Overview
Severity: MEDIUM | Affected: US CISA | Category: policy
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding directive that mandates the use of an 'AI Bill of Materials' (AIBOM) for all AI systems used by federal agencies and contractors in critical infrastructure sectors. This new policy, modeled after the Software Bill of Materials (SBOM) for traditional software, requires a detailed inventory of an AI model's components. This includes the sources and licenses of training data, data preprocessing steps, model architecture, and dependent software libraries. The goal is to improve transparency and help organizations better understand the potential risks and vulnerabilities within their AI supply chain, such as data poisoning or inherited flaws from third-party components. The directive is a major step towards standardizing AI security practices and ensuring accountability for systems deployed in high-impact areas like energy grids and financial networks.