Requires the National Institute of Standards and Technology to update vulnerability management processes for AI security risks. Establishes a voluntary database to track AI security and safety incidents. Evaluates standards for AI vulnerability reporting. Encourages best practices for AI supply chain risks.
Analysis summaries, actor details, and coverage mappings were LLM-classified and may contain errors.
This is a binding federal statute enacted by the United States Congress with mandatory obligations on federal agencies (NIST, CISA) to establish processes, databases, and reporting mechanisms within specified timeframes.
The document covers several subdomains, with its strongest focus on AI system security vulnerabilities (2.2), privacy compromise (2.1), malicious actors using AI for cyberattacks (4.2), lack of robustness (7.3), lack of transparency (7.4), and governance failure (6.5). Coverage is concentrated in the security, privacy, and AI safety domains.
This document does not govern specific economic sectors but rather establishes cross-sectoral federal processes for AI security vulnerability management and incident tracking. It mentions critical infrastructure and safety-critical systems as priority areas for incident tracking, suggesting broad applicability across multiple sectors.
The document primarily addresses the "Deploy" and "Operate and Monitor" lifecycle stages, with some coverage of "Build and Use Model" through its supply chain risk provisions. It focuses on post-deployment vulnerability management, incident tracking, and ongoing monitoring of AI security and safety risks.
The document explicitly mentions AI systems and AI models throughout. It does not specifically reference frontier AI, general purpose AI, task-specific AI, foundation models, generative AI, predictive AI, or compute thresholds. It addresses open-source datasets and does not mention open-weight models specifically.
United States Congress
This is a federal statute enacted by Congress as part of the Intelligence Authorization Act for Fiscal Year 2025, Title V, Section 510.
National Institute of Standards and Technology (NIST), Cybersecurity and Infrastructure Security Agency (CISA), Director of the National Security Agency, Director of the Office of Management and Budget, Congressional Committees (Committee on Homeland Security and Governmental Affairs of the Senate, Committee on Commerce, Science, and Transportation of the Senate, Select Committee on Intelligence of the Senate, Committee on the Judiciary of the Senate, Committee on Oversight and Accountability of the House of Representatives, Committee on Energy and Commerce of the House of Representatives, Permanent Select Committee on Intelligence of the House of Representatives, Committee on the Judiciary of the House of Representatives)
NIST and CISA are designated to implement and oversee the vulnerability management processes, databases, and reporting mechanisms. Congressional committees receive reports and provide oversight.
National Institute of Standards and Technology (NIST), Cybersecurity and Infrastructure Security Agency (CISA), Congressional Committees (Committee on Homeland Security and Governmental Affairs of the Senate, Committee on Commerce, Science, and Transportation of the Senate, Select Committee on Intelligence of the Senate, Committee on the Judiciary of the Senate, Committee on Oversight and Accountability of the House of Representatives, Committee on Energy and Commerce of the House of Representatives, Permanent Select Committee on Intelligence of the House of Representatives, Committee on the Judiciary of the House of Representatives)
NIST and CISA are responsible for tracking and processing security and safety incidents through databases and reporting mechanisms. Congressional committees monitor implementation through required reports.
National Institute of Standards and Technology (NIST), Cybersecurity and Infrastructure Security Agency (CISA), private sector entities, public sector organizations, civil society groups, academic researchers
The document mandates actions by federal agencies (NIST, CISA) and establishes voluntary mechanisms for private sector entities, public sector organizations, civil society groups, and academic researchers to participate in incident reporting.
9 subdomains (5 Good, 4 Minimal)