The National Institute of Standards and Technology (NIST) is developing a new “Community Profile” based on the NIST Cybersecurity Framework (CSF) that will provide guidance on the cybersecurity risks related to AI development and use.
A Community Profile is guidance for a specific community that is organized around the common taxonomy of NIST’s CSF. The new “Cyber AI Profile” will support the cybersecurity community as it adopts AI for cybersecurity and explores the cybersecurity of AI.
“We’re developing what we call the ‘Cyber AI Profile,’ which is a Cybersecurity Framework profile for AI,” Kat Megas, the program manager for cybersecurity, privacy, and AI at NIST, said on Wednesday at the Public Sector Cyber Risk Conference hosted by Qualys and GovExec.
“What we proposed, and what we held a workshop on and have heard feedback on, is that it would be helpful to the community to see a profile for AI based on the Cybersecurity Framework,” she added.
NIST held a workshop on April 3 at its National Cybersecurity Center of Excellence (NCCoE) to hear feedback on the proposed idea of creating the Cyber AI Profile. Last week, NIST announced it was moving forward with the new profile in a blog post co-authored by Megas and Victoria Yan Pillitteri, the manager of the Security Engineering and Risk Management Group at NIST.
At last month’s workshop, Megas said that “transparency was one of the key takeaways” NIST heard from the cybersecurity leaders and professionals during the breakout sessions.
“The one thing holding them back from adopting, even just adopting AI in cybersecurity, was that need for transparency and that need to kind of understand how was that model trained … what are the different components,” Megas said. “So again, I think hopefully the Cyber AI Profile as we work on it over the next couple of months is going to identify the importance of this.”
Megas encouraged members of the audience at Wednesday’s event to sign up for NIST’s Community of Interest (COI) on the Cyber AI Profile to provide additional feedback.
“We’ve already had the workshop. The plan going forward, though, is to hold Community of Interest meetings,” Megas said. “Hopefully we can hold those every couple of weeks [or] monthly.”
Megas said that stakeholders have asked NIST to avoid its usual approach of holding a workshop, going quiet for several months, and then releasing a draft for public comment. Instead, NIST plans to hold regular COI meetings to share updates as it develops the Cyber AI Profile and keep the process transparent.
“What we’re hoping to do is have these community events as meetings at regular intervals, kind of previewing and socializing content as we’re able to develop it, and then invite feedback from the community, flushing out things such as community priorities,” Megas said.
She also noted that NIST is interested in public comment on high-level overlay use cases for organizations developing AI and using AI. Control overlays are a set of NIST SP 800-53 controls designed and tailored to address specialized requirements, technologies, or unique missions – similar to a profile, but more technical.
“If you are interested and you think there’s value in NIST looking at creating overlays for AI, one thing we’re looking at is making those practical and being use case-specific,” Megas said. “We need to hear from the community because hearing from the community is a real driver for our work. We only want to work on things that are useful for the community. So, please do let us know.”
While NIST won’t be able to work on all of the use cases, Megas explained the agency wants to know which use cases are the most important and which ones it should focus on first for the overlays.
“We’re really excited to kick off this effort on developing overlays for AI,” Yan Pillitteri said during a different session at Wednesday’s event. “We issued a blog post last week announcing this effort, that will be scaled up with a Community of Interest, and we want to hear from stakeholders like you. What are those major use cases that you are interested in?”
“Aside from efforts like that, I’m really excited for this summer where we plan to announce some big, big efforts through our National Cybersecurity Center of Excellence on how do we empower risk management,” Yan Pillitteri teased.
While she did not offer details on the coming changes, Yan Pillitteri explained, “the Risk Management Framework, the 800-53 controls aren’t going to go away, but they’re going to adapt to meet the current needs.”
“And we’re going to continue to bring additional resources to address the training, the issues of understanding the culture and the value of risk management,” she said. “So, it’s adapting the good stuff we have and coming up with some new innovative ways to reach our customer base.”