An official website of the United States government
Here's how you know
A .gov website belongs to an official government organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Press Release | Nov. 27, 2023

Guidance for Securing AI Issued by NSA, NCSC-UK, CISA, and Partners

FORT MEADE, Md.- The National Security Agency (NSA), UK National Cyber Security Centre (NCSC-UK), U.S Cybersecurity and Infrastructure Security Agency (CISA), and other partners have released “Guidelines for Secure AI System Development,” a Cybersecurity Information Sheet (CSI).

The agencies are releasing the report to help developers, providers, and systems owners develop, deploy, and operate secure Artificial Intelligence (AI) systems, including those used in National Security Systems (NSS), by the Department of Defense (DoD), and by the Defense Industrial Base (DIB).

“We wish we could rewind time and bake security into the start of the internet. We have that opportunity today with AI. We need to seize the chance,” said Rob Joyce, NSA Cybersecurity Director.

According to the CSI, AI systems are subject to security vulnerabilities that need to be considered alongside standard cyber threats. For example, AI systems are vulnerable to “adversarial machine learning” (AML) attacks, which exploit fundamental vulnerabilities in machine learning (ML) systems, including hardware, software, workflows, and supply chains. Prompt injection and training data poisoning are examples of AML attacks that could enable malicious cyber actors to compromise an ML model’s classification or regression performance, perform unauthorized actions, or extract sensitive information.

The CSI indicates that secure by design principles are applicable to AI systems. Providers of AI components should implement security controls by design and default within their ML models, pipelines, and systems. Accordingly, the CSI focuses on four key areas of AI system development: secure design, secure development, secure deployment, and secure operation.

The UK National Cyber Security Centre (NCSC-UK) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) co-authored the CSI with NSA and other partners.
The authoring agencies advise that this CSI does not replace general cybersecurity best practices and risk management programs. Recommendations in the CSI should be considered in conjunction with established cybersecurity, risk management, and incident response best practices.

Read the full report here.
Visit our full library for more cybersecurity information and technical guidance.

NSA Media Relations