Governance & Program Info
FirstNet & Public Safety AI — Governance
Cross-builder institution context and per-item ownership, due dates, status, and next actions for the governance-relevant checklist items in this builder.
Institution context
Program info
Applies across every builder in the app. Stored locally; nothing leaves the browser.
Checklist governance
Items (13)
Annotate ownership, due date, status, and next action. Items on the left come from the builder's governance / compliance phases.
05 · Governance & Compliance
Map NIST SP 800-53 High baseline controls
Confirm the High baseline controls applicable to the AI stack — training pipeline, inference runtime, feature store, audit log.
05 · Governance & Compliance
Obtain or inherit FedRAMP authorization at target level
FedRAMP High, Moderate, or Agency ATO as dictated by Phase 1 scope.
05 · Governance & Compliance
Continuous monitoring / ConMon program
FedRAMP and NIST 800-53 both require continuous monitoring — vulnerability scanning, POA&M, monthly reporting.
05 · Governance & Compliance
Map CJIS Security Policy areas applicable to the AI stack
The 13 CJIS policy areas apply to any system touching CJI — including Advanced Authentication, media protection, and physical protection.
05 · Governance & Compliance
Enforce Advanced Authentication for model operators
CJIS-compliant MFA for every operator, admin, and service account that touches CJI-derived outputs.
05 · Governance & Compliance
Apply CJIS media protection to model artifacts and logs
Model weights trained on CJI, inference logs, and audit records all fall under CJIS media protection — FIPS-validated encryption at rest and controlled disposal.
05 · Governance & Compliance
Conduct CJIS personnel security screening for operators
Fingerprint-based background check for every person with unescorted logical or physical access to CJI systems.
05 · Governance & Compliance
Use FIPS 140-2 / 140-3 validated modules across the stack
All cryptography — at rest, in transit, and for key custody — must use FIPS-validated modules on the NIST CMVP list.
05 · Governance & Compliance
Deploy HSM / KMS for model and key custody
Hardware Security Module (or FIPS-validated KMS equivalent) for signing keys, artifact keys, and any CJI-derived data keys.
05 · Governance & Compliance
Publish AI use policy and governance model
The agency's AI use policy — what the AI does, what it does not, and how it is overseen — should be published and reviewed.
05 · Governance & Compliance
Document model cards for every deployed model
Model card per model — intended use, training data, known limitations, fairness evaluation, version — published to agency oversight.
05 · Governance & Compliance
Define prohibited uses explicitly
An explicit list of things the AI will not be used for (e.g., autonomous use-of-force, immigration enforcement where prohibited by local law).
05 · Governance & Compliance
Maintain a public-records / FOIA disclosure workflow
Inference outputs, logs, and supporting evidence are subject to public-records requests — build the disclosure path before you need it.