
On April 3, 2025, NIST hosted a Cybersecurity and AI Profile Workshop at our National Cybersecurity Center of Excellence (NCCoE) to hear feedback on our concept paper, which presented opportunities to create profiles of the NIST Cybersecurity Framework (CSF) and the NIST AI Risk Management Framework (AI RMF). These profiles would support the cybersecurity community as organizations adopt AI for cybersecurity, defend against AI-enabled cybersecurity attacks, and protect the AI systems they adopt to support their business. Stay tuned for the soon-to-be-released Workshop Summary Report!
What about Implementation Guidelines?
Community Profiles are an important first step. We’ve also heard strong demand (and opportunity) for NIST to concurrently provide practical implementation guidelines to help organizations achieve the outcomes in the Cyber AI profile. By working these efforts simultaneously, the profile development can inform implementation guideline development, and vice versa.
Both federal agency stakeholders and private sector stakeholders have identified such a need for practical implementation guidelines to help improve the cybersecurity of AI systems. Following on the feedback not to reinvent the wheel, NIST intends to fully leverage existing cybersecurity Frameworks and technical guidelines (specifically the Security and Privacy Controls) to develop a series of use case-focused, threat-informed cybersecurity control overlays.
A control overlay is a set of NIST SP 800-53 controls designed and tailored to address specialized requirements, technologies, or unique missions or environments of operation. In contrast to Community Profiles and the Frameworks that leverage them, the SP 800-53 controls are generally more detailed and geared toward specific implementations.
Rather than a general cybersecurity and privacy control overlay for all AI, we see that there is a critical need for more implementation-focused and use-case specific overlays to cover the different types of AI systems, specific components, and users. This is because:
- In many respects, the cybersecurity and privacy controls needed to manage risk to AI systems and components are no different from those required for any type of software; there is no need to rehash or reiterate these controls.
- Not every organization will be developing AI; many will just be users. In these cases, scoping the needs for the intended user will ensure lightweight and modular solutions that organizations can pick from to use alone or in different combinations to meet their unique needs.
- The focus of these overlays should be based solely on the controls that require unique implementation considerations and address AI-specific risks.
The foundations of building a use-case focused set of control overlays already exist in NIST guidelines:
NIST will develop control overlays that are responsive to stakeholders’ calls to build on existing Frameworks and guidelines, and also demonstrate how our broad portfolio can be used seamlessly together to improve cybersecurity risk management practices.
Plans for NIST’s Future Work at the Intersection of Cybersecurity and AI:
To complement the efforts mentioned above, NIST may conduct research and work with the community to:
- Identify, develop, and seek public comment on additional high-level overlay use cases for organizations developing AI and using AI.
- Set up a Community of Interest (COI) for AI Control Overlays to ensure ongoing engagement.
- Continue to receive ideas and feedback from the cybersecurity and AI community every step of the way – through the COI, workshops, and other mechanisms.
- Share progress and details about what we’re up to.
We hope you will join us and contribute your feedback on this exciting new work; NIST welcomes your feedback and participation!