The statement is false because even if a contract with an integrator specifies security requirements, the organization must still perform due diligence and continuous monitoring. We cannot assume that contracts alone are sufficient to mitigate security risks. It is critical to validate that the integrators are complying with security requirements, conduct periodic security audits, and implement security controls on the systems they manage. The risk of supply chain attacks remains, and organizations must take an active role in managing and mitigating these risks regardless of contractual obligations.