Blog Archives - Page 2 of 11

Managing Generative AI Risk and Meeting M-24-10 Mandates on Monitoring & Evaluation

OMBâ€™s memo M-24-10 (5c. Minimum Practices for Safety-Impacting and Rights-Impacting Artificial Intelligence) is prescriptive (and timebound): No later than December 1, 2024 and on an ongoing basis while using new or existing covered safety-impacting or rights-impacting AI, agencies must ensure these practices are followed for the AI: D. Conduct ongoing monitoring. In addition to pre-deployment testing, agencies must institute ongoing procedures to monitor degradation of the AIâ€™s functionality and to detect changes in the AIâ€™s impact on rights and safety. Agencies should also scale up the use of new or updated AI features incrementally where possible to provide adequate time to monitor for adverse performance or outcomes. Agencies should monitor and defend the AI from AI-specific exploits, particularly those that would adversely impact rights and safety. Â E. Regularly evaluate risks from the use of AI. The monitoring process in paragraph (D) must include periodic human reviews to determine whether

Test & Evaluation Techniques for Meeting M-24-10 Mandates to Manage Generative AI Risk

Overview The release of the National Institute of Standards and Technology (NIST)â€™s AI Risk Management Framework (AI RMF) helped put a framework around how testing would enable organizations to manage and mitigate AI risks. While testing is predominantly considered a core part of model development, the NIST AI RMF emphasizes the importance of continuous testing and monitoring of AI. The validity and reliability for deployed AI systems are often assessed by ongoing testing or monitoring that confirms a system is performing as intended. Measurement of validity, accuracy, robustness, and reliability contribute to trustworthiness and should take into consideration that certain types of failures can cause greater harm NIST AI RMF Â§3.1 OMBâ€™s memo M-24-10 goes into detail about the expectations around AI safety testing. Section 5c of the memo (5c. Minimum Practices for Safety-Impacting and Rights-Impacting Artificial Intelligence) has laid out the minimum practices for AI risk management. These are:

Continuous ATO: Going from Authority to Operate (ATO) to Ability to Respond

This white paper explores best practices designed to help reduce the time and cost of ATOs while improving access to risk data using process automation.

Is it time to enforce an Authority-to-Operate (ATO) for Healthcare Organizations?

The Change Healthcare security breach has impacted over 94% of hospitals as reported by the American Health Association (AHA). A cascading set of events was unleashed starting with the Feb 21, 2024 announcement of the data breach at Change Healthcare requiring nearly $2BÂ in advance payments severely impacting nearly 900,000 physicians, 33,000 pharmacies, 5,500 hospitals and 600 laboratories. The security attack is reported to have been caused by a security vulnerability in software provided by ConnectWise and used by Change Healthcare. Security and cybersecurity incidents in healthcare are not new. However, what makes the Change Healthcare security breach standout is the widespread impact and the need for a forceful government response that included the Whitehouse. In many ways this cyberattack mirrors the Colonial Pipeline incident a few years ago where Citizens faced gas shortages serving as a wakeup call to policy makers that cybersecurity incidents can be disruptive to the

GSA Small Business Office and FedRAMP PMO looking for Small Business Cloud Solutions

General Services Administration (GSA), Office of Small and Disadvantaged Business Utilization (OSDBU) and The FedRAMP PMO are hosting a webinar on March 21, 2024 to provide guidance to small business CSPs in becoming FedRAMP authorized. Small businesses are encouraged to attend and register for this free event. The topics that will be covered include: Gain insight into the benefits of partnering with FedRAMP Understand The FedRAMP Authorization process Identify FedRAMP Resources for CSPs Time: Thursday, March 21, 2024 at 1:00 PM in Eastern Time (US and Canada) The registration link is available here. Small businesses with cloud service offerings that cater to federal agencies with innovative SaaS or PaaS solutions should seek FedRAMP accreditation. What is FedRAMP? The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security assessment for commercial cloud service providers (CSPs). Any cloud system hosting federal must be

FedRAMP ATO Prioritization for Generative AI Cloud Solutions

The US Government is continuing to move rapidly to ensure US competitiveness in the area of Artificial Intelligence (AI). The FedRAMP Program Management Office (PMO) published the Emerging Technology Prioritization Framework (ETPF) in January 2024. The ETPF is designed to help accelerate the availability of FedRAMP accredited Gen AI cloud solutions for federal agencies and users. The FedRAMP PMO is soliciting feedback and comments due by March 11, 2024 on the the proposed prioritization framework. Please read our blog to learn more about FedRAMP. US Government agencies including DOD and Federal Civilian agencies spent nearly $3B on AI solutions based on a 2023 report from Stanford University. This spending is expected to grow rapidly as agencies and public sector organizations start production deployments in the near future. To ensure the safe and secure deployment of AI technologies and to drive the development of standards, the Department of Commerce announced the creation

stackArmor Announces Participation in Department of Commerce Consortium Dedicated to AI Safety

**stackArmor will be part of the leading AI stakeholders to help advance the development and deployment of safe, trustworthy AI under new U.S. Government safety institute** MCLEAN, Va.–February 8, 2024–Today, stackArmor announced that it has been selected by the Department of Commerce to join the nation’s leading artificial intelligence (AI) stakeholders to participate in a Department of Commerce initiative to support the development and deployment of trustworthy and safe AI. Established by the Department of Commerce’s National Institute of Standards and Technology (NIST), the U.S. AI Safety Institute Consortium (AISIC) will bring together AI creators and users, academics, government and industry researchers, and civil society organizations to meet this mission. “Understanding that adopting AI in a safe and secure manner is a challenge for public sector agencies due to evolving guidance, standards for risk, and a shortage of resources, it’s of the utmost importance to offer proven solutions to the

stackArmor’s ThreatAlert ATO® Accelerator Supports NIH AIM-AHEAD Program

Solution enables underrepresented communities greater access to AI/ML research capabilities MCLEAN, Va.–(BUSINESS WIRE)–stackArmor, a leading provider of cloud, security and compliance acceleration solutions for meeting FedRAMP, FISMA and CMMC 2.0, today announced it has been supporting Dr. Paul Avillach, one of the Multiple Principal Investigators of the National Institutes of Health (NIH)’s Artificial Intelligence/Machine Learning Consortium to Advance Health Equity and Researcher Diversity (AIM-AHEAD) program. The AIM-AHEAD program mission is to enhance the participation of underrepresented communities in the development of AI/ML models. The program improves the capabilities of this emerging technology, beginning with electronic health records (EHR) and extending to other diverse data to address health disparities and inequities. A lack of diversity of data and researchers in the AI/ML field runs the risk of creating and perpetuating harmful biases in its practice, algorithms and outcomes. “We have been privileged to support Dr. Avillach’s vision to reduce the cost

GAO Report Details FedRAMP ATO Challenges and Costs

The US Government Accountability Office (GAO) released a report on The Federal Risk and Authorization Management Program (FedRAMP®). The 37 page report provides highly relevant insights to both agencies and commercial organizations pursuing FedRAMP accreditations or ATOs. Highlights from the report are presented below. Key Challenges Faced by Agencies and Cloud Service Providers (CSP) Receiving timely responses from stakeholders: Agencies and CSPs reported that they had issues with receiving timely responses from stakeholders throughout the authorization process. Sponsoring CSPs that were not fully prepared Agencies reported that CSPs did not fully understand the FedRAMP process and lacked complete documentation. Lacking sufficient resources: Agencies reported that they lacked the resources (e.g., funding and staffing) needed to sponsor an authorization. Meeting FedRAMP technical and process requirements: CSPs reported that they had to update the infrastructure to meet federal security requirements. Finding an agency sponsor: CSPs reported that finding an agency sponsor was difficult. Engaging

Understanding AI Risk Management – Securing Cloud Services with OWASP LLM Top 10

Welcome back to the era of GenAI, where the world remains captivated by the boundless potential of artificial intelligence. However, the proliferation of AI does not preclude us from considering the new risks it poses. As you may recall, I have been supporting numerous initiatives around AI Risk Management as part of our ATO for AI offering and recently explored the ethical risks surrounding AI using the IEEE CertifAIEd framework. As part of the NIST AI RMF, we need to continue to adopt new and emerging risk management practices unique to AI systems. Today, weâ€™re going to be exploring the other type of risks: the security vulnerability vectors that are unique to AI systems. Today we will be examining the most common of those vectors, called the OWASP LLM Top 10 and how to protect yourself while building solutions using AWS Native AI services. What is the OWASP LLM TopÂ 10?

Accelerating Safe and Secure AI Adoption with ATO for AI: stackArmor Comments on OMB AI Memo

Updated on 5/24/2025 with new developments related to this topic. On May 22, 2025, NIST published a blog stating their intent to leverage existing control frameworks to protect AI systems as opposed to creating new frameworks. stackArmor’s position published in 2023 to use AI Overlays to develop guardrails for AI systems has been accepted as an approach that will be implemented by NIST. Ms. Clare Martorana, U.S. Federal Chief Information Officer, Office of the Federal Chief Information Officer, Office of Management Budget. Subject: Request for Comments on Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence Draft Memorandum Ms. Martorana, We appreciate the opportunity to comment on the proposed Memo on Agency Use of Artificial Intelligence. As the CEO and founder of a small and innovative solutions provider, stackArmor, Inc., headquartered in Tysons VA, I applaud your efforts to foster transparency and solicit ideas and comments.Â We

stackArmor, Carahsoft partner with University of Utah School of Medicine to Accelerate FISMA ATO for NEMSIS

TYSONS CORNER, Va., Dec. 15, 2023 — stackArmor, Inc., a leading provider of FedRAMP, FISMA, CMMC 2.0, NIST AI RMF and StateRAMP compliance acceleration solutions and Carahsoft Technology Corp., the Trusted Government IT Solutions Provider® today announced that it has assisted University of Utah School of Medicine, with successfully obtaining a FISMA Moderate ATO for the National Emergency Medical Services Information System (NEMSIS). NEMSIS is a collaborative system hosted on Amazon Web Services (AWS) to improve prehospital patient care through the standardization, aggregation, and utilization of point of care EMS data at a local, state, and national level. NEMSIS is a program of US Department of Transportation’s National Highway Traffic Safety Administration (NHTSA) Office of EMS and hosted by the University of Utah’s Data Coordinating Center, housed within the School of Medicine. “FISMA is one of the most important regulations regarding Federal data security standards and guidelines. An ATO (Authority To Operate) forms the

Understanding Risk Assessment Standards for Deploying Safe & Secure AI Systems

A blog post by Matthew Venne, Sr. Solutions Director, stackArmor Itâ€™s no secret that Cloud 2.0 will be driven by Artificial Intelligence (AI). The rate at which the world is adopting AI-based solutions is nothing short of staggering; what was once viewed as science fiction, is quickly becoming science fact. With each AI system that gets deployed into the world, another machine takes ownership of decisions previously made by a human. We are currently seeing AI being adopted across all sectors of life: self-driving cars, college admissions, housing applications, the defense industry and more. Â This presents unique challenges and risks that require new thought leadership to properly assess and mitigate. What happens if: An Autonomous Intelligence System (AIS) used for college admissions incorporates a bias against any demographic? An AI-powered smartwatch discovers its owner has a condition they wanted to keep private? An AIS escalates its own privileges to access

All Eyes on AI: Rising Interest, Regulation, and Compliance Requirements

AI is so much more than a buzz term these days. It is a full blown technological revolution commanding the attention of industries and sectors across the board. Its surging role is particularly evident in the public sector where government and federal agencies are flocking to capture the benefits of the emerging tech. Take the Department of State for example. In order to automate the time-consuming task of documentation processing and declassification, the department has instituted an AI-driven pilot project that helps to streamline reviews. AI Initiatives from The White House and Public Sector But as AI gains traction, there is also a rush to get ahead of its challenges. In a talk hosted by the Information Technology Industry Council, Arati Prabhakar, the director of the White House’s Office of Science and Technology Policy, discussed an expected executive order that focuses on balancing opportunity with risk. Of course, that became

FedRAMP and Federal Cybersecurity Market Roundup October 2023

October was a busy month for FedRAMP. From Federal Secure Cloud Advisory Committee (FSCAC) meetings to an automation overhaul, there were a slew of activities aiming to further prepare the program for the future it faces and will need to serve. Developing the Next Generation of FedRAMP The push to really explore FedRAMP’s upcoming chapter began with the first FSCAC meeting of the month on October 19. The focus of this particular gathering was to delve further into the Cloud Solution Provider (CSP) Authorization Path and offer an opportunity to present insights on how to enhance this process. The following convening on October 26 was centered around the growing role of Continuous Monitoring (ConMon), also offering an opening of the floor to discuss input that would lead to draft recommendations. But the key theme that keeps recurring is automation. While the forthcoming November meetings will tune more deeply into equipping

stackCast Episode #4: Nick Mistry, SVP and CISO at Lineaje

On a new episode of stackCast (powered by stackArmor), host Martin Rieger, Chief Solutions Officer & CISO at stackArmor, welcomes the SVP and CISO at Lineaje, Nick Mistry. The two discuss: The importance of software supply chain security and why it has been mandated by some government programs such as FedRAMP and FISMA The overview of a Software Bill of Materials (SBOM) and breakdown of transitive dependencies vs. dependencies Why Lineaje developed an SBOM exchange platform (SBOM360 Hub) and how it works How SBOM360 Hub impacts the overall security posture of a company To learn more about Lineaje and how they solve critical Software Supply Chain security problems faced by every organization that builds, uses, or sells software, please visit: https://www.lineaje.dev/. – About stackCast: Welcome to stackCast, powered by stackArmor, your go-to source for all things related to cloud security and cybersecurity compliance. Hosted by Martin Rieger, Chief Solutions Officer

Accelerating FedRAMP ATOs: OMB Memo

The Office of Management and Budget (OMB) released a Draft Memorandum for Modernizing the Federal Risk and Authorization Management Program (FedRAMP) on Friday, Oct 27, 2023. FedRAMP was codified in 2022 when Congress passed the FedRAMP Authorization Act (“Act”). The Act established FedRAMP within the General Services Administration (GSA) and created a FedRAMP Board to provide input and recommendations to the Administrator of GSA. FedRAMP has been in place through a Office of Management and Budget (OMB) memorandum in December 2011. OMB released the DRAFT Memorandum that has a number of highlights. Salient elements of the proposed changes are summarized below from our perspective in having supported over 200 system migrations and ATOs since 2009 when we supported the first Government wide Cloud Authorization To Operate (ATO) in May 2010 for Recovery.gov and then the first Cabinet Agency Cloud ATO in Dec 2010 for Treasury.gov. SaaS focus: OMB has a

Suzette Kent Joins stackArmor AI Risk Management Center of Excellence (CoE) 

By: Gaurav “GP” Pal, Founder and CEO, stackArmor Last month at stackArmor, we announced the establishment of our AI Risk Management Center of Excellence (CoE), comprised of executives with strong operational backgrounds and experience driving large-scale modernization efforts in Federal agencies. We’re pleased to share that Suzette Kent, former Federal Chief Information Officer for the United States, is joining the stackArmor CoE to advise and provide ongoing counsel to stackArmor and its stakeholders. “Harnessing the power of AI for delivery of government mission and services will be transformational,” said Suzette Kent. “But, it is complicated to align all the emerging policy, risk frameworks, approval processes and existing policy and law. I am thrilled to be included in the COE because I have seen the work of the stackArmor team to drill down to details and find a path to connect all the pieces. We can only get to use of

FedRAMP and Federal Cybersecurity Market Roundup September 2023

It’s been a few weeks now since Carahsoft’s FedRAMP Headliner Summit, but there is no shortage of moments to recall from it. For instance, Robert Costello commemorated his two-year anniversary as CIO at the Cybersecurity and Infrastructure Security Agency (CISA) during the event. While speaking on his role, he explained the difference that has unfolded, including a greater emphasis on having technically savvy federal employees. As quoted by MeriTalk, he stated, “We’re now doing cutting-edge technology solutions, providing services to the agencies that we weren’t before…” Growing Demand for Cloud Services It’s an important point that agencies such as CISA are enhancing tech skills. With growing risk, expanding innovations, and rising regulations, the demand is higher than ever. This is seen in funding initiatives as well. According to Government Technology, the federal government is preparing to distribute $1 billion to states and cities in order to support their cybersecurity plans.

Implementing Zero Trust with Okta’s Identity Engine

By: Matthew Venne, Senior Solutions Director In an increasingly interconnected world, securing digital assets and sensitive information has never been more critical. In a never-ending game of â€œcat and mouse, malicious actors and cyber security professionals go back and forth trying to one-up each other.Â Â As a result, the security required to protect digital assets has outgrown the â€œtraditionalâ€ perimeter-based security model, where processes and identities are typically only authenticated once and then implicitly trusted.Â Â To adapt to the new network complexity, a new model, the â€œZero Trustâ€ security model, has gained prominence as a more robust and effective approach to safeguarding data and systems. Â Okta, a leading identity and access management (IAM) solution provider, has recently introduced its Identity Engine to implement Zero Trust principles. In this blog post, we will delve into how Okta’s Identity Engine implements Zero Trust and the benefits it offers for modern organizations. Understanding

stackArmor Launches ATO for AI™ Governance Model To Help Public Sector Organizations Safely and Securely Accelerate AI Adoption

Solution receives industry backing with newly established AI Risk Management Center of Excellence (CoE) MCLEAN, Va., September 27, 2023 – stackArmor, the leader in security and compliance acceleration for government organizations, today announced its Approval To Operate (ATO) for AI™ accelerator, that helps public sector and government organizations rapidly implement security and governance controls to manage risks associated with Generative AI and General AI Systems. ATO for AI™ builds on the decades of experience in managing digital and information systems risk using open NIST standards like NIST RMF, NIST SP 800-53 and NIST SP 800-171 and integrates them with emerging frameworks like NIST AI RMF specifically tailored to manage AI risk. As organizations across the globe reap the benefits of AI for automated decision-making and data analysis, the Biden administration recently issued a fact sheet announcing commitments from eight AI companies to manage the risks posed by AI. The document notes the

stackCast Episode #3: Stephen de Vries, CEO at IriusRisk

On a new episode of stackCast (powered by stackArmor), host Martin Rieger, Chief Solutions Officer & CISO at stackArmor, welcomes the CEO at IriusRisk, Stephen de Vries. The two discuss: What threat modeling is, and why it’s crucial in today’s digital landscape How IriusRisk automates the threat modeling process How IriusRisk breaks down silos between Security and Development The guide to how companies can invest in security Compliance and how working with G-SIBs comes with a unique challenge To learn more about IriusRisk and how they automate the threat modeling process, please visit: https://www.iriusrisk.com/. —- About stackCast: Welcome to stackCast, powered by stackArmor, your go-to source for all things related to cloud security and cybersecurity compliance. Hosted by Martin Rieger, Chief Solutions Officer & CISO at stackArmor, the series focuses on navigating the ever-changing landscape of cloud technology and cybersecurity. In a world where our reliance on digital technology is

Looking Forward to the GovForward FedRAMP Headliner Summit

What’s the cloud hanging over cloud service providers’ heads? The rapidly evolving threat landscape. It’s challenging to keep up with the pace and scale of risk, which is especially true when you are working with clients as essential as federal government agencies. Therefore, it’s critical to not only maintain cyber hygiene, but to anticipate what’s lurking. One key way to help reach those goals is to band together with other cybersecurity experts to exchange ideas, discuss the topics impacting everyday tasks, explore solutions, and brainstorm on what’s ahead. Cue the GovForward FedRAMP Headliner Summit presented by GovExec. GovForward FedRAMP Headliner Summit On August 23, leaders across the cybersecurity, cloud technology, government, and military fields will descend on the Waldorf Astoria in Washington, D.C. for conversations ranging from the need to better protect critical infrastructure to the state of cloud adoption. The main overarching theme, though, will be examining the impact

FedRAMP and Federal Cybersecurity Market Roundup August 2023

If federal cybersecurity were a play, regulatory programs such as FedRAMP would be like the directors helping to guide all of the participating actors properly execute their parts and bring the vision to life. And with the spotlight growing brighter due to the mass digital migration, evolving tech landscape, and expanding threat environment, they recently brought in some new stage managers to help. 2nd Meeting of the Federal Secure Cloud Advisory Committee (FSCAC) In compliance with the FedRAMP Authorization Act of 2022, the General Services Administration (GSA) established the Federal Secure Cloud Advisory Committee (FSCAC), an alliance of 14 private and public sector representatives stemming from companies such as Google to agencies such as the Defense Information Systems Agency. According to the Federal Register, FSCAC’s purpose is to “provide advice and recommendations to the Administrator of GSA, the FedRAMP Board, and agencies on technical, financial, programmatic, and operational matters regarding