Title page

Contents

Executive Summary 2

Introduction 5

Current and Proposed AI Regulations and Rules 6

Cybersecurity Risk Management in Contracts as a Case Study for AI 7

Cybersecurity Procurement Challenges and Lessons for AI 9

Balancing the Level of Risk Management with the Level of Risk Impact 9

Recommendation 10

Balancing Trust in Vendors' Commitment to Risk Management Practices with Government's Need for Verification 11

Recommendation 13

Appropriately Preparing the Acquisition Workforce 13

Recommendation 15

Third-Party Auditing Concerns 15

Recommendation 16

Incident Sharing and Reporting Enforcement 17

Recommendation 18

Summary of Recommendations for AI Risk Management 19

Conclusion 20

Author 21

Acknowledgments 21

Endnotes 22

Table 1. Summary of the Documents NIST Developed in Compliance with FISMA Directives 10