The National Institute of Standards and Technology (NIST) offers a wealth of resources to assist Chief Information Security Officers (CISOs) and security managers in protecting their technologies. Two notable frameworks from NIST, the NIST Cybersecurity Framework and the NIST Artificial Intelligence Risk Management Framework, focus on addressing cybersecurity risks associated with AI systems. While these frameworks share similarities, they also possess distinct differences that set them apart.
The NIST Cybersecurity Framework (CSF), previously known as the Framework for Improving Critical Infrastructure Cybersecurity, serves as the standard for cybersecurity risk management. Established in response to Executive Order 13636 in 2013, the CSF provides organizations with a structured approach to managing cybersecurity risks and communicating them effectively to executive leadership. Originally released in 2014, the CSF comprised five core functions: Identify, Protect, Detect, Respond, and Recover. In 2024, an updated version of the CSF, known as CSF 2.0, included an additional function—Govern—to enhance organizations’ governance, risk, and compliance (GRC) capabilities and promote a top-down approach to risk management.
In contrast, the NIST Artificial Intelligence Risk Management Framework (AI RMF) was introduced in 2023 with the goal of instilling public trust in the design, development, use, and evaluation of AI technologies and systems. This framework revolves around four key functions: Govern, Map, Manage, and Measure, which aim to establish GRC capabilities specifically tailored to AI systems. While the CSF and AI RMF share overarching objectives, the AI RMF has a narrower focus on the development of AI software and is designed to support activities such as design, deployment, testing, evaluation, verification, and validation of AI systems.
Despite their differences, both frameworks offer organizations a flexible way to manage cybersecurity risks effectively. Many organizations find value in implementing both the CSF and AI RMF together to cover a comprehensive range of risks. The integration of these frameworks can be facilitated by focusing on the governance functions outlined in each framework and aligning them with the organization’s risk management strategies.
For CISOs and security managers looking to utilize these frameworks collaboratively, establishing a small committee to address technology risks on a recurring basis can serve as a practical starting point. This committee can leverage templates to identify, assess, and manage risks associated with AI systems, considering unique cybersecurity challenges such as deepfakes, data leaks, and AI hallucinations. By mapping AI systems to identified risks and implementing mitigation strategies, organizations can enhance their overall cybersecurity posture and ensure effective risk management.
In conclusion, the NIST CSF and AI RMF offer valuable resources for organizing and communicating technology risk portfolios, particularly in the context of AI systems. While implementing these frameworks together may seem daunting, leveraging a dedicated team of professionals can simplify the process and tailor risk management strategies to fit the organization’s specific needs. By harnessing the guidance provided by these NIST frameworks, organizations can navigate the complex landscape of cybersecurity risks associated with AI technologies with confidence and efficiency.