nerdexam
(ISC)2

CISSP · Question #356

An organization plan on purchasing a custom software product developed by a small vendor to support its business model. Which unique consideration should be made part of the contractual agreement pote

The correct answer is A. A source code escrow clause. When purchasing custom software from a small vendor, a source code escrow clause protects the organization if the vendor goes out of business or discontinues support, mitigating long-term dependency risks.

Submitted by yousef_jo· Mar 5, 2026Software Development Security

Question

An organization plan on purchasing a custom software product developed by a small vendor to support its business model. Which unique consideration should be made part of the contractual agreement potential long-term risks associated with creating this dependency?

Options

  • AA source code escrow clause
  • BRight to request an independent review of the software source code
  • CDue diligence form requesting statements of compliance with security requirements
  • DAccess to the technical documentation

How the community answered

(48 responses)
  • A
    83% (40)
  • B
    8% (4)
  • C
    4% (2)
  • D
    4% (2)

Why each option

When purchasing custom software from a small vendor, a source code escrow clause protects the organization if the vendor goes out of business or discontinues support, mitigating long-term dependency risks.

AA source code escrow clauseCorrect

A source code escrow clause requires the vendor to deposit the source code with a neutral third-party escrow agent, which is released to the organization under predefined conditions such as vendor bankruptcy, acquisition, or discontinuation of support. This directly addresses the unique long-term risk of vendor dependency by ensuring the organization can maintain, modify, or hand off the software even if the vendor ceases to exist. It is the only contractual mechanism specifically designed to protect against the existential risk posed by relying on a small, potentially volatile vendor.

BRight to request an independent review of the software source code

The right to request an independent source code review addresses security assurance and audit rights, but does not protect the organization from losing access to the software if the vendor goes out of business.

CDue diligence form requesting statements of compliance with security requirements

A due diligence form requesting compliance statements addresses security posture assessment at a point in time, but provides no contractual protection against the vendor disappearing or becoming unable to support the product.

DAccess to the technical documentation

Access to technical documentation supports knowledge transfer and understanding of the product, but documentation alone does not give the organization the ability to maintain or modify the software if the vendor ceases operations.

Concept tested: Source code escrow for vendor dependency risk mitigation

Source: https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf

Topics

#Software escrow#Vendor lock-in#Supply chain security#Contractual agreements

Community Discussion

No community discussion yet for this question.

Full CISSP Practice