[WTL] RSP Security mitigations: OpenAI
How Open will secure model weights according to their Preparedness Framework
The latest Preparedness Framework (Version 2; April 15, 2025) rates capabilities as either High or Critical. Models with Critical capabilities are simply not deployed or even developed so security controls are only defined for High. The only section of the Framework of interest is therefore C.3 Security controls.
Note: This is a “writing to learn” exercise. See the following article for details.
Benchmark comparison
Unlike GDM’s FSF or Anthropic’s RSP, OpenAI makes no explicit mention of RAND SL. It does however mention a number of specific practices than can be compared against parts of the RAND SL benchmarks.
Defense in Depth
Layered Security Architecture: This sounds enough like the “[t]wo independent security layers” in the SL3 benchmark that I’ll rate it at that level.
Zero Trust Principles: This sounds enough like what the SL3 benchmark describes. The SL3 benchmark specifically calls out the “Advanced” level of “CISA’s Zero Trust Maturity Model” but that sounds like to much for me to try to dive into now.
Access Management
Principle of Least Privilege: access to High models is limited, protected with MFA, and “may require additional approvals” but it doesn’t sound like all access to weights takes place through a tool and therefore I rate this SL2.
Secure Development and Supply Chain
Change Management: Only changes to critical infrastructure seem to mandate multi-party review so this is below SLSA 3 and therefore below SL4. I can’t see any reason to rank below SL3.
Operational Security
Monitoring and Incident Response: Logs are not just collected but continuously monitored which I believe pushes them to SL3. There’s no mention of hardware level protection of the logs or forced time delays for code reviews so I won’t rate this at SL4.
Adversarial Testing and Red-Teaming: OpenAI does them. And they have a bug bounty program. But it’s unclear if their red-teaming would be “advanced” according to the RAND benchmarks so I’ll rate them SL2 here.
The Framework doesn’t touch upon physical, hardware, or personnel security. I imagine this is because OpenAI gets its compute externally. The overall picture seems to be between SL2 and SL3. The best term for it may be the SL2+ coined in GDM’s FSF. What’s different from GDM is that this is the highest security commitment the Preparedness Framework makes. In contrast, GDM would recommend reaching SL3 when it reaches “ML R&D acceleration level 1” which I think is comparable to “AI Self-improvement High”.
The Preparedness Framework also doesn’t even do the move Anthropic’s RSP or GDM’s FSF do in mentioning SL4 or higher commitments as ideal industry goals while not committing to undertake them unilaterally.
Mentioned frameworks
In addition to the list of practices, the Framework lists a number of security frameworks in passing, most of which I’m unfamiliar with. Familiarity with these frameworks doesn’t seem necessary for analyzing OpenAI’s Framework but I’m taking this opportunity to learn about them. Here I’ll give a short description of each.
SOC 2: “System and organization controls”1. This is a framework for a type of audit a CPA can perform. It scores a organization on up to five metrics they call “Trust Service Criteria” which are just the traditional CIA triad plus security and privacy. Confusing, SOC originally referred to “service organization controls”2 but AICPA changed it while trying to keep the same acronym; apparently, they did this so they could score organizations that don’t actual perform any services for anyone3. A SOC doesn’t score your org with a level like FedRAMP. Instead, it just describes what your org’s security measures are and reports on if there are major issues with them and if you are actually applying them4. The description on the AICPA website stresses that it isn’t a “certification”. It comes in Type 1 or 2 depending on if the report was snapshot or over a 3-12 month window. Apparently there are SOC 1 and SOC 3 and rather than being different versions of SOC they serve different audiences. That said, I’ve only seen SOC 2 referenced, typically in comparison with ISO 27001.
ISO 27001: International Organization for Standardization5 standard 27001. This definitely is a certification. It applies to ISMS (Information Security Management System) which seems to be a special term for anything that handles sensitive data. Aside from that the only obvious difference seems to be that SOC 2 is demanded more in the US whereas ISO 27001 is demanded more in Europe, though both are required to varying degrees on both sides of the Atlantic6. Where SOC 2 seems to be along the lines of “do you meet the standards needed for your purposes”, ISO 27001 scores a company on some objective rubric7. ISO 27001 uses the CIA triad with authenticity and non-repudiation added in.
NIST SP 800-53: NIST “Special Publication” 800-53. NIST is the standard making body in the Department of Commerce. Claude says that “‘Special Publication’ is just a catch-all series for documents that aren't journal articles, Technical Notes, Monographs, or Handbooks”8. NIST SP 800 groups together all the computer security recommendations and NIST SP 800-53 in particular gives guidance for security and privacy in “information systems” which seems to mean the same thing as ISMS. Unlike SOC 2 or ISO 27001, you can’t get a report or certification on NIST SP 800-53 compliance as a private organization. It is however mandated9 that federal “information systems” comply with various parts of it based on how dangerous it is for info to leak from those systems10.
FedRAMP: This applies NIST SP 800-53 to cloud providers. The Wikipedia page says FedRAMP is described as “FISMA for the cloud” but backs that up with a reference to a dead link11. I was a bit confused as to why FedRAMP was needed when FISMA already requires agencies to follow various parts of NIST SP 800-53 even when using vendors. Claude suggested two reasons that made sense to me12: First, the problem of “N×M assessments” as Claude called it. Each cloud-agency pairing would need to do its own assessment. After FedRAMP, a cloud provider can be certified once and every agency at a matching impact level can use it. Second, FedRAMP accredits third parties to perform the assessment.
“AI-specific security standards”
Cloud Security Alliance’s AI Safety Initiative: The Cloud Security Alliance is a non-profit. It has a AI Safety Initiative and has produced a bunch of whitepapers. The “Executive Leadership Council” of the initiative has the CISOs of Google DeepMind, Google Cloud, and Anthropic as well as well as high level reps from AWS, OpenAI, and Microsoft and from CISA in the DHS. That said, I’m not sure what the importance of this initiative is. It isn’t a law or a widely used framework or standard. I don’t think I’ve seen it referenced elsewhere. I will keep my eyes out for references to it from now on.
NIST SP 800-218 AI updates: This seems to refer to NIST SP 800-218A. NIST SP 800-218 is about safe software development processes. According to this summary, 800-218A extends these safety practices to the data models are trained and fine tuned and suggests adding AI model hacks to the threat model.
Remaining questions
Where does OpenAI get its compute from? Do they own their own data centers or do they entirely rely upon cloud providers? Are its providers FedRAMP compliant? What would it look like for a company that doesn’t have its own in-house cloud as Google does to do a push to SL4 or SL5? Can I hope get a picture of what OpenAI’s security practices look like at a similar fidelity as what I could get for Google or Microsoft?
https://en.wikipedia.org/wiki/System_and_organization_controls
See https://www.aicpa-cima.com/resources/article/aicpa-system-and-organization-controls-communications-guidelines. The website obnoxiously requires you to create an account to read the content.
See my chat https://claude.ai/share/4bedd195-eeae-4125-956f-f5f36b850cb2.
At least, that’s the impression I get from the top comment in this Reddit thread: https://old.reddit.com/r/cybersecurity/comments/1u87jot/what_is_a_soc_2_report_and_why_does_every/.
I find it a bit confusing that the ISO acronym matches neither its name in English nor its name in French.
This is the impression I get reading the comments highlighted when I search for “ISO” in the same Reddit thread from above: https://old.reddit.com/r/cybersecurity/comments/1u87jot/what_is_a_soc_2_report_and_why_does_every/.
https://prescientsecurity.com/resources/blogs/iso-27001-vs-soc-2
https://claude.ai/share/f8a5deb3-2631-408f-bcb3-403dbace5d13
By FISMA. In response to FISMA, NIST created FIPS 200 which states: “Federal agencies must meet the minimum security requirements as defined herein through the use of the security controls in accordance with NIST Special Publication 800-53“ https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf
Federal offices are rated as “Low”, “Moderate”, or “High” for each element of the CIA triad using the process described in FIPS 199: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf.
https://en.wikipedia.org/wiki/FedRAMP
https://claude.ai/share/f8a5deb3-2631-408f-bcb3-403dbace5d13
