Xacta Adaptability When Complying With Both the NIST AI RMF and the Upcoming NIST 800-53 Control Overlays for Securing AI Systems

Olive Santillan
April 7, 2026 • 4 min read

The Unique Nature of the NIST AI RMF

Just over two years ago, NIST released the AI Risk Management Framework (NIST AI RMF), which offers a means to reasonably manage risks that artificial intelligence could pose to individuals, organizations, and society.

While it is a very open framework that the Xacta® development team found relatively easy to parse and organize from a technical compliance standpoint, it does pose some difficulties when aligning it against other regulations an organization may already be complying with on an ongoing basis.

The NIST AI RMF is meant to stand on its own rather than be adopted into an existing, established risk management framework (and rightly so, given that the AI regulatory landscape is in a state of flux). However, the standalone nature of this framework can make its adoption more challenging when an organization already has a deeply entrenched framework in place.

Additionally, the NIST AI RMF includes its own playbook, which provides guidance on achieving outcomes that facilitate dialogue, understanding, AI risk management, and responsible development of trustworthy AI systems.

As the NIST AI RMF was meant to encourage the creative and responsible use of AI, the rigor that regulatory compliance offers is understandably absent. Specific controls are not defined, and a more granular, detailed approach to controlling artificial intelligence is not part of this narrative.

The Flexibility of Xacta Is Key to Both Current and Future Compliance with AI Standards

Thanks to the flexibility of the Xacta platform, the Xacta team has developed a NIST AI RMF workflow template that can:

  • Act as a standalone project, or
  • Be added on as a task to an existing traditional RMF workflow or a custom one.

The Xacta NIST AI RMF workflow template can be used to gather data on the use and management of AI within an organization and serve as a guide for an initial assessment.

In August 2025, NIST released a publication titled SP 800-53 Control Overlays for Securing AI Systems Concept Paper, which discusses how overlays (essentially customized security checklists that supplement existing controls and baselines) can soon be leveraged in tandem with 800-37 and 800-53 workflows.

While this process may not always be that easy or straightforward, the overlays do appear to integrate AI more closely with regulatory rigor and other NIST resources.

The overlays will draw on three key documents:

  • NIST SP 800-218A Secure Software Development Practices for Generative AI and Dual-Use Foundation Models: An SSDF Community Profile
  • NIST AI 800-1 Managing Misuse Risk for Dual-Use Foundation Models (still at its second public draft)
  • NIST AI 100-2 E2025 Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations

These AI overlays will be developed by the Control Overlays for Securing AI Systems (COSAiS) project. The project released a draft annotated outline in January 2026 detailing a sample set of control inclusions, parameters, and tailoring guidance in the typical overlay format.

Xacta’s Native Overlay Functionality: Built for This Use Case

Xacta 360 is well suited to accommodate overlays for tandem compliance with the NIST AI RMF, NIST 800-53, and CNSS 1253. Tailoring, guidance, and parameters established in published overlays such as ePACS, Classified, INT A-B-C, CDS, and Privacy have been used alongside NIST 800-53 and CNSS 1253 Xacta 360 projects from Rev 4 onwards.

Xacta 360 overlays are compatible with both NIST 800-53B and CNSS baselines. Additionally, our overlay functionality is flexible enough to support the use of a full publication, such as NIST 800-161 (Cybersecurity Supply Chain Risk Management (C-SCRM) Practices for Systems and Organizations), as an overlay, since it uses the same control nomenclature as 800-53 (with a handful of exceptions).

The NIST timeline indicates that drafts of the five planned publications in this document series will be released in Q3 of 2026, with the full set available by 2027. The draft outline defined certain initial control and control enhancement inclusions.

Based on the outline, Xacta 360’s overlay functionality can accommodate this series, enabling Xacta customers to use these overlays on their existing assessment projects with ease.

Whether you and your team want to approach AI risk management by starting from the ground up with NIST AI RMF, or supplementing your existing 800-37 framework with the forthcoming NIST AI 800-53 Control Overlays, you can leverage Xacta’s powerful functionality to accelerate compliance related to any AI-powered initiatives and maintain that compliance moving forward.

Olive Santillan
Content Manager, Xacta
Olive Santillan is Content Manager for Xacta at Telos Corporation.