Overview
Severity: MEDIUM | Affected: U.S. CISA | Category: policy
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in partnership with NIST, has issued a new binding operational directive requiring a 'Bill of Materials' for all AI-enabled software procured by federal agencies. This AI Bill of Materials (AIBOM) must detail the components of the AI system, including the foundational models used, key training datasets, data-processing libraries, and known vulnerabilities in its dependencies. The goal is to enhance transparency and security in the federal government's AI supply chain. Vendors will be required to provide and maintain an updated AIBOM throughout the software lifecycle. This policy aims to mitigate risks associated with data poisoning, model theft, and the use of insecure open-source components in critical government systems, marking a significant step towards standardizing AI security practices.