NIST Expands AI Security Guidance with New Cybersecurity Framework Profile

Key Takeaways

  • The National Institute of Standards and Technology (NIST) has released a draft of the Cybersecurity Framework Profile for Artificial Intelligence to help organizations manage AI-related cybersecurity challenges.
  • The profile focuses on three areas: "secure," "defend," and "thwart," which cover managing AI systems securely, using AI to improve cyber defense capabilities, and blocking AI-powered cyberattacks.
  • The document provides AI-specific considerations for every item in the Cybersecurity Framework, covering topics such as intrusion detection, supply chain security, and vulnerability identification and remediation.
  • NIST is seeking public comments on the draft through January 30 and plans to hold a virtual workshop on January 14.
  • The AI-specific CSF profile is part of NIST’s ongoing efforts to provide guidance on managing the benefits and drawbacks of AI, including the release of an AI Risk Management Framework and a generative AI profile.

Introduction to the Cybersecurity Framework Profile for Artificial Intelligence
The National Institute of Standards and Technology (NIST) has prepared a companion to its widely used Cybersecurity Framework that focuses on how organizations can safely use Artificial Intelligence (AI). The Cybersecurity Framework Profile for Artificial Intelligence, released in draft form, describes how organizations can manage the cybersecurity challenges of different AI systems, improve their cyber defense capabilities with AI, and block AI-powered cyberattacks. The document maps components of the Cybersecurity Framework (CSF) onto specific recommendations in each of these three areas, which NIST has dubbed "secure," "defend," and "thwart," respectively. This profile is designed to help organizations implement the CSF’s activities with respect to all three categories of AI concerns.

Understanding the Three Focus Areas
According to Barbara Cuthill, one of the profile’s authors, the three focus areas reflect the fact that AI is entering organizations’ awareness in different ways. However, every organization will have to deal with all three areas eventually. The "secure" area focuses on managing AI systems securely, the "defend" area focuses on using AI to improve cyber defense capabilities, and the "thwart" area focuses on blocking AI-powered cyberattacks. The profile lists AI-specific considerations for every item in the CSF, covering everything from intrusion detection to supply chain security to vulnerability identification and remediation. This comprehensive approach will help organizations understand, examine, and address the cybersecurity concerns related to AI and thoughtfully integrate AI into their cybersecurity strategies.

Development of the AI Profile
NIST drafted the document in consultation with a community of more than 6,500 people who submitted ideas for how to map AI considerations onto the CSF. The agency is now seeking public comments on the draft through January 30 and plans to hold a virtual workshop on January 14. This collaborative approach ensures that the profile is informed by a wide range of perspectives and expertise, and that it meets the needs of organizations seeking to manage AI-related cybersecurity challenges. The public comment period and virtual workshop will provide opportunities for further input and feedback, helping to refine the profile and ensure its effectiveness.

Expansion of Existing Guidance
The AI-specific CSF profile is NIST’s latest publication focused on helping organizations manage AI’s benefits and drawbacks. In 2023, the agency released an AI Risk Management Framework, and in 2024 it released a generative AI profile for the framework. In August, NIST published a document intended to help organizations secure their AI systems using the agency’s existing and widely adopted security controls catalog. These publications demonstrate NIST’s ongoing commitment to providing guidance on managing the benefits and drawbacks of AI. Multiple presidents have tasked NIST with developing security guidance for AI, including President Joe Biden, who ordered NIST to publish standards for AI security testing and synthetic content, and President Donald Trump, who rescinded some of those directives and added others, including instructions for NIST to help other agencies evaluate their AI models.

Conclusion and Future Directions
In conclusion, the Cybersecurity Framework Profile for Artificial Intelligence is an important resource for organizations seeking to manage AI-related cybersecurity challenges. The profile provides a comprehensive and structured approach to addressing the cybersecurity concerns related to AI, and its development reflects NIST’s ongoing commitment to providing guidance on managing the benefits and drawbacks of AI. As AI continues to evolve and become increasingly integrated into organizations’ operations, the need for effective cybersecurity measures will only continue to grow. The AI-specific CSF profile is an important step in this direction, and its release is a significant development in the ongoing effort to ensure the safe and secure use of AI.
