Question 10
Supply chain agreements between a cloud service provider and cloud customers should, at a minimum, include:
Correct answer: B
Explanation
Cloud supply chain agreements should include mechanisms to verify that the provider meets contractual and security obligations. Audits, assessments, and independent verification of compliance certifications show whether the provider is following the agreement terms and required controls, rather than relying on assurances alone.
Why each option is right or wrong
A. regulatory guidelines impacting the cloud customer.
B. audits, assessments, and independent verification of compliance certifications with agreement terms.
NIST SP 800-144 and the FedRAMP/Cloud Computing SRG contracting guidance expect cloud agreements to preserve the customer’s right to verify the provider’s controls and attestations, not merely accept promises. In practice, that means the contract should expressly allow audits and assessments and require independent validation of compliance certifications against the agreement terms, so the customer can confirm the provider is meeting the stated security and service obligations.
C. the organizational chart of the provider.
D. policies and procedures of the cloud customer.