Overview
Severity: MEDIUM | Affected: US Critical Infrastructure Sectors | Category: policy
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a new binding operational directive, AI-25-01, mandating AI model provenance reporting for all federal agencies and their critical infrastructure partners. The directive requires organizations to maintain and report a comprehensive 'AI Bill of Materials' (AI-BOM) for any AI system used in critical functions. This AI-BOM must include detailed information about the model's training data sources, architectural design, fine-tuning processes, and the results of safety and bias testing. The goal is to mitigate AI supply chain risks, such as data poisoning or the integration of backdoored models from untrusted sources. By enforcing transparency, CISA aims to prevent the deployment of insecure or compromised AI systems in sensitive sectors like energy, finance, and transportation. Compliance will be required within 12 months, forcing many organizations to overhaul their AI governance and procurement processes to meet the stringent new standards.