002

Verification: 1. Run backdoor detection techniques (activation clustering, pruning, trigger inversion) 2. Verify no indicators of backdoor presence 3. Pass if: No backdoor indicators detected


SUPPLY-020: Vendor Security Assessment Program (L2)

Description: Third-party ML model vendors must undergo security assessment.

MITRE ATLAS: AML.TA0003 (Resource Development) Test Reference: MLASTG-TEST-SUPPLY-002

Verification: 1. Verify vendor security assessment program exists 2. Check that assessments cover: data handling, model security, incident response, compliance 3. Pass if: Vendor assessments are completed and current


SUPPLY-022: Reproducible Build Verification (L2)

Description: Model builds must be reproducible from source to verify integrity.

MITRE ATLAS: AML.TA0006 (Persistence) Test Reference: MLASTG-TEST-SUPPLY-002

Verification: 1. Verify training pipeline produces identical model given same code + data + seed 2. Compare cryptographic hashes of independent builds 3. Pass if: Builds are reproducible with matching hashes

Cross-References

  • MITRE ATLAS: AML.TA0003, AML.TA0006, AML.T0010, AML.T0020
  • MLASWE: MLASWE-0007, MLASWE-0009
  • NIST AI RMF: MAP-1, MAP-2, MEASURE-2