The National Security Agency’s Artificial Intelligence Security Center, in collaboration with U.S. and international partners, has released new guidance on deploying secure and resilient artificial intelligence systems.

NSA said Monday the document aims to guide organizations in implementing and operating AI technologies designed and developed by another entity and employing mitigations to counter security threats posed by the systems.

“AI brings unprecedented opportunity, but also can present opportunities for malicious activity. NSA is uniquely positioned to provide cybersecurity guidance, AI expertise, and advanced threat analysis,” said Dave Luber, cybersecurity director at NSA.

The guidance builds on the newly released Guidelines for Secure AI System Development and Engaging with Artificial Intelligence documents and outlines best practices that align with cybersecurity performance goals developed by the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology.

AISC developed the cybersecurity information sheet in partnership with CISA, the FBI, the Australian Signals Directorate’s Australian Cyber Security Centre, the Canadian Centre for Cyber Security, the New Zealand National Cyber Security Centre and the U.K. National Cyber Security Centre.

The Potomac Officers Club will host the 2024 Cyber Summit on June 6 to hear from government and industry experts about the dynamic and ever-evolving role of cyber in the public sector. Register here!

The Department of Defense’s Office of the Chief Information Officer has released a document meant to serve as guidance for defense agencies seeking to achieve continuous authorization, or cATO, to operate for DevSecOps platforms and other applications produced by a software factory as part of efforts to counter cyberthreats.

The DevSecOps Continuous Authorization Implementation Guide states that the authorizing official should demonstrate three competencies to reach cATO: continuous monitoring of risk management framework controls, active cyber defense and use of an approved DevSecOps reference design for a software factory with a secure software supply chain.

A cATO assessment ensures the software factory includes a holistic set of information to enable continuous risk analysis against agreed-to risk tolerances, feedback from cyber operations on unexpected changes in incident analysis, security configurations and other factors and continuous security posture and risk reporting, according to the document that was cleared for publication Thursday.

The guidance has classified key practices into three categories: DevSecOps platform, cATO process and DevSecOps team or people.

For instance, several cATO practices apply with regard to the DevSecOps platform, including the use of a cybersecurity service provider for monitoring the system single authorization boundary for malicious threat actor actions, development of a continuous monitoring strategy and use of security automation for tracking the application security posture within the production system.

In February 2022, the Pentagon issued a memorandum providing guidance on the necessary steps to do to allow systems to operate under a cATO state.

Register here to join the Potomac Officers Club’s 5th Annual CIO Summit on April 17 and learn more about the latest modernization strategies and how industry can help meet the priorities of federal CIOs.

U.S. Cyber Command is growing its acquisition team and advancing the use of flexible procurement strategies as it plays an increasing role in the Department of Defense’s cyber procurement efforts, Federal News Network reported Monday.

“So we’s expanding our ability to acquire cyber goods, cyber services for the DoD in an integrated and holistic way,” Courtney Maggiulli, program executive officer for cyber, J9 acquisition and technology at CYBERCOM, said at a conference.

Maggiulli noted that her PEO intends to add 50 billets in 2024 as part of efforts to expand its workforce and that the command is advancing the adoption of non-traditional approaches to acquire and integrate cyber capabilities, including its use of DOD’s Adaptive Acquisition Framework.

She pointed to the framework’s software acquisition pathway and the middle tier of acquisition pathway, which she considers as “allowable ways to pursue acquisition that have strategies that are more responsive and tailored to the types of acquisitions we’re doing.”

The software pathway uses DevSecOps and Agile development practices, while the middle-tier acquisition seeks to facilitate rapid prototyping and fielding efforts.

“We’re being given flexibilities and tools by Congress that allow us to be faster and more responsive for the type of acquisition we’re doing with cyber,” Maggiulli said.

Join the Potomac Officers Club’s 2024 Cyber Summit on June 6 and hear cyber experts, government and industry leaders discuss the latest trends and the dynamic role of cyber in the public sector. Register here.