House panel moves bill that adds AI systems to National Vulnerability Database | CyberScoop<\/title> <meta name=\"description\" content=\"The AI Incident Reporting and Security Enhancement Act would put NIST in charge of setting up a vulnerability reporting process for AI systems.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/nist-artificial-intelligence-vulnerability-reporting-congress\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"House panel moves bill that adds AI systems to National Vulnerability Database\"> <meta property=\"og:description\" content=\"The AI Incident Reporting and Security Enhancement Act would put NIST in charge of setting up a vulnerability reporting process for AI systems.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/nist-artificial-intelligence-vulnerability-reporting-congress\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-09-25T21:07:08+00:00\"> <meta property=\"article:modified_time\" content=\"2024-09-25T21:07:40+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/house-panel-moves-bill-that-adds-ai-systems-to-national-vulnerability-database-2.jpg\"> <meta property=\"og:image:width\" content=\"1024\"> <meta property=\"og:image:height\" content=\"683\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"djohnson\"> <meta name=\"twitter:card\" content=\"summary_large_image\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1725982252g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1726846296g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1727276187g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ada0ad45b21fc79c6694\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/81921\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.6.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=81921\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fnist-artificial-intelligence-vulnerability-reporting-congress%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fnist-artificial-intelligence-vulnerability-reporting-congress%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-81921 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/nist-artificial-intelligence-vulnerability-reporting-congress\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"4.952380952381\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Voting is open for the 2024 CyberScoop 50 awards! <\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/vote\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.170415224913\">\n<div class=\"single-article__header-content\" readability=\"29.52\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/cybersecurity\/\"> <span>Cybersecurity<\/span> <\/a> <\/li>\n<\/ul>\n<p> The AI Incident Reporting and Security Enhancement Act would put NIST in charge of setting up a vulnerability reporting process for AI systems. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"427\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/house-panel-moves-bill-that-adds-ai-systems-to-national-vulnerability-database.jpg?resize=640%2C427&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/house-panel-moves-bill-that-adds-ai-systems-to-national-vulnerability-database-2.jpg 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/house-panel-moves-bill-that-adds-ai-systems-to-national-vulnerability-database-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/house-panel-moves-bill-that-adds-ai-systems-to-national-vulnerability-database-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/house-panel-moves-bill-that-adds-ai-systems-to-national-vulnerability-database-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/house-panel-moves-bill-that-adds-ai-systems-to-national-vulnerability-database-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/house-panel-moves-bill-that-adds-ai-systems-to-national-vulnerability-database-2.jpg?resize=505,337 505w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/house-panel-moves-bill-that-adds-ai-systems-to-national-vulnerability-database-2.jpg?resize=1012,675 1012w\" sizes=\"(max-width: 1012px) 100vw, 1012px\"><figcaption> Rep. Deborah Ross, D-N.C., speaks during a press conference in Washington, D.C., on June 3, 2024. Legislation from Ross and two colleagues to add AI systems to the National Vulnerability Database cleared a House panel on Sept. 25, 2024. (Photo by ALLISON BAILEY\/Middle East Images\/AFP via Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"42.99474525931\"><body readability=\"86.763013340309\"><\/p>\n<p>A bill that would push the National Institute of Standards and Technology to set up a formal process for reporting security vulnerabilities in AI systems sailed through a House committee Wednesday.<\/p>\n<p>The<a href=\"https:\/\/republicans-science.house.gov\/_cache\/files\/4\/7\/47ce9171-cedc-43d7-ae3d-22365e67abb8\/109CDADFF56C83D71A8ACB5F6F5E1343.h.r.-9720.pdf\"> AI Incident Reporting and Security Enhancement Act<\/a>, introduced by Reps. Deborah Ross, D-N.C., Jay Obernolte, R-Calif., and Don Beyer, D-Va., was approved via voice vote by the House Science, Space and Technology Committee.<\/p>\n<p>It would direct NIST to add AI systems to the<a href=\"https:\/\/nvd.nist.gov\/\"> National Vulnerability Database<\/a>, the federal government\u2019s centralized repository for tracking cybersecurity vulnerabilities in software and hardware. It would also require the agency to consult with other federal agencies, like the Cybersecurity and Infrastructure Security Agency, the private sector, standards organizations and civil society groups to establish common definitions, terminology and standardized reporting rules for AI security incidents.<\/p>\n<p>Ross noted that the introduction of<a href=\"https:\/\/www.warner.senate.gov\/public\/index.cfm\/2024\/5\/warner-tillis-introduce-legislation-to-advance-security-of-artificial-intelligence-ecosystem\"> companion legislation<\/a> in May from Sens. Mark Warner, D-Va., and Thom Tillis, R-N.C., means that \u201cwe have friends in the Senate\u201d who can help pass the bill into law.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>However, the bill includes language specifying that these actions are \u201csubject to the availability of appropriations,\u201d and Ross acknowledged \u201csignificant funding and scaling challenges that NIST has with the NVD\u201d under its existing workload.<\/p>\n<p>NIST has had well-established challenges managing the ballooning number of vulnerabilities it is already responsible for tracking and analyzing. In February, the agency temporarily stopped enriching data around reported security vulnerabilities \u2014 a process where agency analysts tag and connect specific vulnerability entries to other relevant public information. Cybersecurity practitioners have said NIST\u2019s enrichment work adds invaluable context that organizations use to address existing vulnerabilities.<\/p>\n<p>In March, Tanya Brewer, who manages NIST\u2019s NVD program, cited budget cuts, flat staff growth and an exponential increase in incoming email traffic related to the database over the past four years as <a href=\"https:\/\/cyberscoop.com\/plan-to-resuscitate-beleaguered-vulnerability-database-draws-criticism\/\">reasons for the pause<\/a>. <\/p>\n<p>\u201cMy colleagues and I on this committee are actively exploring solutions to help NIST address this problem and get the money,\u201d Ross said.<\/p>\n<p>Obernolte referenced a number of high-profile cybersecurity incidents over the past three years, including the 2021<a href=\"https:\/\/cyberscoop.com\/house-homeland-colonial-hearing-coordination\/\"> Colonial Pipeline<\/a> ransomware attack, the<a href=\"https:\/\/cyberscoop.com\/unitedhealth-group-steven-martin-ciso-ransomware-attack-recovery\/\"> Change Healthcare<\/a> hack and a<a href=\"https:\/\/cyberscoop.com\/crowdstrike-exec-apologizes-congressional-hearing-it-outage\/\"> CrowdStrike bug<\/a> that crashed systems across the globe as examples of how software glitches and vulnerabilities can severely disrupt the flow of supply chains.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>This threat \u201cis especially true with AI systems, since they tend to be not only less deterministic but also less understood,\u201d he said, adding that he intends to fight for the bill to get a full House vote later this year.<\/p>\n<p>Although the bill passed by voice vote, some members raised concerns. Rep. Bill Posey, R-Fla., signaled his support for the underlying bill but said that more work is needed to define terms like \u201csubstantial artificial intelligence security incident\u201d and \u201cintelligence incident\u201d and measures to ensure that civil society groups invited to provide input don\u2019t include foreign standards organizations from China and other adversarial nations.<\/p>\n<p>Such scoping is particularly necessary, Posey said, in light of a recent Supreme Court<a href=\"https:\/\/fedscoop.com\/chevron-downfall-highlights-clear-ai-law-need\/\"> ruling<\/a> that overturned the so-called \u201cChevron doctrine,\u201d a legal precedent whereby courts defer to federal agencies to interpret how to implement laws passed by Congress. <\/p>\n<p>\u201cThese really jumped out at me post-Chevron,\u201d Posey said. \u201cThat elected people should really decide the spectrum at which we want them to operate and not let the bureaucracy take off again with a free wheel to do whatever they want.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.5443037974684\">\n<div class=\"author-card\" readability=\"13\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/house-panel-moves-bill-that-adds-ai-systems-to-national-vulnerability-database-1.jpg?w=640&ssl=1\" alt=\"Derek B. Johnson\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Derek B. Johnson<\/h4>\n<p> Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor\u2019s degree in print journalism from Hofstra University in New York and a master\u2019s degree in public policy from George Mason University in Virginia. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/nist-artificial-intelligence-vulnerability-reporting-congress\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>House panel moves bill that adds AI systems to National<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[384,655,78,927,2759],"tags":[388,657,86,929,2760],"class_list":["post-5476","post","type-post","status-publish","format-standard","hentry","category-artificial-intelligence-ai","category-congress","category-cybersecurity","category-nist","category-vulnerability-reporting","tag-artificial-intelligence-ai","tag-congress","tag-cybersecurity","tag-nist","tag-vulnerability-reporting"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/artificial-intelligence-ai\/\" rel=\"category tag\">artificial intelligence (AI)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/congress\/\" rel=\"category tag\">Congress<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/nist\/\" rel=\"category tag\">NIST<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/vulnerability-reporting\/\" rel=\"category tag\">vulnerability reporting<\/a>","tag_info":"vulnerability reporting","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5476","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=5476"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5476\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=5476"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=5476"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=5476"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":5476,"date":"2024-09-25T16:07:08","date_gmt":"2024-09-25T21:07:08","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=81921"},"modified":"2024-09-25T16:07:08","modified_gmt":"2024-09-25T21:07:08","slug":"house-panel-moves-bill-that-adds-ai-systems-to-national-vulnerability-database","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/09\/25\/house-panel-moves-bill-that-adds-ai-systems-to-national-vulnerability-database\/","title":{"rendered":"House panel moves bill that adds AI systems to National Vulnerability Database"},"content":{"rendered":"