Overview
Severity: MEDIUM | Affected: US Federal Government | Category: policy
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive requiring all software vendors providing AI-powered systems to federal agencies for critical infrastructure to provide an AI 'Bill of Materials' (AI-BOM). This new mandate extends the concept of a Software Bill of Materials (SBOM) to the AI domain. The AI-BOM must detail the model's architecture, training datasets (including data sources and licenses), key dependencies, and the results of third-party security audits and bias assessments. The goal is to increase transparency and allow federal agencies to better assess the security risks and potential biases inherent in the AI tools they deploy. The directive is seen as a major step towards holding AI vendors accountable for the security and safety of their products, pushing the industry towards more transparent and secure development practices, especially in sensitive sectors like energy and finance.