We appreciate the opportunity to comment on the proposed Memo on Agency Use of Artificial Intelligence.
Ensuring agencies have access to adequate IT infrastructure.
We base our remarks on our experience helping US Federal agencies transform their information technology systems using new and emerging technologies such as cloud computing, beginning in 2009 with the first migration of a government-wide system - Recovery.
We have had the privilege of supporting numerous transformation initiatives, including being part of the GSA Centers of Excellence since 2018 and contributing to the development of the Cloud Adoption Playbook while supporting transformation engagements at agencies including USDA, HUD, NIH and OPM, among others.
Our approach to Risk Management and Governance is rooted in the open standards and frameworks provided by NIST. We believe that OMB's guidance should encourage the augmentation and tailoring of existing risk management processes so that Federal agencies can start accruing the benefits of AI technologies without the costly delays associated with implementing a new governance program.
The composition of Federal agencies varies significantly in ways that will shape the way they approach governance.
An overarching Federal policy must account for differences in an agency's size, organization, budget, mission, organic AI talent, and more.
Given that most AI capabilities within an agency will be delivered by IT systems that are highly likely to be based on cloud computing technologies, the designated Chief AI Officers should have sufficient experience with and exposure to cloud computing technologies as well as the Federal Risk and Authorization Management Program to ensure that cost-effective and secure commercial solutions can help meet the agency's AI needs.
Such experience helps agencies rapidly reap the benefits of AI capabilities. Maximizing the use of secure and compliant commercial solutions will be critical, and to the extent Chief AI Officers understand both AI systems and the commercial solutions available, they will be able to remove roadblocks and avoid duplication of effort, where agencies re-create capabilities that already exist in the commercial sector.
Further, Chief AI Officers should have a keen understanding of the agency's mission and how AI can enhance and improve existing service delivery or bring new service delivery capabilities.
Agencies should have the flexibility to determine the reporting structures that best fit their needs and, where the Chief AI Officer is not dual-hatted with the CIO or CDO, for example, should ensure close collaboration and coordination with the other CxOs.
Using an approach that ties the NIST AI RMF to existing cyber risk management models based on the NIST RMF, NIST SP 800-53 and NIST SP 800-53A, and leveraging the work done by the Federal Privacy Council, there is a critical mass of understanding and knowledge that agencies can draw on to reduce the time and cost of AI adoption across the federal enterprise.
To help avoid a situation where every agency comes up with its own governance model, OMB could direct NIST, GSA and DHS/CISA to create a FISMA Profile for NIST AI RMF, which then can be tailored and adopted by each one of the 24 CFO Act agencies.
OMB should consider creating a consistent and uniform governance model that does not vary from agency to agency.
Once the initial wave of foundational systems and AI computing platforms is in place, the enduring set of government- or agency-specific solutions is likely to come from small, nimble businesses.
OMB should reinforce and support agencies on their overall data maturity such that agencies are better positioned to take advantage of AI capabilities.
We recommend that OMB direct NIST, DOD, DHS/CISA and GSA to develop a FISMA and FedRAMP Profile for the NIST AI RMF that provides an actionable implementation model for agencies.
There should also be a directive to separate the evaluation process for AI capabilities that are embedded in vendor solutions from that for AI capabilities that are built by government agencies.
I hope you find the information and contents of this brief document useful as OMB formulates and finalizes the OMB memo on safe and secure AI adoption in agencies.
Based on our experience helping agencies, commercial organizations and regulated entities implement security controls, we have developed an open and standards-based governance model that we call ATO for AI™. This model begins with the seven characteristics of trustworthy AI and the NIST AI RMF risk categories and sub-categories, and maps them to the NIST SP 800-53 Rev 5 control families and controls.
This Cyber News was published on securityboulevard.com. Publication date: Tue, 19 Dec 2023 00:13:25 +0000