The National Institute of Standards and Technology has prepared a companion to its widely used Cybersecurity Framework that focuses on how organizations can safely use AI.
NIST’s Cybersecurity Framework Profile for Artificial Intelligence, which the agency released in draft form on Tuesday, describes how organizations can manage the cybersecurity challenges of different AI systems, improve their cyber defense capabilities with AI and block AI-powered cyberattacks. The document maps components of the Cybersecurity Framework (CSF) onto specific recommendations in each of those three areas, which NIST dubbed “secure,” “defend” and “thwart,” respectively.
“The three focus areas reflect the fact that AI is entering organizations’ awareness in different ways,” Barbara Cuthill, one of the profile’s authors, said in a statement. “But ultimately every organization will have to deal with all three.”
The AI profile is designed to help organizations implement the CSF’s activities with respect to all three categories of AI concerns. It lists AI-specific considerations for every item in the CSF, covering everything from intrusion detection to supply chain security to vulnerability identification and remediation. In its announcement, NIST said the document “offers insights to help organizations understand, examine and address the cybersecurity concerns related to AI and thoughtfully integrate AI into their cybersecurity strategies.”
NIST drafted the document in consultation with a community of more than 6,500 people who submitted ideas for how to map AI considerations onto the CSF. The agency is now seeking public comments on the draft through Jan. 30. It plans to hold a virtual workshop on Jan. 14.
Expansion of existing guidance
The AI-specific CSF profile is NIST’s latest publication focused on helping organizations manage AI’s benefits and drawbacks. In 2023, the agency released an AI Risk Management Framework, and in 2024 it released a generative AI profile for the framework. In August, NIST published a document intended to help organizations secure their AI systems using the agency’s existing and widely adopted security controls catalog.
Multiple presidents have tasked NIST with developing security guidance for AI. President Joe Biden ordered NIST to publish standards for AI security testing and synthetic content. President Donald Trump has rescinded some of those directives and added others, including instructions for NIST to help other agencies evaluate their AI models.