SP 800-53 Control Overlays for Securing AI Systems

FAQs

Jump to:

General

What are control overlays for secure AI systems?

Control overlays enable organizations and communities of interest to customize the controls (or control baselines) for a specific technology, system, mission space, and environment of operation. Controls can be selected from the SP 800-53 control catalog, modified to address unique risks or applications, and supplemented to provide application-specific guidance for implementers. The parameter values for assignment and selection operations can also be set.

Using the SP 800-53 controls provides a common technical foundation for identifying cybersecurity outcomes, and developing overlays allows for customization and the prioritization of the most critical controls to consider for AI systems.

What is the difference between the NIST AI RMF and the NIST RMF (SP 800-37)?

The NIST RMF (SP 800-37r2) provides a disciplined, structured, and flexible process for managing security and privacy risk. It is designed to be technology neutral so that the methodology can be applied to any type of information system without modification.

The NIST AI RMF is intended to improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.

Because the security of AI systems is closely intertwined with the security of the IT infrastructure on which they run and operate, the frameworks can be used concurrently.

Am I required to use these overlays for my AI system?

Organizations are not required to use the provided overlays.

The overlays are provided as a resource that can be used as a starting point for cybersecurity considerations for organizations using AI and AI developers.

How often will the AI overlays be updated?

Based on feedback, NIST will start the first use case with the goal of issuing a public draft for comment in early FY26, one use case at a time. A public workshop will also be held in the Q1 FY26 for ongoing stakeholder engagement. Plans for the overlays, working drafts and related topics will discussed as part of a community effort in the NIST AI Overlay Slack Collaboration channel.

Feedback on the overlays can also be sent to [email protected].

AI RMF with COSAIS

Do the AI Overlays support the AI Risk Management Framework Playbook?

The overlays will be designed to address specific risks to different types of AI usage in conjunction with an organization’s cybersecurity risk management program and existing control implementation.

Organizations may utilize the AI RMF Playbook and the Control Overlays for Securing AI Systems by borrowing as many – or as few – suggestions as apply to their industry use case or interests.

NIST RMF with COSAIS

How are SP 800-53 controls applied to an AI system?

The controls needed to manage risks to AI systems and components will be similar to those required for any type of software. Many organizations are already familiar with SP 800-53 controls and have institutional processes in place to plan for and assess their implementation. These controls offer both the flexibility to meet unique requirements and a level of specificity that allows for consistent technical implementation.

Project Links

Overview FAQs Publications

Additional Pages

Overlays Securing AI Systems Slack Collaboration COSAiS Use Cases

Contacts

Control Overlays for Securing AI Systems Project
[email protected]

Group

Security Engineering and Risk Management

Topics

Security and Privacy: controls, risk assessment

Technologies: artificial intelligence

Activities and Products: groups

Related Projects

Cybersecurity and Privacy Reference Tool
NIST Risk Management Framework
OLIR

SP 800-53 Control Overlays for Securing AI Systems COSAiS

Project Links

FAQs

General

AI RMF with COSAIS

NIST RMF with COSAIS

Project Links

Additional Pages

Contacts

Group

Topics

Related Projects

Additional Pages

Contacts

Group

Topics

Related Projects