Navigating NIST’s New Cybersecurity AI Frontier

Navigating NIST’s New Cybersecurity AI Frontier

Navigating NIST’s New Cybersecurity AI Frontier

https://www.govtech.com/blogs/lohrmann-on-cybersecurity/navigating-nists-new-cybersecurity-ai-frontier

Publish Date: 2026-07-05 05:13:00

Source Domain: www.govtech.com

Author:

Using an unordered list, summarize the following article with between 4 and 8 key points.

Over the past several years, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) (now at version 2.0) has been a primary framework used by federal, state and local governments and the private sector regarding best practices and actions needed to address system risk for cybersecurity programs across the country.But recent developments in AI and quantum computing are changing the risk paradigm while redefining what steps must be taken by enterprises to address this new normal.As Chuck Brooks recently wrote for Forbes, in what he calls “the acceleration era,” there is a need to focus on five strategic pillars to increase resilience and trust. Adaptive Risk ManagementResilience via DesignTrust-Centered GovernanceCrypto-Agility and Quantum ReadinessHuman Capital and CollaborationNIST UPDATES AND ROAD MAPThere has been extensive work this spring to bring updates to NIST guidance. These updates are outlined in detail at this website, which focuses on its new “Cyber AI Profile” based on the CSF.The website describes this new update this way:“Discussions with many in the cybersecurity community strongly suggest that there would be value in developing guidance based on the CSF to address the cybersecurity risks related to AI development and use. Thus, NIST through the National Cybersecurity Center of Excellence (NCCoE) is considering developing a Community Profile that is based on the CSF for the domain of ‘cybersecurity of AI and AI for cybersecurity’ (a ‘Cyber AI Profile’).”The diagram below shows the steps in the process and outlines the steps to come. Opportunities for public comment are included, and more drafts will be coming.

NIST CHANGES IN THE NEWSThe Federal News Network recently wrote this about the NIST Cyber Center process and changes to incorporate AI guidance:“The National Institute of Standards and Technology expects to advance high profile standards work around a ‘Cyber AI Profile’ and securing artificial intelligence agents this summer, amid a flurry of federal activity aimed at addressing both the risks and opportunities for AI and cybersecurity.“NIST’s National Cybersecurity Center of Excellence (NCCoE) is now running six distinct projects focused on the intersection of AI and cyber. But Cherilyn Pascoe, director of the NCCoE, said AI is popping up across the center’s work, which focuses on practical guidance to advance secure technologies in collaboration with government agencies, industry and academia.“‘I think AI is going to be part, if not a leading part, of every project going forward at the center,’ Pascoe said in an interview. ‘It is becoming so foundational to cybersecurity.’“Recent advancements in AI models like Anthropic’s Claude Mythos have shown the ability to quickly find software vulnerabilities and create cyber exploits much faster than humans.“President Donald Trump earlier this month signed an executive order aimed at addressing those risks. The Cybersecurity and Infrastructure Security Agency subsequently released an AI-focused, governmentwide directive for agencies to prioritize the highest risk software vulnerabilities.”In addition, NIST published this blog post with reflections from the second NIST Cyber AI Profile Workshop:“During workshop discussions, participants expressed support for the development of the Cyber AI Profile and appreciated that it is filling gaps in much needed guidance. Participants emphasized the need for both enterprise risk management and implementation level resources, especially to benefit smaller organizations or organizations overwhelmed with addressing strategic adoption, integration, and use of AI (while continuing operational cybersecurity risk management activities). Below are some key themes we heard from participants during the workshop [see the blog post for more details on each item]:Agentic AI: Agentic AI may require special considerations with respect to all three Focus Areas outlined in the Profile (and more agentic AI examples need to be included).Longevity of Profile and Innovation: Participants requested that the Profile not include guidelines that are too specific.Need for Consistent AI Taxonomy: Participants stated that the Cyber AI Profile is on track to provide a consistent, industry-agnostic AI taxonomy that will enable organizations across industries to communicate clearly about a wide range of AI topics.Use Cases: Participants said that it would be helpful to include use cases (e.g., operational technology (OT) cybersecurity) and illustrative examples in the Profile.Ideas for Enhancing the Usability of the Profile: Participants suggested creating a more flexible format for filtering the profile (i.e., workbook) as well as providing a machine-readable format and increasing the use of hyperlinks.AI Governance and Accountability: AI governance remains top of mind and current approaches are varied.Guidelines on Testing and Evaluation: Participants voiced a common challenge in testing and managing AI systems and tools. Performance metrics, certifications, and benchmarking were discussed as means to support AI system testing and evaluation.Cybersecurity’s Role in Trustworthiness of AI Decisions: Participants highlighted how cybersecurity can help with challenges in adopting AI.Transparency, Integrity, and Accountability: Participants mentioned that considerations in the Profile should highlight the need to enhance transparency and accountability to support cybersecurity objectives.Continued Need for Human-in-the-Loop for Cybersecurity: Participants expressed that human-in-the-loop (HITL) processes and training remain critical at this time in AI adoption.”This video also describes ongoing activities with NIST and AI.

FINAL THOUGHTSThere was always an expectation that the NIST CSF would evolve over time, as has been the case moving from the initial version to version 2.0.However, developments in AI and quantum computing are accelerating the need for rapid updates and new thinking regarding risk mitigation.Knowledge of, and participation in, these Cyber AI Profile working groups, as well as commenting on draft updates, is a good use of time for state and local government professionals who want to continue to stay current with relevant guidance and best practices.