SECURITY FOR GenAI - 4986.11

(New: 02/2025)

 

Scope:

This Chapter of the GenAI Policy applies to all State Entities.

Policy:

A.  Security Incident Reporting

1. Violations or incidents involving the use, disclosure, or breach of GenAI and state data must be addressed through a clearly defined reporting and escalation process. This process should be integrated into the State Entity’s Incident Response Plan and Playbook, ensuring compliance with the standards outlined in SIMM 5340-A Incident Reporting and Response Instructions and SIMM 5340-C Requirements to Respond to Incidents Involving a Breach of Personal Information.
2. A State Entity must promptly report all suspected or confirmed violations and incidents to oversight agencies.
   1. New identified threats and Tactics, Techniques, and Procedures (TTPs) must be reported to oversight agencies.

B.  Security Frameworks

1. A State Entity should leverage the NIST AI Risk Management Framework (AI RMF) to identify, assess, and mitigate risks associated with GenAI, ensuring their development and use align with principles of reliability, fairness, and accountability.
2. A State Entity must document potential risks associated with GenAI throughout their lifecycle, including technical, operational, privacy, legal, ethical, and societal risks in their risk register.
3. A State Entity must ensure that all GenAI adheres to NIST 800-53 Security and Privacy Controls for Information Systems and Organizations to help ensure SIMM and SAM policies are met at a minimum baseline.

C.  Security Compliance

1. A State Entity must inventory and document all GenAI systems in a Business Impact Analysis and System Security Plan (SSP) that is submitted with the State Entity’s Technology Recovery Plan as outlined in SIMM 5325-A Technology Recovery Plan Instructions and SIMM 5325-B Technology Recovery Program Certification.
   1. All data for GenAI must be classified and documented in their SSPs if applicable.
2. All GenAI (procured or developed by a State Entity) must have an associated SIMM 5305-F Generative Artificial Intelligence Risk Assessment and SIMM 5310-C Privacy Threshold Assessment and Privacy Impact Assessment, unless specifically exempted, as detailed in SAM 4986.9, GenAI Procurement.
3. All GenAI systems must align with SAM 5335 Information Security Monitoring Policy for real time continuous monitoring. Work tools with, GenAI features, are also to align and be monitored in accordance with SAM 5335 when available.
4. A State Entity must continuously oversee and monitor new, ongoing, and changing security, privacy, and operational risks for any GenAI use.
   1. State entity must implement controls and safeguards to mitigate identified risks outlined in SIMM 5345-A Vulnerability Management Standard and ensure compliance with applicable laws, regulations, and ethical standards.
5. A State Entity must approach all GenAI from a Zero Trust Architecture perspective.

References:

SAM 4986.9; SAM 5335; SIMM 5305-F; SIMM 5310-C; SIMM 5325-A; SIMM 5325-B; SIMM 5335-A; SIMM 5340-A; SIMM 5340-C; SIMM 5345-A