Compliance Officer, Enterprise Architect, CISO
Industry relevance: Financial Services, Government, Healthcare
MAY 8, 2026
NIST now explicitly includes AI systems in its National Checklist Program — meaning AI tooling without a configuration baseline is a named compliance gap.
NIST published the final SP 800-70 Revision 5 on May 8, 2026 via CSRC, updating the National Checklist Program for IT Products. Revision 5 introduces expanded coverage for cloud platforms, IoT, and AI systems; enhanced mapping to NIST CSF 2.0 outcomes and SP 800-53 controls; explicit support for automated checklist formats; and detailed guidance for tailoring checklists to stand-alone, enterprise, and legacy environments. The document is intended for both checklist users and developers who participate in the National Checklist Program.
GOVERNANCE IMPLICATION
The explicit expansion to AI systems brings AI tooling into scope for organizations subject to FISMA or FedRAMP-aligned audit processes. Configuration baselines for AI deployments are now a named expectation in federal compliance conversations, not an emerging concern. Governance Debt accumulates when AI deployments proceed without a defined configuration baseline — SP 800-70r5 is the document that makes that baseline a formal National Checklist Program obligation.
SCENARIO
A federal contractor's compliance team is preparing a System Security Plan update for a FISMA-required contract. SP 800-70r5 is published with AI systems now explicitly in scope for the National Checklist Program. During the SSP review, the contracting officer asks which NCP checklist was used to validate the AI-assisted document processing tool deployed six months earlier. The compliance team has no answer because AI tools were not considered in-scope for configuration baseline compliance when the tool was deployed.
THE GOVERNANCE QUESTION
Has your AI tooling deployment been assessed against a named configuration baseline, and if not, what is the documented rationale?
CONTROL GAP
Enterprise AI deployments routinely occur without a defined configuration baseline because AI systems have historically been outside the scope of configuration management frameworks. SP 800-70r5 creates a named program obligation that most organizations are not yet tracking.
REGULATORY RELEVANCE
NIST AI RMF
FFIEC
PRIMARY SOURCE
Final NIST SP 800-70r5 is available
NIST Computer Security Division
May 8, 2026
MAY 4, 2026
Compliance
NIST published SP 800-234 final on May 4, 2026 via CSRC, introducing a High-Performance Computing security overlay built on the NIST SP 800-53B moderate baseline. The document tailors 60 SP 800-53 security controls with supplemental HPC guidance. The publication explicitly identifies HPC as infrastructure for large-scale simulations, big data analysis, and the training of AI and machine learning models. The audience includes IT security managers, compliance officers, HPC system administrators, and agency program managers responsible for securing HPC environments.
APRIL 14, 2026
Compliance
Microsoft's April 14, 2026 Patch Tuesday addressed CVE-2026-32201, an improper input validation vulnerability in Microsoft SharePoint Server that allows an unauthenticated network attacker to perform spoofing and gain read and write access to sensitive information. The vulnerability is under active exploitation in the wild. CISA added it to the Known Exploited Vulnerabilities catalog on April 14 with a mandatory remediation deadline of April 28, 2026 for Federal Civilian Executive Branch agencies. The same Patch Tuesday release also addressed CVE-2026-33825, a Microsoft Defender elevation of privilege vulnerability rated CVSS 7.8 that was publicly disclosed before the patch shipped.
APRIL 9, 2026
Compliance
NIST released a concept note on April 7, 2026 for an AI RMF Profile on Trustworthy AI in Critical Infrastructure, published on the NIST AI Risk Management Framework page at nist.gov. The profile is intended to guide critical infrastructure operators toward specific risk management practices when engaging AI-enabled capabilities. This represents the first sector-specific extension of the NIST AI RMF 1.0, originally published in January 2023, beyond the 2024 Generative AI Profile that extended coverage to LLMs and agentic systems. Public feedback on the concept note is being solicited.