"I still believe that traditional cybersecurity standards are still valuable, and they’re applicable here … There is a lot of guidance in the cybersecurity space … the NIST Cybersecurity Framework 853 … they all enable agencies to think strategically and make informed decisions from foundational cybersecurity frameworks," said Cheri Pascoe, setting the tone for a recent discussion about how artificial intelligence is reshaping — and not reshaping — federal cybersecurity practice.
Cheri Pascoe on emergent AI risks
Cheri Pascoe, Director of the National Cybersecurity Center of Excellence at NIST, framed AI not as a single problem but as a set of new attack surfaces layered over existing ones. Pascoe identified several specific vectors she sees as among the "largest impacts" of AI on cybersecurity: new Zero Day attacks and emerging threats, unforeseen supply chain vulnerabilities, rapid sophistication of identity access and management threats such as spoofing and deep fakes, and the introduction of agentic AI and its ability to self-authenticate. Those enumerated risks place stress on detection, attribution, and trust models that many agencies already rely on.
Kynan Carver on defensive opportunities
Kynan Carver, Vice President, Cybersecurity at Maximus, counseled a complementary view: AI introduces novel risks but also generates concrete defensive leverage. Carver pointed to AI’s potential to enhance cybersecurity by improving compliance and governance workflows, strengthening threat detection, reducing alert fatigue, and facilitating secure software development. In his framing, AI tools can augment human teams and processes even as adversaries explore new capabilities.
NIST Cybersecurity Framework 2.0 and Framework 853
Pascoe is leading a revision of the NIST Cybersecurity Framework to a 2.0 version intended to reflect "our rapidly changing technology environment." She emphasized that the revision does not discard existing standards; rather, it builds on them. Pascoe referenced the body of guidance in the cybersecurity space and cited the "NIST Cybersecurity Framework 853" as an enabling set of materials that help agencies think strategically and make informed decisions from foundational cybersecurity frameworks. The message from NIST’s senior center official: update and adapt, but preserve the strategic value of established frameworks.
Zero Trust, cyber hygiene, and federal implementation
Carver tied these ideas to operational posture when he described the federal pivot to Zero Trust as a move toward "a proactive defense posture." He argued that the standards NIST is producing will assist agencies in achieving that posture. Carver reiterated a simple, recurrent theme: "good cyber hygiene, good cyber practices are still fundamental and necessary to prosecute the operation and also maintain standardization across the federal government as these technologies are fully implemented." In short, Zero Trust and baseline hygiene remain the scaffolding on which agencies will layer AI-driven capabilities and protections.
What this means for technologists, policymakers, and federal agencies
- Technologists and security teams: Expect to prioritize detection and mitigation work for the specific AI-related risks Pascoe named — Zero Day discovery, supply chain blind spots, identity spoofing and deep fakes, and the novel problem of agentic AI self-authentication — while piloting AI-driven tools to reduce alert fatigue and accelerate secure development, as Carver suggested.
- Policymakers and standards bodies: The immediate focus is revision and standardization. With Pascoe leading work on the NIST Framework 2.0, regulators and standards designers will be watching how existing guidance such as Framework 853 is extended to address agentic AI and the new threat patterns described in the discussion.
- Federal agencies and procurement officials: Many agencies are "at the beginning of their AI use case evaluation and implementation journey." Pascoe and Carver’s shared prescription — double down on fundamentals, apply established frameworks, and follow Zero Trust requirements — gives agencies a staged strategy for adopting AI without abandoning established controls.
The net of the conversation is a disciplined one: treat AI as both a source of risk and a tool, but do not let the novelty of AI displace core practices. Pascoe’s effort to update the NIST Cybersecurity Framework, paired with Carver’s operational emphasis on Zero Trust and hygiene, presents a clear next step for the federal enterprise. How the revised Framework 2.0 will reconcile guidance on agentic AI self-authentication and the specific emergent risks Pascoe listed remains a concrete, named task the federal community must resolve.




