This is the thirtieth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through September 2023. This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during October 2023.
Biden Administration Announces Artificial Intelligence (“AI”) Executive Order
On October 30, 2023, the Biden Administration issued its new Executive Order on Artificial Intelligence, setting out a comprehensive strategy to support the development of safe and secure AI. According to the Administration’s Fact Sheet, the Executive Order establishes new AI safety and security standards, protects privacy, advances equity and civil rights, protects workers, consumers, and patients, promotes innovation and competition, and advances American leadership. For example, as relevant to government contractors and critical infrastructure, the AI Executive Order:
· Sharing Results – Will “require that companies developing any foundation model that poses a serious risk to national security, national economic security, or national public health and safety must notify the federal government when training the model, and must share the results of all red-team safety tests[,]” in accordance with the Defense Production Act.
· AI Standards – Directs the U.S. National Institute of Standards and Technology (“NIST”) to “set the rigorous standards for extensive red-team testing to ensure safety before public release[,]” which will be applied to critical infrastructure sectors by the U.S. Department of Homeland Security (“DHS”).
The AI Executive Order follows the administration’s earlier Blueprint for an AI Bill of Rights, which was published in September 2022, as well as other developments in the administration’s cybersecurity efforts more broadly, such as the Cyber EO and U.S. National Cybersecurity Strategy. A more detailed discussion of the AI Executive Order is available in our prior post.
The U.S. Office of Management and Budget (“OMB”) Releases Implementation Guidance Following President Biden’s AI Executive Order
On November 1, 2023, OMB released draft guidance on Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence. (While we know that November 1st is not part of October, we decided to include this update as part of this post to accompany the reporting on the AI Executive Order.) The draft guidance would implement many of the provisions of the AI Executive Order. For example, the draft guidance would direct federal agencies to:
· “Designate Chief AI Officers, who would have the responsibility to advise agency leadership on AI[;]”
· “Remove unnecessary barriers to the responsible use of AI, including those related to insufficient information technology infrastructure[;]” and
· “Provide recommendations for managing risk in federal procurement of AI[,]” among other actions.
OMB is accepting public comments on the draft guidance until December 5, 2023.
Federal Acquisition Regulation (“FAR”) Council Releases New Proposed Cybersecurity Rules
On October 3, 2023, the FAR Council released two new proposed cybersecurity rules on (1) Cyber Threat and Incident Reporting and Information Sharing and (2) Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems. Both of these proposed rules arise under the Cyber EO.
The proposed cyber threat and incident reporting rule implements recommendations made by OMB and CISA concerning the cybersecurity incident reporting obligations of federal contractors. Specifically, the cyber threat and incident reporting rule amends provisions of several existing FAR Subparts and introduces new FAR clauses for contracting officers to incorporate into future solicitations and contract actions. The proposed rule also adds new FAR definitions and expands others. For example, the proposed rule broadly expands the definition of “Information and Communications Technology (ICT)” by specifying that operational technology, such as industrial control systems, building management systems and physical access control mechanisms, are covered by the rule. A more detailed discussion of the Cyber Threat and Incident Reporting and Information Sharing proposed rule is available here. The second proposed rule, Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems, will be the subject of a forthcoming post.