This is the thirty-fourth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs describes described the actions taken by various government agencies to implement the Cyber EO from June 2021through January 2024. This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during February 2024. It also describes key actions taken during February 2024 to implement President Biden’s Executive Order on Artificial Intelligence (the “AI EO”), particularly its provisions that impact cybersecurity, secure software, and federal government contractors.
NIST Publishes Cybersecurity Framework 2.0
On February 26, 2024, the U.S. National Institute of Standards and Technology (“NIST”) published version 2.0 of its Cybersecurity Framework. The NIST Cybersecurity Framework (“CSF” or “Framework”) provides a taxonomy of high-level cybersecurity outcomes that can be used by any organization, regardless of its size, sector, or relative maturity, to better understand, assess, prioritize, and communicate its cybersecurity efforts. CSF 2.0 makes some significant changes to the Framework, particularly in the areas of Governance and Cybersecurity Supply Chain Risk Management (“C-SCRM”). Covington’s Privacy and Cybersecurity group has posted a blog that discusses CSF 2.0 and those changes in greater detail.
NTIA Requests Comment Regarding “Open Weight”
Dual-Use Foundation AI Models
Also on February 26, the National Telecommunications and Information Administration (“NTIA”) published a request for comments on the risks, benefits, and possible regulation of “dual-use foundation models for which the model weights are widely available.” Among other questions raised by NTIA in the document are whether the availability of public model weights could pose risks to infrastructure or the defense sector. NTIA is seeking comments in order to prepare a report that the AI EO requires by July 26, 2024 on the risks and benefits of private companies making the weights of their foundational AI models publicly available. NTIA’s request for comments notes that “openness” or “wide availability” are terms without clear definition, and that “more information [is] needed to detail the relationship between openness and the wide availability of both model weights and open foundation models more generally.” NTIA also requests comments on potential regulatory regimes for dual-use foundation models with widely available model weights, as well as the kinds of regulatory structures “that could deal with not only the large scale of these foundation models, but also the declining level of computing resources needed to fine-tune and retrain them.”
GSA Urges Agencies Using Federal Tech Modernization
Funds to Request Proposals for AI Services and Products
On February 8, 2024, the General Services Administration (“GSA”) Technology Modernization Fund (“TMF”) issued a call for proposals from federal agencies to use TMF funding for purchasing AI products and services. Agency proposals seeking $6 million or less and having a project timeline not greater than 1.5 years “will receive an expedited review process for investment in an effort to help agencies achieve positive outcomes and impact quickly.” GSA’s notice states that all proposals must include a clear path for user testing, risk mitigation, evaluation metrics, and senior executive support, but also notes that “agencies have flexibility in how they approach their project and potential solutions.” GSA’s notice also states that agencies submitting proposals for TMF funding of purchases of AI products and services should expect to repay TMF a minimum of 50 percent of their investment over five years.
NIST Publishes Guidance on Applying SSDF
Principles to Cloud Application Software
On February 12, 2024, NIST issued SP 800-2040, which provides guidance on how to apply NIST’s Secure Software Development Framework (“SSDF”) to the development of cloud-based application software. The publication notes that such applications are “generally developed through an agile software development life cycle (SDLC) paradigm called Dev Sec Ops, which uses flow processes called continuous integration/continuous delivery (CI/CD).” NIST states that the overall goal of the new publication is to “ensure that the CI/CD pipeline activities that take source code through the build, test, package, and development stage are not compromised.” The publication is notable because it has historically been difficult to defense the specific requirements for SBOMs that relate to cloud products, in part because cloud products are continuously changing, and in part because cloud products have a number of inherited security dependencies.