Clock Synchronization
Specification
Use a reliable time source across all relevant information processing systems.
Threat coverage
Architectural relevance
Lifecycle
Data collection, Data curation, Data storage, Resource provisioning
Design, Training
Evaluation, Validation/Red Teaming, Re-evaluation
Orchestration, AI Services supply chain, AI applications
Operations, Maintenance, Continuous monitoring, Continuous improvement
Archiving, Data deletion, Model disposal
Ownership / SSRM
PI
Shared across the supply chain
Shared control ownership refers to responsibilities and activities related to LLM security that are distributed across multiple stakeholders within the AI supply chain, including the Cloud Service Provider (CSP), Model Provider (MP), Orchestrated Service Provider (OSP), Application Provider (AP), and Customer (AIC). These controls require coordinated actions, communication, and governance across all involved parties to ensure their effectiveness.
Model
Owned by the Model Provider (MP)
The model provider (MP) designs, develops, and implements the control as part of their services or products to mitigate security, privacy, or compliance risks associated with the Large Language Model (LLM). Model Providers are entities that develop, train, and distribute foundational and fine-tuned AI models for various applications. They create the underlying AI capabilities that other actors build upon. Model Providers are responsible for model architecture, training methodologies, performance characteristics, and documentation of capabilities and limitations. They operate at the foundation layer of the AI stack and may provide direct API access to their models. Examples: OpenAI (GPT, DALL-E, Whisper), Anthropic(Claude), Google(Gemini), Meta(Llama), as well as any customized model.
Orchestrated
Shared Model Provider-Orchestrated Service Provider (Shared MP-OSP)
The MP and OSP are jointly responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they develop and offer.
Application
Shared Orchestrated Service Provider-Application Provider (Shared OSP-AP)
The OSP and AP are jointly responsible and accountable for the design, development, implementation, and enforcement of the control to mitigate security, privacy, or compliance risks associated with Large Language Model (LLM)/GenAI technologies in the context of the services or products they develop and offer.
Implementation guidelines
Auditing guidelines
1. Inquiring with Control Owners 1.1 Conduct interviews with personnel responsible for managing time synchronization across cloud infrastructure and AI processing resources to understand their implementation of reliable time sources for compute resource management, customer workload tracking, and infrastructure monitoring. Verify their understanding of time synchronization requirements for multi-tenant environments, GPU/TPU clusters, and procedures for maintaining accurate timestamps across distributed cloud infrastructure. 2. Inspecting Records and Documents 2.1 Confirm cloud infrastructure systems handling compute resources and customer workloads use a centralized time source. 2.2 Verify implementation of Network Time Protocol (NTP) or equivalent time synchronization protocols across cloud infrastructure, hypervisors, and AI processing clusters. 2.3 Check synchronization logs to validate accurate timestamping across compute resource allocation, customer workload execution, and infrastructure monitoring activities. 2.4 Assess whether unsynchronized cloud infrastructure systems trigger alerts or errors that could affect customer workload scheduling or resource billing accuracy. 2.5 Verify clock drift thresholds are defined and monitored for cloud infrastructure components, GPU/TPU clusters, and customer tenant environments. 2.6 Confirm the accuracy of timestamps in cloud infrastructure logs critical for customer billing, resource utilization tracking, and security investigations. 2.7 Validate incident response records for infrastructure issues reference consistent timestamps across customer environments and infrastructure components. 2.8 Examine documentation of reliable time source configuration for cloud infrastructure and backup time synchronization mechanisms across data centers. 2.9 Review time synchronization policies covering cloud infrastructure, customer tenant isolation, and AI processing resource management systems. 2.10 Validate that time source reliability is monitored for cloud infrastructure and backup time sources are available to maintain service availability across multiple regions. 2.11 Confirm use of centralized, authenticated NTP servers across the cloud infrastructure. 2.12 Verify tenant isolation does not interfere with consistent time sync in multi-tenant setups. 2.13 Ensure that logs generated from different services share a common time reference. 2.14 Validate redundancy and fault-tolerance in time source configurations. 2.15 Check monitoring systems for alerting when time synchronization fails. 2.16 Review logs of past sync failures and documented remediation steps. 2.17 Confirm compliance with regulatory standards requiring timestamp precision.
Standards mappings
No Mapping for ISO 42001 ISO 27001 A.8.17
Addendum
No ISO 42001 control maps to LOG-06 topic.
No Mapping
Addendum
No explicit mention to the use of a reliable time source across information processing systems is made in the European regulation, nor does it set broader requirements that may be interpreted as encompassing the one defined by the control.
No Mapping
Addendum
Using a reliable time source.
C4 PC-02 C5 OPS-10
Addendum
No C4 control speaks to LOG-06 topic of time source across infrastructure.
AI-CAIQ questions (1)
Is a reliable time source being used across all relevant information processing systems?