Accelerating Safe and Secure AI Adoption with ATO for AI: stackArmor Comments on OMB AI Memo

We appreciate the opportunity to comment on the proposed Memo on Agency Use of Artificial Intelligence.
Ensuring agencies have access to adequate IT infrastructure,.
We base our remarks on our experience helping US Federal agencies transform their information technology systems using new and emerging technologies like cloud computing technologies since 2009 with the first migration of a government wide system - Recovery.
We have had the privilege of supporting numerous transformation initiatives including being part of the GSA Centers of Excellence since 2018 and having contributed towards the development of the Cloud Adoption Playbook while supporting transformation engagements at agencies including USDA, HUD, NIH and OPM amongst others agencies.
Our approach to Risk Management and Governance is rooted in using open standards and frameworks provided by NIST. We believe that OMB's guidance should encourage the augmentation and tailoring of existing risk management processes to ensure that Federal agencies can start accruing the benefits of AI technologies without costly delays associated with implementing a new governance program.
The composition of Federal agencies varies significantly in ways that will shape the way they approach governance.
An overarching Federal policy must account for differences in an agency's size, organization, budget, mission, organic AI talent, and more.
Given that most AI capabilities within an agency will be delivered by IT systems that are highly likely to be based on cloud computing technologies, the designated Chief AI Officers should have sufficient experience with and exposure to cloud computing technologies as well as the Federal Risk and Authorization Management Program to ensure that cost-effective and secure commercial solutions can help meet the agency's AI needs.
Such experience helps agencies rapidly reap the benefits of AI capabilities, maximizing the use of secure and compliant commercial solutions will be critical and to the extent Chief AI Officers understand AI systems and commercial solutions, it will help in remove roadblocks and avoid duplication of efforts, where agencies re-create capabilities that already exist in the commercial sector.
Further Chief AI Officers should have a keen understanding of the agency's mission and how AI can enhance and improve or bring new service delivery capabilities.
Agencies should have the flexibilities to determine appropriate reporting structures that best fit their needs, and where the Chief AI Officer is not dual hatted with the CIO or CDO, for example, ensure close collaboration and coordination with other CxO's.
Using an approach that ties NIST AI RMF to existing cyber risk management models based on NIST RMF, NIST SP 800-53 and NIST SP 800-53A as well as leveraging the work done by the Federal Privacy Council, there is a critical mass of understanding and knowledge that agencies can leverage to reduce the time and cost with AI adoption across the federal enterprise.
To help avoid a situation where every agency comes up with its own governance model, OMB could direct NIST, GSA and DHS/CISA to create a FISMA Profile for NIST AI RMF, which then can be tailored and adopted by each one of the 24 CFO Act agencies.
OMB should consider creating a consistent and uniform governance model that does not vary from agency to agency.
Once the initial wave of foundational systems and AI computing platforms, the enduring set of government or agency specific solutions are likely to come from small, nimble businesses.
OMB should reinforce and support agencies on their overall data maturity such that agencies are better positioned to take advantage of AI capabilities.
We recommend OMB direct NIST, DOD, DHS/CISA and GSA to develop FISMA and FedRAMP Profile for NIST AI RMF that helps provide an actionable implementation model for agencies.
There should also be directive to separate the evaluation process for AI capabilities that are embedded in vendor solutions and AI capabilities that are built by government agencies.
I hope you find the information and contents of this brief document useful as OMB formulates and finalizes the OMB memo on safe and secure AI adoption in agencies.
Based on our experience helping agencies, commercial organizations and regulated entities implement security controls, we have developed an open and standards-based governance model that we call ATO for AITM. This model begins with the seven trustworthy characteristics of AI and the NIST AI RMF risk categories & sub-categories and maps them to the NIST SP 800-53 Rev 5 control families and controls.


This Cyber News was published on securityboulevard.com. Publication date: Tue, 19 Dec 2023 00:13:25 +0000


Cyber News related to Accelerating Safe and Secure AI Adoption with ATO for AI: stackArmor Comments on OMB AI Memo

Accelerating Safe and Secure AI Adoption with ATO for AI: stackArmor Comments on OMB AI Memo - We appreciate the opportunity to comment on the proposed Memo on Agency Use of Artificial Intelligence. Ensuring agencies have access to adequate IT infrastructure,. We base our remarks on our experience helping US Federal agencies transform their ...
1 year ago Securityboulevard.com
Aim Security Raises $10M to Secure Generative AI Enterprise Adoption - PRESS RELEASE. TEL AVIV, Israel-(BUSINESS WIRE)-Aim Security, an Israeli cybersecurity startup offering enterprises a holistic, one-stop shop GenAI security platform, today announced $10 million in seed funding. Aim Security was founded by ...
10 months ago Darkreading.com
DORA and your quantum-safe cryptography migration - Quantum computing is a new paradigm with the potential to tackle problems that classical computers cannot solve today. New requirements for financial entities in the EU. DORA lays out a set of requirements across ICT risk management, incident ...
10 months ago Securityintelligence.com
Secure Workload and Secure Firewall: The recipe for a robust zero trust cybersecurity strategy - You hear a lot about zero trust microsegmentation these days and rightly so. While a host-based enforcement approach is immensely powerful because it provides access to rich telemetry in terms of processes, packages, and CVEs running on the ...
1 year ago Feedpress.me
CISA's Flags Memory-Unsafe Code in Major Open Source Projects - A comprehensive new study has unearthed fresh details on the extensive and troubling use of memory-unsafe code in major open source software projects. The chances that fresh insight on a long known issue will spur any immediate changes to the ...
5 months ago Darkreading.com
Google Chrome To Roll Out Real-Time Phishing Protection - Google Chrome has been protecting users from malicious websites and files with Safe Browsing, which maintains a locally-stored list updated every 30-60 minutes. To address it, Chrome is introducing a new version of Safe Browsing that provides ...
9 months ago Cybersecuritynews.com
GenAI development should follow secure-by-design principles - Given how dangerous the gold rush was and how long it took to incorporate safety measures, the time is now for organizations using GenAI to follow secure-by-design principles and follow CISA's example. Beyond writing faux movie scripts and passing ...
10 months ago Techtarget.com
Latest Information Security and Hacking Incidents - The NSA and CISA have released a set of five cybersecurity bulletins to help make cloud environments safer. These bulletins share important tips for keeping cloud systems secure, which are used a lot by businesses. Cloud services are popular because ...
9 months ago Cysecurity.news
Bad Bots Drive 10% Annual Surge in Account Takeover Attacks - Internet traffic associated with malicious bots now accounts for a third of the total, driving a 10% year-on-year increase in account takeover attacks last year, according to Imperva. The Thales-owned company's 2024 Imperva Bad Bot Report is a ...
8 months ago Infosecurity-magazine.com
Don't phish for deals this holiday season - This season is also a prime opportunity for attackers seeking to capitalize on unsuspecting individuals, employing identity-based cyberattacks such as phishing to compromise users' credentials and take control of their accounts. While education on ...
1 year ago Securityboulevard.com
Cloud Security: Stats and Strategies - An interesting aspect in O'Reilly's latest Cloud Adoption report based on a global survey conducted is that 90% of the responders are using the cloud to support their business. One of the key takeaways from the State of the Cloud report from Flexera ...
11 months ago Feeds.dzone.com
Secure Online Shopping: Tips for Smart Homeowners - Secure shopping online is a prudent practice for homeowners. Researching the store and its reviews is an important step in ensuring a secure online shopping experience. Taking these steps before making an online purchase can help ensure a secure ...
1 year ago Securityzap.com
Zero Trust Security: How to Secure Critical Infrastructure - Zero trust security is a critical component of any organization's security strategy that enables organizations to protect their data and systems from malicious actors, cyber threats, and unauthorized access. With the ever-evolving cyber threats ...
1 year ago Csoonline.com
2023 Cloud Security Report - Security concerns remain a critical barrier to cloud adoption, showing little signs of improvement in the perception of cloud security professionals. Cloud adoption is further inhibited by a number of related challenges that prevent the faster and ...
1 year ago Cybersecurity-insiders.com
CISA, NSA, FBI and International Cybersecurity Authorities Publish Guide on The Case for Memory Safe Roadmaps - Guide encourages software manufacturesto address memory safety vulnerabilities and implement secure by design principles. WASHINGTON - Today, the Cybersecurity and Infrastructure Security Agency, in partnership with the National Security Agency, ...
1 year ago Cisa.gov
Accelerating Your Journey to the 128-bit Universe - The 2023 National Cybersecurity Strategy requires acceleration of your agency's mission to go boldly into the 128-bit address space universe with greater speed and urgency. IPv6-only is the addressing standard for the U.S. Federal Government, ...
1 year ago Feedpress.me
CISO Corner: What Cyber Labor Shortage?; SEC Deadlines - Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Companies could face millions of dollars in fines if they fail to notify the SEC of a material breach. ...
7 months ago Darkreading.com
'Secure by design' makes waves at RSA Conference 2024 - Secure by design refers to the principle that software should be developed with security in mind through established development frameworks and best practices. Though the concept is far from new, the approach has been featured in multiple different ...
7 months ago Techtarget.com
How Secure Cloud Development Replaces Virtual Desktop Infrastructures - The need to secure corporate IT environments is common to all functions of organizations, and software application development is one of them. Development environments have notoriously complex setups and often require significant maintenance because ...
9 months ago Feeds.dzone.com
Cisco Secure Access named Leader in Zero Trust Network Access - Zero Trust Network Access is a critical component to increase productivity and reduce risk in today's hyper-distributed environments. Cisco Secure Access provides a modern form of zero trust access that utilizes a new architecture to deliver a unique ...
9 months ago Feedpress.me
CVE-2007-1002 - Format string vulnerability in the write_html function in calendar/gui/e-cal-component-memo-preview.c in Evolution Shared Memo 2.8.2.1, and possibly earlier versions, allows user-assisted remote attackers to execute arbitrary code via format ...
6 years ago
Biden Issues Executive Order on Safe, Secure AI - President Biden has issued an Executive Order to establish new standards for AI safety and security. The order follows previous actions the President has taken on responsible innovation, including work that led to 15 leading tech companies pledging ...
1 year ago Infosecurity-magazine.com
CISA Finalizes Microsoft 365 Secure Configuration Baselines - When CISA initiated its Secure Cloud Business Applications project, our goal was to elevate the federal government's baseline for email and cloud environments by optimizing the security capabilities available within widely used products and services ...
1 year ago Cisa.gov
CISA: Most critical open source projects not using memory safe code - The U.S. Cybersecurity and Infrastructure Security Agency has published research looking into 172 key open-source projects and whether they are susceptible to memory flaws. The report, cosigned by CISA, the Federal Bureau of Investigation, as well as ...
5 months ago Bleepingcomputer.com
How to Eliminate Shadow IT and Achieve a Secure SaaS Environment in 2023 - The prevalence of Shadow IT has grown exponentially over the years, with most organizations being unaware of the security risks of unauthorized cloud applications. Shadow IT is any application or cloud service being used by employees for business ...
1 year ago Thehackernews.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)