{"id":36529,"date":"2026-05-12T19:36:08","date_gmt":"2026-05-12T19:36:08","guid":{"rendered":"https:\/\/www.europesays.com\/ai\/36529\/"},"modified":"2026-05-12T19:36:08","modified_gmt":"2026-05-12T19:36:08","slug":"heres-how-nist-is-teeing-up-guidance-for-securing-ai","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/ai\/36529\/","title":{"rendered":"Here\u2019s how NIST is teeing up guidance for securing AI"},"content":{"rendered":"<p>Launched some 20 years ago, the National Institute of Standards and Technology\u2019s information security standard set a go-to benchmark for organizations to secure IT systems and data. Today, NIST\u2019s Special Publication <a href=\"https:\/\/csrc.nist.gov\/pubs\/sp\/800\/53\/r5\/upd1\/final\" rel=\"nofollow noopener\" target=\"_blank\">800-53<\/a> endures as not just the foundational controls to which all federal agencies must adhere, but in combination with NIST\u2019s <a href=\"https:\/\/www.nist.gov\/cyberframework\" rel=\"nofollow noopener\" target=\"_blank\">Cybersecurity Framework<\/a>, as the common lexicon and baseline for information security across industries.<\/p>\n<p>The introduction of AI into cybersecurity raises many questions about potential new uses and vulnerabilities, the best ways to adopt and key considerations for ensuring continued security. 
These questions, and plenty of others, are all focus areas for NIST as the agency works to provide practical and impactful guidance for organizations looking to integrate AI into their cybersecurity arsenal.<\/p>\n<p>\u201cAt NIST, whenever we look at a new space and when we look at what can we do here, we always start by engaging with the community and talking to the community about how we can help,\u201d said Kat Megas, NIST program manager for cybersecurity, privacy and AI.<\/p>\n<p>By consulting the user community, Megas got a clear signal for emerging requirements.<\/p>\n<p>\u201cI asked a lot of CISO community colleagues as I was able to engage \u2014 whether it be in roundtables or in different discussions at different conferences \u2014 would it be helpful if NIST would do something like use the Cybersecurity Framework, which is a tool you\u2019re all already familiar with, to create this common taxonomy? Would it be helpful for these different references that are out there, whether they be standards or other NIST guidelines, to have those mapped back to this common framework that we all broadly already use?\u201d Megas said. \u201cAnd the feedback from the community was a resounding yes.\u201d<\/p>\n<p>Building the blueprint\u2026from the existing blueprint<\/p>\n<p>It was clear there\u2019s no need to start from scratch when it comes to NIST guardrails on AI security. Instead, agency leaders are working to develop overlays for NIST 800-53, reviewing the entire catalog to identify and highlight key controls for adoption or adaptation to secure AI systems. 
The goal is for agencies to leverage the overlays as guidance for implementing AI security.<\/p>\n<p>Moreover, NIST is looking at the Cybersecurity Framework to help build out a Cyber AI profile that helps agencies recognize the opportunities, risks and impact of AI on their cybersecurity \u2013 and to develop strategies accordingly.<\/p>\n<p>Early on in NIST\u2019s efforts to understand and evaluate the impact of AI, there were three areas that emerged as priorities for addressing risk and impact: cybersecurity of AI systems, AI-enabled cyber defenses and AI-enabled cyberattacks.<\/p>\n<p>Megas said her engagement with the CISO community revealed a couple of recurring themes in the feedback she was getting. First, CISOs are highly concerned about AI\u2019s effects on their cybersecurity, but struggle to balance their day-to-day demands against digging into specific best practices, plans and strategies. Second, data and discussion around AI and cybersecurity are voluminous, but the lack of a common lexicon further complicates CISOs\u2019 ability to interpret and relate that information back to their respective cybersecurity strategies.<\/p>\n<p>\u201cWhen you think about the Cybersecurity Framework profile for AI, I would think of it as more of a strategy, a planning document,\u201d Megas said. \u201cI talk about CISOs because I often think CISOs look at, how do I allocate my resources? How should I be thinking about integrating and communicating about my cybersecurity strategy?\u201d<\/p>\n<p>Charting a clear path through AI\u2019s noise and complexity<\/p>\n<p>The CISO perspective helped clarify needs and better frame the potential solutions.<\/p>\n<p>\u201cThis is where the CSF and the Cyber AI profiles help a lot. It helps you with assessing internally: Is my strategy focused on the right things? Should I be focusing on other things? 
Do I need to be looking at integrating tools into my portfolio of what I\u2019m doing to manage cybersecurity?\u201d Megas said.<\/p>\n<p>For NIST, the vision among those working on developing these critical frameworks and guidelines is that they complement each other and provide a familiar path forward as organizations plan for adopting AI for cybersecurity.<\/p>\n<p>By providing the guidance, use cases and essential considerations \u2013 think priorities around trust, risk-mapping and metrics \u2013 Megas hopes to provide a playbook of sorts.<\/p>\n<p>\u201cFrom a federal agency perspective, I think usage of those overlays coming out of this effort and seeing agencies adopt and use those is paramount,\u201d Megas said. \u201cSomething that I anticipate and hopefully would be of use\u2026would be to get feedback from federal agencies on how to evolve it, how we might need to add additional considerations to it after they\u2019ve been using it for a while. It\u2019s also very non-sector specific, so I\u2019d say we\u2019ve been successful if different sectors pick up the profile and adapt it for, let\u2019s say, financial use cases or healthcare use cases. I think those two together would be my measurement, looking back a year from now, of how successful we\u2019ve been.\u201d<\/p>\n<p class=\"article-copyright\">Copyright<br \/>\n                            \u00a9\u00a02026 Federal News Network. All rights reserved. 
This website is not intended for users located within the European Economic Area.\n                    <\/p>\n","protected":false},"excerpt":{"rendered":"Launched some 20 years ago, the National Institute of Standards and Technology\u2019s information security standard set a go-to&hellip;\n","protected":false},"author":2,"featured_media":36530,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[24,22891,22892,25,22893,3805,22894,22895,22896,22897],"class_list":{"0":"post-36529","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-ai","8":"tag-ai","9":"tag-ai-augmented-cyber-defenses","10":"tag-ai-informed-cybersecurity","11":"tag-artificial-intelligence","12":"tag-katerina-megas","13":"tag-nist","14":"tag-nist-800-53","15":"tag-nist-cybersecurity-framework","16":"tag-tanium-federal","17":"tag-tanium-federal-autonomous-it"},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/posts\/36529","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/comments?post=36529"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/posts\/36529\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/media\/36530"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/media?parent=36529"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/categories?post=36529"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/
\/www.europesays.com\/ai\/wp-json\/wp\/v2\/tags?post=36529"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}