One way to mitigate the risk of security flaws in custom software is to include security assurance clauses in the Service Level Agreement (SLA) between the customer and the software developer. The SLA is a contract that defines the expectations and obligations of both parties, such as the scope, quality, performance, and security of the software. By including security assurance clauses, the customer can specify the security requirements and standards that the software must meet, and the developer can agree to provide evidence of compliance and remediation of any defects. The other options are not effective ways to mitigate the risk of security flaws in custom software. Including security language in the Earned Value Management (EVM) contract is not relevant, as EVM is a project management technique that measures the progress and performance of a project, not the security of the software. Purchasing only Commercial Off-The-Shelf (COTS) products or software with no open source Application Programming Interfaces (APIs) does not guarantee that the software is free of security flaws, as COTS and closed source software can also have vulnerabilities and may not meet the customer’s specific needs and expectations. References: CISSP All-in-One Exam Guide, Eighth Edition, Chapter 21, p. 1119; Official (ISC)2 CISSP CBK Reference, Fifth Edition, Chapter 8, p. 507.