Defense AI Governance June 17, 2026 · 6 min read

NIST Is Building AI Control Overlays on SP 800-53. The First Use Case Is the LLM on Your Workforce's Browsers.

In August 2025, NIST opened COSAiS — Control Overlays for Securing AI Systems — to extend SP 800-53 with AI-specific controls. The first overlays cover the generative-AI assistant your cleared workforce uses every day, and the controls land on your side of the prompt box.

In August 2025, NIST opened a project most defense and federal contractors still haven't put on their radar: SP 800-53 Control Overlays for Securing AI Systems (COSAiS). The premise is deliberately unglamorous. Instead of inventing a new AI security standard, NIST is extending the control catalog that federal systems already run on. For any organization holding an Authorization to Operate, a FedRAMP authorization, or a CUI obligation that flows from a DoD contract, SP 800-53 is the catalog underneath all of it.

The project is moving. NIST published the concept paper on August 14, 2025, and on January 8, 2026 released an annotated outline (discussion draft) of the first overlay — Control Overlays for Securing AI Systems: Using and Fine-Tuning Predictive AI — ahead of the Cyber AI Profile Workshop #2 on January 14, 2026, with feedback requested by February 13, 2026 to feed the initial public draft. The overlays are coming. The question for the defense industrial base is whether your controls will be ready for the first one that touches your workforce directly.

What COSAiS Actually Is

NIST is not starting from scratch. The overlays leverage SP 800-53 alongside three other NIST artifacts: SP 800-218A (secure software development practices for generative AI and dual-use foundation models), Draft NIST AI 800-1 (managing misuse risk for dual-use foundation models), and NIST AI 100-2e2025 (the adversarial machine learning taxonomy).

The value of an overlay is not novelty. As NIST puts it, control overlays "offer organizations or communities of interest ways to further customize the controls (or control baselines) for a specific technology or type of system, mission space, environment of operation, to meet specific requirements."

That phrase — mission space — is why this matters for defense. NIST isn't asking cleared contractors to learn a new framework. It is tailoring the one they already operate under.

The project scopes five use cases:

Across all five, NIST states the overlays are "focused on protecting the confidentiality, integrity, and availability of information and users." For a defense contractor, "confidentiality of information" is not an abstraction. It is Controlled Unclassified Information, export-controlled technical data, and program-sensitive material.

Why It Lands on the Defense Industrial Base First

SP 800-53 is the federal control catalog. Federal Risk Management Framework authorizations are built on it, FedRAMP baselines are drawn from it, and the CUI protection requirements that flow into DoD contracts trace back to the same control family. NIST itself notes that "many organizations are already implementing SP 800-53 controls and have the institutional processes in place to plan control implementations for their organizations, missions, and systems."

Defense contractors are squarely inside that population. They already maintain 800-53-derived control sets, already undergo assessment against them, and already produce the evidence assessors demand. When NIST publishes an AI overlay, it does not arrive as optional guidance for a greenfield system. It arrives as a tailoring of controls these organizations are already obligated to implement. The lift is not "adopt a new standard." It is "extend an existing, audited control set to cover AI."

The Use Case That Hits Your Workforce

Of the five, the one that touches the most employees on day one is the first: Adapting and Using Generative AI – Assistant / Large Language Model (LLM). NIST's stated purpose for it is plain: "Generative AI creates new content (e.g., text, images, audio, video) based on user prompts by learning from large datasets and identifying patterns in the datasets."

Read that through the lens of a cleared workforce. The "user prompts" are the analyst pasting a passage from a program document into ChatGPT to summarize it, the contracts specialist dropping a draft into Copilot to tighten the language, the engineer asking Gemini to debug code that references a controlled system. Each of those is a generative-AI-assistant interaction — exactly the use case NIST is writing an SP 800-53 overlay for. And each one is a confidentiality decision made at the prompt box, by a human, in a browser, in real time.

The Overlay Will Specify Controls. The Evidence Is the Deployer's Problem.

Here is the gap that exists today, before the generative-AI overlay is even drafted. An SP 800-53 overlay for using generative-AI assistants will, by NIST's own framing, select and tailor controls for the confidentiality, integrity, and availability of information and users at that boundary. In 800-53 terms, that touches control families such as Access Control (AC), Audit and Accountability (AU), and System and Information Integrity (SI) — applied to what your workforce submits to an LLM.

You cannot satisfy an audit-and-accountability control for AI usage with a policy PDF. An assessor will ask: which users sent which data to which AI tool, against which policy, and where is the immutable record? FedRAMP authorizes the cloud service on the far end of the API. It does not capture what your employee typed into it, whether CUI crossed the boundary, or whether the interaction was logged in a form an assessor can review. That evidence has to be generated on your side — at the browser, at the moment of submission.

What to Build Before the Overlay Finalizes

The predictive-AI overlay is already in annotated-outline form; the generative-AI-assistant overlay follows in the same series. The defense contractors who watched CMMC take years from NDAA mandate to enforcement know the pattern: the organizations ready on day one are the ones who built the controls before the assessment requirement was final.

Concretely, that means standing up three things now:

  1. Pre-submission policy enforcement that blocks CUI and program-sensitive data from leaving the browser into any AI tool — sanctioned or not.
  2. A user-attributable, immutable audit trail spanning every AI surface your workforce actually uses, not just the one platform IT approved.
  3. Policy authored in your regulator's language — data classes, retention periods, oversight requirements — rather than the model vendor's internal risk tiers.

Those are the artifacts an SP 800-53 AI overlay will expect you to demonstrate. NIST is telling the federal ecosystem exactly where AI security controls are headed, and it is building them on the catalog you already run on. The overlay will define what you have to prove. The infrastructure to prove it is yours to build.
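As an added example (not NIST's text and not any vendor's code), the Python below ties the three items together: a policy keyed by data class is evaluated before submission, and every decision is appended to a hash-chained log that records user, tool, policy version and a digest of the prompt. The policy contents, marking patterns, field names and sample values are assumptions made for illustration. Hash chaining makes edits and deletions detectable, while actual immutability still depends on write-once storage.

```python
import hashlib
import json
import re

# Hypothetical policy, keyed by data class rather than by vendor risk tier.
# The patterns are illustrative marking checks, not a complete CUI detector.
POLICY = {
    "id": "ai-use-policy", "version": "1",
    "rules": [
        {"data_class": "CUI", "action": "block",
         "pattern": r"\b(CUI|CONTROLLED)(//[A-Z-]+)*\b"},
        {"data_class": "EXPORT_CONTROLLED", "action": "block",
         "pattern": r"\b(ITAR|USML)\b"},
    ],
}
GENESIS = "0" * 64  # "prev" value of the first record in a log

def evaluate(prompt):
    """Return (action, matched data classes) for a prompt before submission."""
    hits = [r["data_class"] for r in POLICY["rules"] if re.search(r["pattern"], prompt)]
    return ("block" if hits else "allow"), hits

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_record(log, user, tool, prompt, ts):
    """Evaluate the prompt and append a hash-chained audit record."""
    action, classes = evaluate(prompt)
    body = {
        "ts": ts, "user": user, "tool": tool,
        "policy": f'{POLICY["id"]}@{POLICY["version"]}',
        "action": action, "data_classes": classes,
        # Store a digest, not the prompt, so the log does not itself hold CUI.
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    log.append({**body, "hash": _digest(body)})
    return action

def verify_chain(log):
    """Return the index of the first broken record, or -1 if the log is intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or _digest(body) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1
```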


Containment.AI enforces AI governance policies at the browser layer in real time — blocking CUI before it leaves the prompt box, producing user-attributable audit trails across ChatGPT, Claude, Copilot, Gemini, and Perplexity, and generating the evidence federal and defense assessors ask for.

Sources: NIST SP 800-53 Control Overlays for Securing AI Systems (COSAiS) — project overview and COSAiS Use Cases, NIST Computer Security Resource Center (updated January 8, 2026).
