The cybersecurity landscape must evolve as technology advances to address new challenges and leverage emerging opportunities. At VE3, we recognize that artificial intelligence (AI) and machine learning (ML) introduce unique complexities and prospects in cybersecurity and risk management. The National Institute of Standards and Technology (NIST) has established a robust foundation with its Special Publication 800-53 Revision 5 (800-53r5) and the Risk Management Framework (RMF). However, in the context of AI/ML systems, there are opportunities to refine and extend these frameworks. Below, we outline several areas where NIST’s guidelines could be enhanced to better address the security needs of AI/ML systems.
1. Extending NIST 800-53r5 Controls to AI/ML Systems
NIST 800-53r5 emphasizes access control, traditionally applied to individuals and roles. However, with AI/ML, it is crucial to expand this definition to consider AI models and data entities subject to access controls. Treating models and data as “first-class citizens” would enable more granular control over access. For example, during model training, access controls could ensure that only isolated and protected data is used, minimizing risks such as data breaches or unintended exposure. This refinement would align with the principle of least privilege, which is foundational to NIST’s guidelines, but extend it to cover the full lifecycle of AI/ML systems, from data collection to model deployment.
2. Bridging Gaps Between Map, Measure, and Manage Phases in NIST RMF
The NIST RMF outlines the Map, Measure, and Manage phases, providing a comprehensive approach to risk management. However, there is an opportunity to enhance the framework by better defining the interfaces and orchestration between these phases. For instance, clearer communication protocols between the Map phase (identifying and categorizing information systems) and the Measure phase (assessing and measuring risk) could enable more seamless and automated processes. This is particularly important for compliance with regulations like the EU AI Act, which requires robust risk management frameworks. Standardizing these interfaces could help organizations automate RMF processes more effectively, reducing manual intervention and improving overall efficiency.
3. Leveraging Generative AI for Automated Orchestration of Cybersecurity Controls
Integrating generative AI (GenAI) into cybersecurity control orchestration could be transformative. GenAI could automate responses to identified vulnerabilities, such as applying appropriate controls in the Manage phase once a risk is detected in the Measure phase. There should be a standardized language for reports generated during each RMF phase to support this. This standardization would enhance the effectiveness of GenAI, using techniques like Retrieval-Augmented Generation (RAG) and function-calling APIs to streamline the automation process. Automating the orchestration of cybersecurity controls improves response times and ensures consistency and adherence to established security policies.
4. Developing a Comprehensive Catalog of Cyber Attacks and Defence Mechanisms
While NIST provides general guidance on cybersecurity, it does not specifically address particular cyber-attacks and their corresponding defence mechanisms. Creating a comprehensive catalogue that details specific types of attacks and effective countermeasures would be a valuable resource for organizations. This catalogue could complement NIST’s broader guidelines by offering more actionable and targeted advice on defending against evolving threats. It would also support organizations in developing a more proactive cybersecurity posture, equipped with the knowledge needed to anticipate and mitigate specific risks.
5. Providing Reference Implementations for NIST Controls
Actionable guidance is needed to enhance the usability of NIST guidelines, such as reference implementations of the APIs required to support the Map, Measure, and Manage phases of the RMF. Additionally, providing APIs for implementing specific NIST controls would offer practical tools that organizations can use to align more closely with NIST recommendations. Reference implementations would bridge the gap between theoretical frameworks and practical applications, enabling organizations to adopt and integrate NIST guidelines into their cybersecurity practices more easily.
Conclusion
VE3 is committed to advancing cybersecurity frameworks to meet the needs of evolving technologies. By identifying the gaps outlined above and proposing innovative solutions, we strive to contribute to a more secure and resilient future for AI/ML and other emerging technologies. These suggestions begin our efforts to refine our strategies and support the wider cybersecurity community. Through ongoing collaboration and innovation, we believe we can strengthen the security of AI/ML systems and create a safer digital landscape. Contact VE3 or explore our expertise in developing responsible,& effective AI and cybersecurity solutions that make a difference.