Overview
Severity: MEDIUM | Affected: NIST | Category: policy
The U.S. National Institute of Standards and Technology (NIST) has officially released the AI Secure Supply Chain Framework (AI-SSCF), a landmark policy designed to mitigate risks from data poisoning and malicious model tampering. The framework establishes new standards for organizations developing or deploying AI in critical sectors. A key mandate is the implementation of verifiable provenance tracking for all training data, dependencies, and pre-trained models. This requires maintaining a comprehensive 'AI Bill of Materials' (AI-BOM) that logs data sources, licensing, transformations, and model versioning. The goal is to create a transparent and auditable supply chain, enabling organizations to quickly identify and remediate compromises. Compliance will be phased in over 18 months, beginning with federal agencies and contractors. While lauded as a crucial step for standardizing AI security, industry groups have expressed concerns about the potential compliance burden on smaller businesses and startups.
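As an added illustration of the provenance-tracking requirement described above (example code written for this page, not NIST's AI-SSCF schema or tooling; the field names, sources, licences and artifact bytes are constructed assumptions), a minimal AI-BOM that pins every dataset, dependency and model by content digest, seals the inventory itself, and lets a verifier flag an artifact that changed after the inventory was recorded:

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_component(name, kind, content, source, license_id, version, transformations=()):
    """Describe one artifact (dataset, dependency or pre-trained model) and pin its digest."""
    return {"name": name, "type": kind, "version": version, "source": source,
            "license": license_id, "transformations": list(transformations),
            "sha256": sha256_hex(content)}

def _canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def build_ai_bom(components):
    """Assemble the AI-BOM and seal it with a digest over its canonical JSON,
    so later edits to the inventory itself are detectable."""
    bom = {"bom_format": "example-ai-bom", "spec_version": "0.1",
           "components": sorted(components, key=lambda c: c["name"])}
    bom["bom_digest"] = sha256_hex(_canonical(bom))
    return bom

def verify_bom_digest(bom) -> bool:
    body = {k: v for k, v in bom.items() if k != "bom_digest"}
    return sha256_hex(_canonical(body)) == bom.get("bom_digest")

def verify_artifacts(bom, artifacts):
    """Names of components whose current bytes are missing or differ from the recorded digest."""
    return [c["name"] for c in bom["components"]
            if c["name"] not in artifacts
            or sha256_hex(artifacts[c["name"]]) != c["sha256"]]

# Constructed sample artifacts; not real data, code or model weights.
CLEAN_ARTIFACTS = {
    "train-set-v1": b"id,text,label\n1,benign sample,0\n2,another sample,1\n",
    "tokenizer-lib": b"# constructed dependency source\nVERSION = '2.3.1'\n",
    "base-model": b"\x00CONSTRUCTED-MODEL-WEIGHTS\x00",
}
EXAMPLE_BOM = build_ai_bom([
    make_component("train-set-v1", "dataset", CLEAN_ARTIFACTS["train-set-v1"],
                   "s3://example-bucket/train.csv", "CC-BY-4.0", "1.0", ["dedup", "pii-scrub"]),
    make_component("tokenizer-lib", "dependency", CLEAN_ARTIFACTS["tokenizer-lib"],
                   "https://example.invalid/tokenizer", "Apache-2.0", "2.3.1"),
    make_component("base-model", "model", CLEAN_ARTIFACTS["base-model"],
                   "https://example.invalid/base-model", "MIT", "7b-v1"),
])
# Poisoned copy of the training set: one row appended after the BOM was sealed.
POISONED_ARTIFACTS = dict(CLEAN_ARTIFACTS, **{
    "train-set-v1": CLEAN_ARTIFACTS["train-set-v1"] + b"3,injected row,1\n"})
```

Running `verify_artifacts(EXAMPLE_BOM, POISONED_ARTIFACTS)` names only the altered dataset, which is the kind of quick compromise identification the framework is aiming for; in practice the sealed BOM would also be signed and stored outside the build environment.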