This is the fourth blog in a series of Covington blogs on cybersecurity policies, executive orders (“EOs”), and other actions of the new Trump Administration. This blog describes key cybersecurity developments that took place in May 2025.
CISA Releases AI Data Security Guidance
On May 22, the Cybersecurity and Infrastructure Security Agency (“CISA”), which sits within the Department of Homeland Security (“DHS”), released guidance for AI system operators regarding managing data security risks. We wrote about the guidance here.
The associated press release explains that the guidance provides “best practices for system operators to mitigate cyber risks through the artificial intelligence lifecycle, including consideration on securing the data supply chain and protecting data against unauthorized modification by threat actors.” CISA published the guidance in conjunction with the National Security Agency, the Federal Bureau of Investigation, and cyber agencies from Australia, the United Kingdom, and New Zealand. This guidance is intended for organizations using AI systems in their operations, including Defense Industrial Bases, National Security Systems owners, federal agencies, and Critical Infrastructure owners and operators. This guidance builds on the Joint Guidance on Deploying AI Systems Security released by CISA and several other U.S. and foreign agencies in April 2024.
The guidance’s stated goals include raising awareness of the potential data security risks of AI systems, providing best practices for securing AI, and establishing a strong foundation for data security in AI systems. The first part of the guidance outlines a set of cybersecurity best practices that are specific to AI systems, after which the guidance provides additional detail on three separate risk categories for AI systems (data supply chain risks, maliciously modified data, and data drift) and describes mitigation recommendations for each risk category. The guidance demonstrates that companies should focus on the security aspects of AI systems as they are being stood up, particularly given the rapid pace of AI adoption.
NIST Drafts Revision to IR 8259: IoT Cybersecurity Guidance
On May 13, NIST announced the first revision to NIST IR 8259 as well as NIST IR 8572 its workshop summary report. These updates provide timely cybersecurity guidance for the evolving Internet of Things (“IoT”) industry. IoT products have exploded in number in recent years, and they do not fit into traditional categories of information technology. For background, in 2020, Congress passed the Internet of Things Cybersecurity Improvement Act. The legislation tasked NIST with developing cybersecurity guidelines to manage and secure IoT effectively and reviewing its guidance every five years. As part of that review, NIST held two working group sessions over the previous six months and identified three key challenges. NIST then drafted revision 1 of the NIST IR 8259 that incorporated the working group feedback. The proposed draft expands the scope of the guidance from “IoT Devices” to “IoT Products and Product Components” which could include backends, companion applications, and specialty networking hardware. Further, the revision focused on providing guidance to support IoT product cybersecurity through end-of-life. Some of the updates focus on adding guidance “to help manufacturers anticipate product deployment and usage, clarify data management across IoT components, and share enhanced language on lifecycle and support expectations.” Finally, NIST held a public forum discussion on June 18 to discuss the new draft as well as planned updates to NIST SP-213.