Accelerating NIST AI RMF Implementation in the Federal Enterprise with ATO for AITM

Extending Existing Risk Management Frameworks to AI Systems can help Accelerate Safe Adoption of AI to Drive Performance
Efficiencies in Public Sector and Critical Infrastructure Industries

The Whitehouse Executive Order (EO 144110) on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence directs Agency Chief Information Officers, Chief Information Security Officers, and authorizing officials to operationalize generative AI and other critical and emerging technologies. Agencies must incorporate risk management tailored to AI systems. The NIST AI Risk Management Framework (NIST AI 100-1) helps manage the many risks of AI and promote trustworthy and responsible development and use of AI systems. Given the stringent timelines associated with implementing strong governance and risk management protocols, agencies should consider augmenting and enhancing existing risk management models such NIST RMF and NIST SP 800-53 to define an implementable risk management profile for AI.

ATO for AITM: An Open Standards-based Governance Model

NIST AI RMF (NIST AI 100-1) provides a starting point for organizations to understand and assess risk associated with AI systems. Organizations must find systematic and consistent ways to enable actions to manage AI risks and responsibly develop trustworthy AI systems. To deploy trustworthy AI systems, the NIST AI RMF defines four functions: Govern, Map, Measure and Manage. Each of these high-level functions is broken down into categories and subcategories. Categories and subcategories are subdivided into specific actions and outcomes. Actions do not constitute a checklist, nor are they necessarily an ordered set of steps. Hence there is a need for an actionable set of instructions, steps and specific guidance on how best to implement risk management capabilities. This gap can be filled by mapping NIST AI RMF risk categories to NIST SP 800-53 controls and implementing a governance model that builds upon existing practices covering cybersecurity risk to now include AI specific risks like bias, safety and explainability. By starting with NIST AI RMF risk categories and mapping them to NIST SP 800-53 controls with AI overlays and executing the NIST RMF activities we get

Figure: ATO for AITM is open and NIST standards-based governance model for managing AI systems risk in Defense, Government and Critical Infrastructure as it based on NIST AI RMF, NIST SP 800-53, NIST SP 800-37 and FedRAMP

Extending and adapting existing cyber risk management programs with AI overlays to address safety, bias and explainability can help public sector organizations start deploying AI systems faster – safely! stackArmor’s novel approach of mapping NIST AI RMF risk categories to security, governance, and risk management security controls codified in NIST SP 800-53, avoids the cost and time delay of creating a new governance framework. By tailoring control implementations specifically for managing AI Systems risk, organizations can reduce the time and cost of delivering secure and trustworthy AI. The ATO for AITM governance model allows risk management and security professionals that have experience with NIST RMF, FedRAMP, StateRAMP and NIST CSF to jumpstart immediate measures to address AI risk, security, and governance issues. By tailoring security control implementations specifically for managing AI Systems risk, organizations can reduce the time and cost of delivering secure and trustworthy AI. The ATO for AITM governance model allows risk management and security professionals that have experience with NIST RMF, FedRAMP, StateRAMP and NIST CSF to jumpstart immediate measures to address AI risk, security and governance issues. The benefits of using the NIST AI RMF mapping to NIST SP 800-53 security and privacy controls unlocks highly repeatable procedures for risk management familiar to security practitioners and provides a verifiable objective metric that helps drive measurable assessments. Additionally, once the applicable controls are identified, the associated testing and verification procedures can be also identified and applied as shown in the infographic below.

Figure: Ensure the security of the AI system by applying NIST AI RMF risk categories to security controls defined in NIST SP 800- 53 and standardized assessment/testing procedures codified in NIST SP 800-53A

"Harnessing the power of AI for delivery of government mission and services will be transformational. But, it is complicated to align all the emerging policy, risk frameworks, approval processes and existing policy and law. I am thrilled to be included in the COE because I have seen the work of the stackArmor team to drill down to details and find a path to connect all the pieces. We can only get to use of operational AI at scale by working through these details. I hope the output of the COE will deliver tools that agencies can use to move faster and to confidently scale AI capabilities.”

“Managing risk associated with AI systems is essential to ensuring Government’s ability to improve agency effectiveness and efficiency using next generation AI and Automated Decision Support systems. stackArmor’s systems engineering approach to applying NIST security controls to AI systems provides a reasonable blueprint for AI risk management.”

“The adoption of risk-based methods for managing and governing AI systems that leverage security controls defined in NIST SP 800-53 Rev 5 as well as established governance programs like FedRAMP can help agencies adopt AI more rapidly. Reducing the time and cost burden on agencies and supporting contractors by enhancing existing protocols is critical to ensuring timely deployment of AI systems for supporting the government mission.” 

“ATO for AI offers government agencies a fiscally prudent pathway to safe and secure AI adoption that builds upon lessons learned upon implementing existing governance frameworks like FISMA and FedRAMP. stackArmor’s approach of operationalizing NIST AI RMF with actionable control implementations can help agencies accelerate safe AI systems adoption without having to retrain thousands of program, acquisition and IT specialists on new governance models for AI.”

Scope of Services and Topics​

  • Principles for Designing a Safe and Secure Risk Management System for AI
  • Control Specific Guidance for AI Systems
  • ATO for AI Toolkit

Contact Us