{ "schema_version": "0.1", "srf_version": "1.0", "industry": "defense", "description": "Defense control schema for the CoSAI AI Shared Responsibility Framework. Scoped to DoD components and the defense industrial base (DIB). Maps SRF layers and accountable personas to DoD Responsible AI (RAI) principles, DoDI 5000.90 (AI acquisition), DoDI 5000.89 (TEVV), CMMC 2.0, NIST SP 800-171 Rev 3, NIST AI RMF 1.0, and the DISA Cloud Computing SRG. Controls are parameterized by impact level (IL4/IL5/IL6) and NSS tier (non-nss/nss/both).", "regulatory_context": "DoD AI governance is anchored by the DoD Responsible AI Strategy and Implementation Pathway (June 2022), which established five RAI principles: Responsible, Equitable, Traceable, Reliable, Governable (RETR-G). DoDI 5000.90 (December 2020) requires AI transparency cards and acquisition safeguards; DoDI 5000.89 (November 2021) mandates TEVV planning before operational deployment. CMMC 2.0 (32 CFR Part 170, effective December 2024) governs contractor cybersecurity posture for CUI but does not address AI governance; this schema adds the AI layer CMMC lacks. Cloud deployments require a DISA Provisional Authorization (PA) at the required IL; the CC SRG defines what the CSP must implement. This schema covers the component and contractor side of those splits. IL6 systems operate in classified cloud environments (AWS C2S, Azure Government Secret, Oracle NSR) where commercial paths do not apply.", "id_convention": "SRF-{layer}-{ACQ|TEVV|OPS|OVR}-{seq}", "mapping_status_note": "DoDI section references, CC SRG section numbers, and CMMC practice cross-references marked TBD require verification against primary PDFs and public.cyber.mil before publishing. Do not substitute invented IDs.", "generated": "2026-06-12", "lifecycle_stages": [ "acquisition", "tevv", "ops", "human-oversight-remedy" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "nss_tiers": [ "non-nss", "nss" ], "il_levels": [ "IL4", "IL5", "IL6" ], "responsibility_split_values": { "dod-component": "The DoD component is solely responsible.", "disa": "DISA owns this control through the PA or authorization process.", "contractor": "The defense contractor (DIB member) is solely responsible.", "csp": "The cloud service provider is solely responsible.", "shared": "Responsibility is split; the accountable party must document the split." }, "controls": [ { "id": "SRF-L1-ACQ-001", "layer": "L1", "component": "Governance and Processes", "title": "AI Use Case Registry and CDAO Reporting", "description": "The DoD component must maintain a current registry of all AI systems in development or operation, record each system's operating model, impact level, NSS determination, accountable program manager, and TEVV status, and report to CDAO on the schedule established by the DoD AI Inventory directive. Unregistered systems must be identified and added within 30 days of discovery.", "accountable_persona": "ai-system-governance", "dod_rai_principles": [ "Responsible", "Governable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "acquisition", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [], "mappings": { "dod_rai_strategy": "Governable principle; DoD RAI Strategy Implementation Pathway Section TBD", "dodi_5000_90": "TBD: AI system registration and reporting requirements", "dodi_5000_89": "N/A", "cmmc_2_0": "N/A", "nist_800_171": "N/A", "nist_ai_rmf": "GOVERN 1.1", "cc_srg": "N/A", "owasp_llm": "N/A" }, "threshold": { "metric": "ai_registry_coverage_pct", "description": "Percentage of known production AI systems appearing in the current CDAO-reported registry.", "evidence": { "ocsf_class": "Governance document artifact. Registry publication and update events may map to audit_activity (3002) if the registry system emits SIEM events.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": ">=", "param": "TIER_AI_REGISTRY_COVERAGE_PCT", "param_type": "tier-configurable", "window": "quarterly", "breach_action": "identify-unregistered-systems; notify-program-manager; escalate-to-CDAO" } }, { "id": "SRF-L1-ACQ-002", "layer": "L1", "component": "Governance and Processes", "title": "Responsible AI Officer Designation", "description": "Each DoD component deploying AI systems must designate a Responsible AI Officer (or equivalent role under CDAO guidance) responsible for RAI principle adherence, incident escalation, and annual compliance attestation. The designation must be documented, current, and communicated to CDAO.", "accountable_persona": "ai-system-governance", "dod_rai_principles": [ "Responsible", "Governable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "acquisition", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [], "mappings": { "dod_rai_strategy": "Governable principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "N/A", "nist_800_171": "N/A", "nist_ai_rmf": "GOVERN 1.2", "cc_srg": "N/A", "owasp_llm": "N/A" }, "threshold": { "metric": "rai_officer_designation_current", "description": "Binary: a named RAI Officer (or equivalent) is designated, documented, and has been confirmed active within the prior annual cycle.", "evidence": { "ocsf_class": "Governance document. Designation memo is a static artifact; periodic review events may map to audit_activity (3002).", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "true", "param_type": "verification", "window": "annual", "breach_action": "flag-gap-to-CDAO; initiate-designation-within-30-days" } }, { "id": "SRF-L1-ACQ-003", "layer": "L1", "component": "Governance and Processes", "title": "AI Governance Board with CDAO Oversight Link", "description": "The component must establish an AI Governance Board (or equivalent body) with a defined charter, meeting cadence, quorum requirements, and a documented reporting line to CDAO. The Board must review high-risk AI use cases before operational deployment and record decisions.", "accountable_persona": "ai-system-governance", "dod_rai_principles": [ "Responsible", "Governable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "acquisition", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [], "mappings": { "dod_rai_strategy": "Governable principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "N/A", "nist_800_171": "N/A", "nist_ai_rmf": "GOVERN 2.2", "cc_srg": "N/A", "owasp_llm": "N/A" }, "threshold": { "metric": "governance_board_meeting_cadence_met", "description": "Binary: the Board has met at its chartered cadence in the prior period, quorum was achieved, and decisions were recorded.", "evidence": { "ocsf_class": "Governance artifact. Meeting minutes and decision records are static documents; may map to audit_activity (3002).", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "true", "param_type": "verification", "window": "quarterly", "breach_action": "schedule-missed-meeting; notify-RAI-officer; document-gap" } }, { "id": "SRF-L1-ACQ-004", "layer": "L1", "component": "Governance and Processes", "title": "DoD RAI Compliance Plan (Five-Principle Assessment)", "description": "Before deploying an AI system, the component must produce a written RAI compliance plan assessing the system against all five DoD RAI principles (Responsible, Equitable, Traceable, Reliable, Governable). The plan must name the accountable official for each principle, identify gaps, and set remediation timelines.", "accountable_persona": "ai-system-governance", "dod_rai_principles": [ "Responsible", "Equitable", "Traceable", "Reliable", "Governable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "acquisition", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [], "mappings": { "dod_rai_strategy": "All five RAI principles; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "N/A", "nist_800_171": "N/A", "nist_ai_rmf": "GOVERN 1.3", "cc_srg": "N/A", "owasp_llm": "N/A" }, "threshold": { "metric": "rai_compliance_plan_complete", "description": "Binary: a RAI compliance plan exists for the system, covers all five principles, and was reviewed within the prior annual cycle.", "evidence": { "ocsf_class": "Governance document artifact. Plan review events may map to audit_activity (3002).", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "true", "param_type": "verification", "window": "annual", "breach_action": "block-deployment; notify-RAI-officer; produce-plan-within-60-days" } }, { "id": "SRF-L1-ACQ-005", "layer": "L1", "component": "Governance and Processes", "title": "AI Acquisition Requirements per DoDI 5000.90", "description": "Contracting officers and program managers must document AI-specific acquisition requirements in the solicitation or contract in accordance with DoDI 5000.90. Requirements include transparency card delivery, TEVV access, data rights, and vendor incident notification obligations.", "accountable_persona": "ai-system-governance", "dod_rai_principles": [ "Responsible", "Governable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Program-Embedded" ], "lifecycle_stage": "acquisition", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [], "mappings": { "dod_rai_strategy": "Responsible principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD: AI acquisition requirements sections", "dodi_5000_89": "N/A", "cmmc_2_0": "N/A", "nist_800_171": "N/A", "nist_ai_rmf": "GOVERN 1.6", "cc_srg": "N/A", "owasp_llm": "N/A" }, "threshold": { "metric": "ai_acq_requirements_documented", "description": "Binary: every AI contract or task order includes the required DoDI 5000.90 clauses as verified by the contracting officer.", "evidence": { "ocsf_class": "Contract document artifact. Acquisition events may map to audit_activity (3002).", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "true", "param_type": "verification", "window": "per-contract", "breach_action": "flag-contract-for-modification; notify-contracting-officer" } }, { "id": "SRF-L1-ACQ-006", "layer": "L1", "component": "Governance and Processes", "title": "AI Supply Chain Risk Assessment", "description": "Before acquiring an AI system or foundation model, the program must conduct a supply chain risk assessment covering the provenance of training data, model weights, third-party components, and hosting infrastructure. The assessment must identify foreign-origin components and apply appropriate ITAR/EAR and supply chain risk management controls.", "accountable_persona": "ai-system-governance", "dod_rai_principles": [ "Responsible", "Reliable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "acquisition", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [ "3.11.1", "3.11.2" ], "mappings": { "dod_rai_strategy": "Reliable principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "TBD: CMMC supply chain risk practice reference", "nist_800_171": "3.11.1", "nist_ai_rmf": "MAP 5.1", "cc_srg": "N/A", "owasp_llm": "LLM03" }, "threshold": { "metric": "supply_chain_risk_assessment_complete", "description": "Binary: a supply chain risk assessment exists for every AI system in the registry, covers required provenance dimensions, and was completed before contract award.", "evidence": { "ocsf_class": "Governance document artifact. Candidate OCSF class: audit_activity (3002).", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "true", "param_type": "verification", "window": "per-acquisition", "breach_action": "block-contract-award; notify-PM; escalate-to-program-security-officer" } }, { "id": "SRF-L1-ACQ-007", "layer": "L1", "component": "Governance and Processes", "title": "Operator and Commander AI Training Program", "description": "The component must establish a training program covering AI capabilities, limitations, failure modes, and RAI principles for every operator and commander using or authorizing AI-assisted decisions. Training completion must be tracked and refreshed at least annually or upon significant model update.", "accountable_persona": "ai-system-governance", "dod_rai_principles": [ "Responsible", "Equitable", "Governable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "acquisition", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [ "3.2.1", "3.2.2" ], "mappings": { "dod_rai_strategy": "Responsible and Equitable principles; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "TBD", "nist_800_171": "3.2.1", "nist_ai_rmf": "GOVERN 4.1", "cc_srg": "N/A", "owasp_llm": "N/A" }, "threshold": { "metric": "ai_training_completion_pct", "description": "Percentage of designated operators and commanders who have completed current AI training within the required refresh cycle.", "evidence": { "ocsf_class": "Training completion records. May map to audit_activity (3002) if the learning management system emits completion events.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": ">=", "param": "TIER_TRAINING_COMPLETION_PCT", "param_type": "tier-configurable", "window": "annual", "breach_action": "restrict-system-access-for-untrained-personnel; notify-supervisor" } }, { "id": "SRF-L1-OPS-008", "layer": "L1", "component": "Governance and Processes", "title": "AI Incident Reporting to CDAO", "description": "The component must report AI incidents (unexpected outputs, operator overrides of consequential decisions, system failures, and adversarial attacks) to CDAO within the required reporting window. An incident response procedure must be documented, tested annually, and linked to the system's ATO.", "accountable_persona": "ai-system-governance", "dod_rai_principles": [ "Responsible", "Governable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "ops", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [ "3.6.1", "3.6.2" ], "mappings": { "dod_rai_strategy": "Governable principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "TBD", "nist_800_171": "3.6.1", "nist_ai_rmf": "RESPOND 1.1", "cc_srg": "N/A", "owasp_llm": "N/A" }, "threshold": { "metric": "incident_report_timeliness_pct", "description": "Percentage of AI incidents reported to CDAO within the required window from time of discovery.", "evidence": { "ocsf_class": "security_finding (2001) or incident (6002). Incident records must capture system ID, time of discovery, description, and operator action taken.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": ">=", "param": "TIER_INCIDENT_REPORT_TIMELINESS_PCT", "param_type": "tier-configurable", "window": "rolling-90-day", "breach_action": "escalate-to-RAI-officer; submit-late-report-with-explanation" } }, { "id": "SRF-L1-ACQ-009", "layer": "L1", "component": "Governance and Processes", "title": "NSS Boundary Classification Determination", "description": "Before deployment, the component must produce and retain a written NSS boundary determination memo signed by the authorizing official. The memo must cite 44 USC 3552(b)(6), document the factors considered, state whether the system is NSS or non-NSS, and specify the resulting security requirements (CNSSI 1253 baseline for NSS; NIST 800-53 for non-NSS).", "accountable_persona": "ai-system-governance", "dod_rai_principles": [ "Responsible", "Governable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "acquisition", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [], "mappings": { "dod_rai_strategy": "Responsible principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "N/A", "nist_800_171": "N/A", "nist_ai_rmf": "GOVERN 1.7", "cc_srg": "TBD: CC SRG NSS boundary documentation requirements", "owasp_llm": "N/A" }, "threshold": { "metric": "nss_determination_memo_exists", "description": "Binary: a signed NSS boundary determination memo exists in the ATO package for every AI system in the registry.", "evidence": { "ocsf_class": "Governance document artifact. Signed determination memo is a static ATO artifact.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "true", "param_type": "verification", "window": "per-system", "breach_action": "block-ATO; notify-AO; produce-determination-memo" } }, { "id": "SRF-L1-TEVV-010", "layer": "L1", "component": "Governance and Processes", "title": "TEVV Plan Existence and Approval Before Operational Deployment", "description": "A Test, Evaluation, Verification and Validation (TEVV) plan per DoDI 5000.89 must be documented and approved by the authorizing official before the AI system reaches operational deployment. The plan must specify test objectives, acceptance criteria, responsible testers, and re-validation triggers.", "accountable_persona": "ai-system-governance", "dod_rai_principles": [ "Reliable", "Traceable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "tevv", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [], "mappings": { "dod_rai_strategy": "Reliable and Traceable principles; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "TBD: TEVV plan requirements section", "cmmc_2_0": "N/A", "nist_800_171": "N/A", "nist_ai_rmf": "MEASURE 2.1", "cc_srg": "N/A", "owasp_llm": "N/A" }, "threshold": { "metric": "tevv_plan_approved_before_deployment", "description": "Binary: an approved TEVV plan exists in the program record for every AI system at or beyond initial operational capability.", "evidence": { "ocsf_class": "Governance document artifact. TEVV plan approval is a static milestone record.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "true", "param_type": "verification", "window": "per-system", "breach_action": "block-deployment; notify-PM; escalate-to-AO" } }, { "id": "SRF-L2-ACQ-001", "layer": "L2", "component": "Data and Feedback", "title": "CUI Classification and Marking on AI Inputs and Outputs", "description": "All data inputs to and outputs from the AI system that contain Controlled Unclassified Information must be classified and marked per 32 CFR Part 2002 and the CUI Registry before use or release. The component must verify that AI-generated outputs do not aggregate or synthesize CUI in ways that elevate the effective classification.", "accountable_persona": "data-provider", "dod_rai_principles": [ "Responsible", "Traceable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "acquisition", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [ "3.1.3" ], "mappings": { "dod_rai_strategy": "Traceable principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "TBD", "nist_800_171": "3.1.3", "nist_ai_rmf": "MAP 1.6", "cc_srg": "TBD: CUI data handling section", "owasp_llm": "LLM06" }, "threshold": { "metric": "cui_marking_compliance_pct", "description": "Percentage of AI data assets in scope confirmed as correctly marked per CUI Registry requirements.", "evidence": { "ocsf_class": "data_security_finding (2004). Data classification scan results may emit findings against unclassified or mismarked objects.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": ">=", "param": "TIER_CUI_MARKING_COMPLIANCE_PCT", "param_type": "tier-configurable", "window": "quarterly", "breach_action": "quarantine-unclassified-assets; notify-ISSO; remediate-within-10-days" } }, { "id": "SRF-L2-OPS-002", "layer": "L2", "component": "Data and Feedback", "title": "IL-Level Data Boundary Enforcement and Tenant Isolation", "description": "The platform must enforce data boundaries such that IL4 data cannot flow to IL5 or IL6 environments, and IL5 non-NSS data cannot flow to IL5 NSS or IL6 partitions. For cloud deployments, tenant isolation must be verified against the DISA PA for the applicable IL. Any cross-boundary data flow must trigger an alert.", "accountable_persona": "data-provider", "dod_rai_principles": [ "Responsible", "Reliable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "ops", "responsibility_split": "shared", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [ "3.1.3", "3.13.1" ], "mappings": { "dod_rai_strategy": "Reliable principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "TBD", "nist_800_171": "3.1.3", "nist_ai_rmf": "MEASURE 2.6", "cc_srg": "TBD: IL boundary enforcement section", "owasp_llm": "LLM06" }, "threshold": { "metric": "cross_boundary_data_flow_alerts", "description": "Number of unresolved cross-IL boundary data flow alerts in the monitoring period. Zero-tolerance: any unresolved alert is a breach.", "evidence": { "ocsf_class": "network_activity (4001) or data_security_finding (2004). Cross-boundary flows must generate a finding with source and destination classification tags.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "TIER_CROSS_BOUNDARY_ALERTS", "param_type": "zero-tolerance", "window": "continuous", "breach_action": "block-data-flow; alert-ISSO; open-security-incident" } }, { "id": "SRF-L2-ACQ-003", "layer": "L2", "component": "Data and Feedback", "title": "Training Data Authority-to-Use Documentation", "description": "The component must document the authority to use each training dataset, including data rights clauses, any restrictions on use for AI training, ITAR/EAR applicability, and PII/PHI presence. Documentation must be retained for the life of the system and updated when training data sources change.", "accountable_persona": "data-provider", "dod_rai_principles": [ "Responsible", "Traceable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "acquisition", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [], "mappings": { "dod_rai_strategy": "Traceable principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD: data rights and training data provisions", "dodi_5000_89": "N/A", "cmmc_2_0": "N/A", "nist_800_171": "N/A", "nist_ai_rmf": "MAP 1.6", "cc_srg": "N/A", "owasp_llm": "LLM03" }, "threshold": { "metric": "training_data_atu_documented_pct", "description": "Percentage of training datasets in use for which authority-to-use documentation is complete and current.", "evidence": { "ocsf_class": "Governance document artifact. Data catalog entries with authority-to-use records may map to audit_activity (3002).", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": ">=", "param": "TIER_ATU_DOCUMENTED_PCT", "param_type": "tier-configurable", "window": "annual", "breach_action": "suspend-use-of-undocumented-data; notify-data-steward; remediate-within-30-days" } }, { "id": "SRF-L2-OPS-004", "layer": "L2", "component": "Data and Feedback", "title": "Data Egress Controls per Classification Level", "description": "The system must enforce data egress controls that prevent AI outputs containing CUI or classified information from leaving the authorized environment. For IL6 systems, egress must be blocked at the classified enclave boundary. For IL4/IL5, controls must match the DISA PA requirements and be validated during TEVV.", "accountable_persona": "data-provider", "dod_rai_principles": [ "Responsible", "Reliable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "ops", "responsibility_split": "shared", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [ "3.1.3", "3.13.5" ], "mappings": { "dod_rai_strategy": "Responsible principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "TBD", "nist_800_171": "3.1.3", "nist_ai_rmf": "MANAGE 2.4", "cc_srg": "TBD: data egress controls section", "owasp_llm": "LLM06" }, "threshold": { "metric": "unauthorized_egress_events", "description": "Number of unauthorized data egress events detected per monitoring period. Zero-tolerance.", "evidence": { "ocsf_class": "network_activity (4001). Egress events must log source environment, destination, data classification, and detection method.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "TIER_UNAUTHORIZED_EGRESS_EVENTS", "param_type": "zero-tolerance", "window": "continuous", "breach_action": "block-egress; alert-ISSO; open-security-incident; notify-AO" } }, { "id": "SRF-L2-OPS-005", "layer": "L2", "component": "Data and Feedback", "title": "Adversarial Input Detection (Prompt Injection and Data Poisoning)", "description": "The system must deploy detection controls for prompt injection attacks and data poisoning attempts. Detection must cover both the inference-time layer (malicious user inputs) and the training pipeline (poisoned data sources). Alerts must be generated and routed to the security operations center.", "accountable_persona": "data-provider", "dod_rai_principles": [ "Reliable", "Responsible" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "ops", "responsibility_split": "shared", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [ "3.14.1", "3.14.2" ], "mappings": { "dod_rai_strategy": "Reliable principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "TBD", "nist_800_171": "3.14.1", "nist_ai_rmf": "MEASURE 2.6", "cc_srg": "TBD", "owasp_llm": "LLM01" }, "threshold": { "metric": "adversarial_detection_coverage_pct", "description": "Percentage of AI inference endpoints covered by active prompt injection detection controls.", "evidence": { "ocsf_class": "security_finding (2001). Adversarial input events must log the detected pattern, endpoint, and response action.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": ">=", "param": "TIER_ADVERSARIAL_DETECTION_PCT", "param_type": "tier-configurable", "window": "continuous", "breach_action": "block-input; alert-SOC; escalate-to-cybersecurity-team" } }, { "id": "SRF-L2-OPS-006", "layer": "L2", "component": "Data and Feedback", "title": "Bias and Disparate Impact Monitoring on Consequential Decisions", "description": "For AI systems that make or inform personnel, benefits, or enforcement decisions, the component must conduct periodic bias and disparate impact analyses disaggregated by protected characteristics as applicable. Results must be reviewed by the RAI Officer and remediated if disparate impact exceeds established thresholds.", "accountable_persona": "data-provider", "dod_rai_principles": [ "Equitable", "Responsible" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops" ], "lifecycle_stage": "ops", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5" ], "cmmc_practices": [], "mappings": { "dod_rai_strategy": "Equitable principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "N/A", "nist_800_171": "N/A", "nist_ai_rmf": "MEASURE 2.5", "cc_srg": "N/A", "owasp_llm": "N/A" }, "threshold": { "metric": "bias_analysis_current", "description": "Binary: a bias and disparate impact analysis has been completed within the prior review cycle for every in-scope consequential AI use case.", "evidence": { "ocsf_class": "Governance document artifact. Analysis reports may map to audit_activity (3002).", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "TIER_BIAS_ANALYSIS_CURRENT", "param_type": "tier-configurable", "window": "annual", "breach_action": "notify-RAI-officer; schedule-analysis; document-gap" } }, { "id": "SRF-L2-OPS-007", "layer": "L2", "component": "Data and Feedback", "title": "AI Decision Log Retention per NARA Requirements", "description": "The component must retain logs of AI system decisions, operator overrides, and model version identifiers in accordance with NARA records schedules applicable to the underlying decision type. Retention periods must be configured before system deployment and reviewed when NARA schedules are updated.", "accountable_persona": "data-provider", "dod_rai_principles": [ "Traceable", "Governable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "ops", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [ "3.3.1" ], "mappings": { "dod_rai_strategy": "Traceable principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "TBD", "nist_800_171": "3.3.1", "nist_ai_rmf": "GOVERN 1.5", "cc_srg": "TBD", "owasp_llm": "N/A" }, "threshold": { "metric": "decision_log_retention_compliant", "description": "Binary: decision logs are retained for the required period as verified by the records manager and ISSO.", "evidence": { "ocsf_class": "audit_activity (3002). Log retention compliance may be verified via audit of log storage configuration and retention policy.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "true", "param_type": "verification", "window": "annual", "breach_action": "notify-records-manager; extend-retention-period; document-gap" } }, { "id": "SRF-L2-ACQ-008", "layer": "L2", "component": "Data and Feedback", "title": "Contractor Data Isolation from DoD Data Planes", "description": "Contractor-operated AI systems must be architected so that contractor infrastructure does not have persistent access to DoD data planes beyond the scope of the contract. Data isolation requirements must be specified in the contract, verified during TEVV, and audited annually.", "accountable_persona": "data-provider", "dod_rai_principles": [ "Responsible", "Reliable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Program-Embedded" ], "lifecycle_stage": "acquisition", "responsibility_split": "contractor", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [ "3.1.3", "3.13.1" ], "mappings": { "dod_rai_strategy": "Responsible principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "TBD", "nist_800_171": "3.1.3", "nist_ai_rmf": "MAP 5.2", "cc_srg": "TBD", "owasp_llm": "N/A" }, "threshold": { "metric": "contractor_data_isolation_verified", "description": "Binary: contractor data isolation architecture has been verified in the most recent TEVV cycle or annual audit.", "evidence": { "ocsf_class": "audit_activity (3002). Isolation verification may include network segmentation scan results and access log review.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "true", "param_type": "verification", "window": "annual", "breach_action": "notify-contracting-officer; restrict-contractor-access; open-security-incident" } }, { "id": "SRF-L3-TEVV-001", "layer": "L3", "component": "Application and Orchestration", "title": "TEVV Plan Execution per DoDI 5000.89", "description": "The TEVV plan must be executed before operational deployment, producing a TEVV report documenting test results, acceptance criteria outcomes, identified failure modes, and the disposition decision (approve, conditional, or reject). The TEVV report must be signed by the authorizing official and retained in the ATO package.", "accountable_persona": "application-developer", "dod_rai_principles": [ "Reliable", "Traceable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "tevv", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [], "mappings": { "dod_rai_strategy": "Reliable and Traceable principles; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "TBD: TEVV execution and reporting sections", "cmmc_2_0": "N/A", "nist_800_171": "N/A", "nist_ai_rmf": "MEASURE 2.1", "cc_srg": "N/A", "owasp_llm": "N/A" }, "threshold": { "metric": "tevv_report_signed_before_deployment", "description": "Binary: a signed TEVV report exists in the ATO package for every system at or beyond initial operational capability.", "evidence": { "ocsf_class": "Governance document artifact. TEVV report is a static milestone record in the ATO package.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "true", "param_type": "verification", "window": "per-system", "breach_action": "block-deployment; notify-PM; escalate-to-AO" } }, { "id": "SRF-L3-TEVV-002", "layer": "L3", "component": "Application and Orchestration", "title": "AI Impact Assessment Before Operational Deployment", "description": "The component must complete an AI impact assessment documenting the decision or operational context, potential failure modes, consequences of incorrect outputs, affected populations, and mitigation measures. The assessment must be reviewed and approved before initial operational capability.", "accountable_persona": "application-developer", "dod_rai_principles": [ "Responsible", "Equitable", "Governable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "tevv", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [], "mappings": { "dod_rai_strategy": "Responsible and Equitable principles; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "TBD", "cmmc_2_0": "N/A", "nist_800_171": "N/A", "nist_ai_rmf": "MAP 2.1", "cc_srg": "N/A", "owasp_llm": "N/A" }, "threshold": { "metric": "impact_assessment_approved", "description": "Binary: an approved AI impact assessment exists in the program record for every system before initial operational capability.", "evidence": { "ocsf_class": "Governance document artifact. Assessment approval is a static milestone record.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "true", "param_type": "verification", "window": "per-system", "breach_action": "block-deployment; notify-PM; schedule-assessment" } }, { "id": "SRF-L3-OVR-003", "layer": "L3", "component": "Application and Orchestration", "title": "Human Oversight Gate for Use-of-Force-Adjacent Decisions", "description": "AI systems that inform or recommend use-of-force-adjacent decisions must incorporate a mandatory human oversight gate that prevents autonomous action. The gate must require affirmative authorization from a qualified commander or operator before any decision is executed. DoD Directive 3000.09 compliance is required for autonomous and semi-autonomous weapon functions.", "accountable_persona": "application-developer", "dod_rai_principles": [ "Responsible", "Governable", "Reliable" ], "operating_models": [ "Program-Embedded", "Agent-Ops" ], "lifecycle_stage": "human-oversight-remedy", "responsibility_split": "dod-component", "nss_applicability": "nss", "il_applicability": [ "IL5", "IL6" ], "cmmc_practices": [], "mappings": { "dod_rai_strategy": "Governable and Responsible principles; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "TBD", "cmmc_2_0": "N/A", "nist_800_171": "N/A", "nist_ai_rmf": "MANAGE 1.3", "cc_srg": "N/A", "owasp_llm": "N/A" }, "threshold": { "metric": "human_gate_bypass_events", "description": "Number of logged instances where a use-of-force-adjacent decision was executed without affirmative human authorization. Zero-tolerance.", "evidence": { "ocsf_class": "audit_activity (3002). Override and authorization events must log operator identity, timestamp, decision context, and authorization action.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "TIER_HUMAN_GATE_BYPASS_EVENTS", "param_type": "zero-tolerance", "window": "continuous", "breach_action": "halt-system; notify-commander; open-safety-incident; report-to-CDAO" } }, { "id": "SRF-L3-OVR-004", "layer": "L3", "component": "Application and Orchestration", "title": "Operator Interface Override Capability", "description": "Every AI-assisted operational system must provide qualified operators with a clearly labeled, immediately accessible mechanism to override or disable AI outputs without requiring technical knowledge. Override events must be logged with operator identity, timestamp, and reason code.", "accountable_persona": "application-developer", "dod_rai_principles": [ "Governable", "Responsible" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "human-oversight-remedy", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [], "mappings": { "dod_rai_strategy": "Governable principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "TBD", "cmmc_2_0": "N/A", "nist_800_171": "N/A", "nist_ai_rmf": "MANAGE 1.3", "cc_srg": "N/A", "owasp_llm": "N/A" }, "threshold": { "metric": "override_capability_verified", "description": "Binary: operator override capability has been verified during TEVV and confirmed operational in the most recent system check.", "evidence": { "ocsf_class": "audit_activity (3002). Override events must log operator identity, timestamp, and reason code.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "true", "param_type": "verification", "window": "per-TEVV-cycle", "breach_action": "restrict-AI-assisted-operations; notify-PM; remediate-before-next-operational-use" } }, { "id": "SRF-L3-OVR-005", "layer": "L3", "component": "Application and Orchestration", "title": "Remedy and Appeal Mechanism for Adverse Administrative Decisions", "description": "For AI systems that inform personnel, benefits, or administrative decisions with adverse consequences, the component must provide a documented remedy and appeal mechanism. Affected individuals must be informed of the mechanism. Appeals must be reviewed by a human official with authority to override the AI-informed decision.", "accountable_persona": "application-developer", "dod_rai_principles": [ "Equitable", "Responsible", "Governable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops" ], "lifecycle_stage": "human-oversight-remedy", "responsibility_split": "dod-component", "nss_applicability": "non-nss", "il_applicability": [ "IL4", "IL5" ], "cmmc_practices": [], "mappings": { "dod_rai_strategy": "Equitable and Governable principles; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "N/A", "nist_800_171": "N/A", "nist_ai_rmf": "MANAGE 4.2", "cc_srg": "N/A", "owasp_llm": "N/A" }, "threshold": { "metric": "remedy_mechanism_documented", "description": "Binary: a remedy and appeal procedure is documented, published to affected populations, and has a named review official for every in-scope administrative AI system.", "evidence": { "ocsf_class": "Governance document artifact. Appeal outcomes may map to audit_activity (3002).", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "true", "param_type": "verification", "window": "per-system", "breach_action": "suspend-adverse-decisions; notify-RAI-officer; publish-procedure-within-30-days" } }, { "id": "SRF-L3-OPS-006", "layer": "L3", "component": "Application and Orchestration", "title": "Agentic Task Boundary Enforcement", "description": "Agentic AI systems must operate within documented task boundaries that restrict the range of actions the agent can take autonomously. The boundary specification must be reviewed and approved before deployment. Any attempt to execute an action outside the boundary must be blocked and logged.", "accountable_persona": "agentic-platform-provider", "dod_rai_principles": [ "Governable", "Reliable" ], "operating_models": [ "Agent-Ops" ], "lifecycle_stage": "ops", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [ "3.1.1", "3.1.2" ], "mappings": { "dod_rai_strategy": "Governable principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "TBD", "cmmc_2_0": "TBD", "nist_800_171": "3.1.1", "nist_ai_rmf": "MANAGE 1.3", "cc_srg": "TBD", "owasp_llm": "LLM08" }, "threshold": { "metric": "boundary_violation_events", "description": "Number of out-of-boundary action attempts not blocked per monitoring period. Zero-tolerance.", "evidence": { "ocsf_class": "security_finding (2001). Boundary violation events must log the attempted action, agent identity, and blocking action.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "TIER_BOUNDARY_VIOLATION_EVENTS", "param_type": "zero-tolerance", "window": "continuous", "breach_action": "suspend-agent; alert-SOC; notify-PM" } }, { "id": "SRF-L3-OPS-007", "layer": "L3", "component": "Application and Orchestration", "title": "Prompt Injection Detection at Application Layer", "description": "The application layer must implement prompt injection detection to identify adversarial instructions embedded in user inputs or retrieved documents. Detection must operate before inputs reach the model and must generate security findings routed to the SOC.", "accountable_persona": "application-developer", "dod_rai_principles": [ "Reliable", "Responsible" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops" ], "lifecycle_stage": "ops", "responsibility_split": "shared", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [ "3.14.2" ], "mappings": { "dod_rai_strategy": "Reliable principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "TBD", "nist_800_171": "3.14.2", "nist_ai_rmf": "MEASURE 2.6", "cc_srg": "TBD", "owasp_llm": "LLM01" }, "threshold": { "metric": "prompt_injection_detection_coverage_pct", "description": "Percentage of AI inference endpoints with active application-layer prompt injection detection.", "evidence": { "ocsf_class": "security_finding (2001). Detection events must log the attack pattern, endpoint, and blocking action.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": ">=", "param": "TIER_PROMPT_INJECTION_DETECTION_PCT", "param_type": "tier-configurable", "window": "continuous", "breach_action": "block-input; alert-SOC; notify-ISSO" } }, { "id": "SRF-L3-ACQ-008", "layer": "L3", "component": "Application and Orchestration", "title": "Shared Service Inheritance Chain Documentation", "description": "Where an AI system inherits security controls from a DISA-managed shared service or interagency platform, the inheritance chain must be documented in the ATO package. Documentation must identify each inherited control, the providing service, the PA or ATO that covers it, and any residual component responsibility.", "accountable_persona": "application-developer", "dod_rai_principles": [ "Traceable", "Governable" ], "operating_models": [ "AI-SaaS", "AI-PaaS" ], "lifecycle_stage": "acquisition", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5" ], "cmmc_practices": [], "mappings": { "dod_rai_strategy": "Traceable principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "N/A", "nist_800_171": "N/A", "nist_ai_rmf": "GOVERN 1.6", "cc_srg": "TBD: inheritance documentation requirements", "owasp_llm": "N/A" }, "threshold": { "metric": "inheritance_chain_documented", "description": "Binary: every inherited control in the ATO package identifies the providing service and the authorizing PA or ATO.", "evidence": { "ocsf_class": "Governance document artifact. ATO inheritance documentation is a static record.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "true", "param_type": "verification", "window": "per-ATO-cycle", "breach_action": "flag-incomplete-ATO; notify-ISSO; remediate-before-ATO-approval" } }, { "id": "SRF-L3-OPS-009", "layer": "L3", "component": "Application and Orchestration", "title": "Plain-Language Output Explanation for Operators", "description": "AI systems that present recommendations to operators must provide a plain-language explanation of the factors driving the output, stated at a level comprehensible to a qualified operator without technical AI knowledge. Explanations must be surfaced in the operator interface alongside the recommendation.", "accountable_persona": "application-developer", "dod_rai_principles": [ "Traceable", "Reliable", "Equitable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "ops", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [], "mappings": { "dod_rai_strategy": "Traceable and Equitable principles; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "TBD", "cmmc_2_0": "N/A", "nist_800_171": "N/A", "nist_ai_rmf": "MANAGE 2.2", "cc_srg": "N/A", "owasp_llm": "N/A" }, "threshold": { "metric": "explanation_availability_pct", "description": "Percentage of AI recommendations presented to operators accompanied by a plain-language explanation as verified by TEVV usability testing.", "evidence": { "ocsf_class": "Governance artifact. TEVV usability test results document explanation presence and operator comprehension.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": ">=", "param": "TIER_EXPLANATION_AVAILABILITY_PCT", "param_type": "tier-configurable", "window": "per-TEVV-cycle", "breach_action": "notify-PM; remediate-interface-before-next-TEVV" } }, { "id": "SRF-L4-ACQ-001", "layer": "L4", "component": "AI Platform", "title": "DISA Provisional Authorization at Required IL Before Deployment", "description": "The cloud service or AI platform must hold a current DISA Provisional Authorization (PA) at the impact level required for the data being processed before the component may use it for DoD data. The component must verify the PA is current and covers the services in use before deployment and at each annual review.", "accountable_persona": "ai-platform-provider", "dod_rai_principles": [ "Responsible", "Reliable" ], "operating_models": [ "AI-SaaS", "AI-PaaS" ], "lifecycle_stage": "acquisition", "responsibility_split": "disa", "nss_applicability": "non-nss", "il_applicability": [ "IL4", "IL5" ], "cmmc_practices": [], "mappings": { "dod_rai_strategy": "Responsible principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "N/A", "nist_800_171": "N/A", "nist_ai_rmf": "GOVERN 1.6", "cc_srg": "TBD: PA requirement section", "owasp_llm": "N/A" }, "threshold": { "metric": "disa_pa_current", "description": "Binary: the platform holds a current DISA PA at or above the required IL as verified against the DISA PA list.", "evidence": { "ocsf_class": "Governance document artifact. PA currency can be verified against public.cyber.mil PA listings.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "TIER_DISA_PA_CURRENT", "param_type": "zero-tolerance", "window": "annual", "breach_action": "block-deployment; notify-PM; identify-alternative-PA-platform" } }, { "id": "SRF-L4-ACQ-002", "layer": "L4", "component": "AI Platform", "title": "STIG Baseline Configuration Enforcement", "description": "The platform and all AI-hosting components must be configured to the applicable DISA Security Technical Implementation Guide (STIG) baseline. STIG compliance must be verified during TEVV and continuously monitored. Open STIG findings must be tracked with accepted risk or remediation plans signed by the AO.", "accountable_persona": "ai-platform-provider", "dod_rai_principles": [ "Reliable", "Responsible" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Program-Embedded" ], "lifecycle_stage": "acquisition", "responsibility_split": "shared", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [ "3.4.1", "3.4.2" ], "mappings": { "dod_rai_strategy": "Reliable principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "TBD", "nist_800_171": "3.4.1", "nist_ai_rmf": "MANAGE 2.4", "cc_srg": "TBD: STIG compliance requirements", "owasp_llm": "N/A" }, "threshold": { "metric": "stig_open_findings_cat1", "description": "Number of open Category I (high) STIG findings without accepted risk signed by the AO. Zero-tolerance.", "evidence": { "ocsf_class": "vulnerability_finding (2002). STIG scan results from DISA ACAS must log finding ID, severity, system, and remediation status.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "TIER_STIG_OPEN_CAT1_FINDINGS", "param_type": "zero-tolerance", "window": "continuous", "breach_action": "notify-ISSO; remediate-or-accept-risk-within-30-days; report-to-AO" } }, { "id": "SRF-L4-ACQ-003", "layer": "L4", "component": "AI Platform", "title": "IL-Appropriate Cloud Region Enforcement", "description": "The platform must enforce that DoD data is processed only in cloud regions that meet the applicable IL requirements: commercial regions for IL4, government-only regions for IL5, and classified cloud only for IL6. Region enforcement must be verified during TEVV and monitored continuously.", "accountable_persona": "ai-platform-provider", "dod_rai_principles": [ "Responsible", "Reliable" ], "operating_models": [ "AI-SaaS", "AI-PaaS" ], "lifecycle_stage": "acquisition", "responsibility_split": "shared", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [], "mappings": { "dod_rai_strategy": "Responsible principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "N/A", "nist_800_171": "N/A", "nist_ai_rmf": "MANAGE 2.4", "cc_srg": "TBD: cloud region requirements by IL", "owasp_llm": "N/A" }, "threshold": { "metric": "out_of_region_processing_events", "description": "Number of data processing events detected in a non-authorized region. Zero-tolerance.", "evidence": { "ocsf_class": "network_activity (4001). Region enforcement events must log the data classification, region, and enforcement action.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "TIER_OUT_OF_REGION_EVENTS", "param_type": "zero-tolerance", "window": "continuous", "breach_action": "block-processing; alert-ISSO; notify-AO; open-security-incident" } }, { "id": "SRF-L4-OPS-004", "layer": "L4", "component": "AI Platform", "title": "CUI and Classified Data Encryption to NSA-Approved Standards", "description": "CUI data at IL4/IL5 must be encrypted at rest and in transit using FIPS 140-3 validated cryptography. IL6 classified data must be encrypted using NSA-approved cryptography (Suite B or Commercial National Security Algorithm Suite). Encryption key management must comply with CNSSI 1300 or equivalent.", "accountable_persona": "ai-platform-provider", "dod_rai_principles": [ "Responsible", "Reliable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Program-Embedded" ], "lifecycle_stage": "ops", "responsibility_split": "shared", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [ "3.13.8", "3.13.10" ], "mappings": { "dod_rai_strategy": "Responsible principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "TBD", "nist_800_171": "3.13.8", "nist_ai_rmf": "MANAGE 2.4", "cc_srg": "TBD: encryption requirements by IL", "owasp_llm": "N/A" }, "threshold": { "metric": "encryption_compliance_pct", "description": "Percentage of data stores and transport channels confirmed compliant with the required cryptographic standard.", "evidence": { "ocsf_class": "data_security_finding (2004). Encryption compliance scans must log store or channel ID, standard verified, and validation status.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": ">=", "param": "TIER_ENCRYPTION_COMPLIANCE_PCT", "param_type": "tier-configurable", "window": "quarterly", "breach_action": "quarantine-non-compliant-store; notify-ISSO; remediate-within-30-days" } }, { "id": "SRF-L4-OPS-005", "layer": "L4", "component": "AI Platform", "title": "Audit Log Completeness per DISA Requirements", "description": "The platform must generate and retain audit logs meeting DISA requirements for the applicable IL. Logs must cover authentication events, API calls, data access, configuration changes, and AI inference requests. Log completeness must be verified quarterly and after any platform update.", "accountable_persona": "ai-platform-provider", "dod_rai_principles": [ "Traceable", "Governable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Program-Embedded" ], "lifecycle_stage": "ops", "responsibility_split": "shared", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [ "3.3.1", "3.3.2" ], "mappings": { "dod_rai_strategy": "Traceable principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "TBD", "nist_800_171": "3.3.1", "nist_ai_rmf": "GOVERN 1.5", "cc_srg": "TBD: audit logging requirements by IL", "owasp_llm": "N/A" }, "threshold": { "metric": "audit_log_completeness_pct", "description": "Percentage of required event types with confirmed log generation, as verified by the most recent completeness audit.", "evidence": { "ocsf_class": "audit_activity (3002). Log completeness verification events must record the event types checked and the verification outcome.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": ">=", "param": "TIER_AUDIT_LOG_COMPLETENESS_PCT", "param_type": "tier-configurable", "window": "quarterly", "breach_action": "notify-ISSO; remediate-logging-gaps; notify-AO" } }, { "id": "SRF-L4-OPS-006", "layer": "L4", "component": "AI Platform", "title": "API Gateway Authentication and Authorization", "description": "All AI platform APIs must require authentication using DoD PKI or equivalent credential and enforce attribute-based or role-based authorization before any AI inference or data access is permitted. Unauthenticated requests must be rejected and logged. Privileged API calls require multi-factor authentication.", "accountable_persona": "ai-platform-provider", "dod_rai_principles": [ "Responsible", "Reliable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops" ], "lifecycle_stage": "ops", "responsibility_split": "shared", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [ "3.5.3", "3.5.5" ], "mappings": { "dod_rai_strategy": "Responsible principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "TBD", "nist_800_171": "3.5.3", "nist_ai_rmf": "MANAGE 2.4", "cc_srg": "TBD: API authentication requirements", "owasp_llm": "LLM09" }, "threshold": { "metric": "unauthenticated_api_request_pct", "description": "Percentage of AI platform API requests that bypassed authentication controls. Zero-tolerance.", "evidence": { "ocsf_class": "authentication (3002) or api_activity (6003). Failed and unauthenticated requests must log source IP, endpoint, and rejection reason.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "TIER_UNAUTH_API_REQUESTS", "param_type": "zero-tolerance", "window": "continuous", "breach_action": "block-request; alert-SOC; notify-ISSO" } }, { "id": "SRF-L4-ACQ-007", "layer": "L4", "component": "AI Platform", "title": "CMMC Level 2 Assessment for Contractor-Owned CUI Platforms", "description": "Defense contractors operating AI platforms that process CUI must obtain a third-party CMMC Level 2 assessment (C3PAO assessment) covering the 110 NIST SP 800-171 practices before processing DoD CUI. Assessment results must be submitted to SPRS and referenced in the contract.", "accountable_persona": "ai-platform-provider", "dod_rai_principles": [ "Responsible", "Reliable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Program-Embedded" ], "lifecycle_stage": "acquisition", "responsibility_split": "contractor", "nss_applicability": "non-nss", "il_applicability": [ "IL4", "IL5" ], "cmmc_practices": [ "3.12.1", "3.12.2", "3.12.3", "3.12.4" ], "mappings": { "dod_rai_strategy": "Responsible principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "32 CFR Part 170, Level 2 requirements", "nist_800_171": "3.12.1", "nist_ai_rmf": "GOVERN 1.6", "cc_srg": "N/A", "owasp_llm": "N/A" }, "threshold": { "metric": "cmmc_l2_assessment_current", "description": "Binary: the contractor holds a current C3PAO-assessed CMMC Level 2 certification with results in SPRS.", "evidence": { "ocsf_class": "Governance document artifact. CMMC assessment results are submitted to SPRS by the C3PAO.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "TIER_CMMC_L2_CURRENT", "param_type": "zero-tolerance", "window": "triennial", "breach_action": "block-CUI-processing; notify-contracting-officer; initiate-assessment" } }, { "id": "SRF-L4-ACQ-008", "layer": "L4", "component": "AI Platform", "title": "CMMC Level 3 Assessment for Higher-Value Contractor Platforms", "description": "Defense contractors operating AI platforms for programs designated as requiring CMMC Level 3 must obtain a DIBCAC-led government assessment covering the NIST SP 800-172 enhanced practices. The assessment must be current and referenced in the contract before any higher-value program data is processed.", "accountable_persona": "ai-platform-provider", "dod_rai_principles": [ "Responsible", "Reliable" ], "operating_models": [ "AI-PaaS", "Program-Embedded" ], "lifecycle_stage": "acquisition", "responsibility_split": "contractor", "nss_applicability": "both", "il_applicability": [ "IL5", "IL6" ], "cmmc_practices": [ "3.12.1", "3.12.2", "3.12.3", "3.12.4" ], "mappings": { "dod_rai_strategy": "Responsible principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "32 CFR Part 170, Level 3 requirements", "nist_800_171": "3.12.1", "nist_ai_rmf": "GOVERN 1.6", "cc_srg": "N/A", "owasp_llm": "N/A" }, "threshold": { "metric": "cmmc_l3_assessment_current", "description": "Binary: the contractor holds a current DIBCAC-assessed CMMC Level 3 certification for the designated program.", "evidence": { "ocsf_class": "Governance document artifact. DIBCAC assessment results are government records.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "TIER_CMMC_L3_CURRENT", "param_type": "zero-tolerance", "window": "triennial", "breach_action": "block-higher-value-program-data; notify-contracting-officer; initiate-assessment" } }, { "id": "SRF-L4-OPS-009", "layer": "L4", "component": "AI Platform", "title": "Continuous Vulnerability Scanning via DISA ACAS", "description": "AI platform hosts and containers must be continuously scanned using DISA-approved tools (Assured Compliance Assessment Solution, ACAS) and findings must be tracked and remediated per DISA remediation timelines. Scan coverage must include all AI inference and supporting infrastructure nodes.", "accountable_persona": "ai-platform-provider", "dod_rai_principles": [ "Reliable", "Responsible" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Program-Embedded" ], "lifecycle_stage": "ops", "responsibility_split": "shared", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [ "3.11.2", "3.11.3" ], "mappings": { "dod_rai_strategy": "Reliable principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "TBD", "nist_800_171": "3.11.2", "nist_ai_rmf": "MANAGE 2.4", "cc_srg": "TBD: continuous monitoring requirements", "owasp_llm": "N/A" }, "threshold": { "metric": "acas_scan_coverage_pct", "description": "Percentage of AI platform nodes covered by ACAS scans within the required scan cadence.", "evidence": { "ocsf_class": "vulnerability_finding (2002). ACAS scan results must log node ID, scan date, findings, and remediation status.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": ">=", "param": "TIER_ACAS_COVERAGE_PCT", "param_type": "tier-configurable", "window": "weekly", "breach_action": "notify-ISSO; expand-scan-scope; report-gap-to-AO" } }, { "id": "SRF-L4-OPS-010", "layer": "L4", "component": "AI Platform", "title": "Mission-Critical AI Availability SLA", "description": "AI systems supporting mission-critical operations must have a documented availability SLA, a tested failover or degraded-mode procedure, and a recovery time objective (RTO) approved by the operational commander. Availability must be monitored continuously and reported against the SLA.", "accountable_persona": "ai-platform-provider", "dod_rai_principles": [ "Reliable", "Governable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "ops", "responsibility_split": "shared", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [], "mappings": { "dod_rai_strategy": "Reliable principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "TBD", "cmmc_2_0": "N/A", "nist_800_171": "N/A", "nist_ai_rmf": "MEASURE 2.7", "cc_srg": "TBD", "owasp_llm": "N/A" }, "threshold": { "metric": "availability_sla_compliance_pct", "description": "Percentage of monitoring periods in which the system met its approved availability SLA.", "evidence": { "ocsf_class": "availability (3003) or infrastructure_status. Availability monitoring must log uptime, degraded-mode events, and failover activations.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": ">=", "param": "TIER_AVAILABILITY_SLA_PCT", "param_type": "tier-configurable", "window": "monthly", "breach_action": "notify-operational-commander; activate-degraded-mode; open-availability-incident" } }, { "id": "SRF-L5-ACQ-001", "layer": "L5", "component": "Model", "title": "Model Transparency Card per DoDI 5000.90", "description": "The model provider must deliver a transparency card documenting the model's intended use, training data scope, known limitations, performance bounds, failure modes, and version identifier. The card must be delivered before contract award for AI systems subject to DoDI 5000.90 and updated when the model is significantly updated.", "accountable_persona": "model-provider", "dod_rai_principles": [ "Traceable", "Responsible" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Program-Embedded" ], "lifecycle_stage": "acquisition", "responsibility_split": "contractor", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [], "mappings": { "dod_rai_strategy": "Traceable principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD: AI transparency card requirements", "dodi_5000_89": "N/A", "cmmc_2_0": "N/A", "nist_800_171": "N/A", "nist_ai_rmf": "GOVERN 1.6", "cc_srg": "N/A", "owasp_llm": "N/A" }, "threshold": { "metric": "transparency_card_delivered", "description": "Binary: a transparency card has been delivered for every AI system subject to DoDI 5000.90 and is current for the deployed model version.", "evidence": { "ocsf_class": "Governance document artifact. Transparency card is a contractual deliverable; delivery event maps to audit_activity (3002).", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "true", "param_type": "verification", "window": "per-model-version", "breach_action": "block-deployment; notify-contracting-officer; request-card-from-vendor" } }, { "id": "SRF-L5-OPS-002", "layer": "L5", "component": "Model", "title": "Vendor Model Drift Disclosure SLA", "description": "The vendor or model provider must contractually commit to disclosing any model updates or behavioral changes that may affect performance, accuracy, or safety within the defined disclosure window. The component must monitor for drift and trigger re-validation when a disclosure is received.", "accountable_persona": "model-provider", "dod_rai_principles": [ "Reliable", "Traceable" ], "operating_models": [ "AI-SaaS", "AI-PaaS" ], "lifecycle_stage": "ops", "responsibility_split": "shared", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5" ], "cmmc_practices": [], "mappings": { "dod_rai_strategy": "Reliable principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "TBD", "cmmc_2_0": "N/A", "nist_800_171": "N/A", "nist_ai_rmf": "MEASURE 2.8", "cc_srg": "N/A", "owasp_llm": "N/A" }, "threshold": { "metric": "drift_disclosure_sla_compliance_pct", "description": "Percentage of model updates where the vendor provided timely disclosure within the contractual SLA window.", "evidence": { "ocsf_class": "Governance artifact. Vendor disclosure records and disclosure receipt timestamps map to audit_activity (3002).", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": ">=", "param": "TIER_DRIFT_DISCLOSURE_SLA_PCT", "param_type": "tier-configurable", "window": "rolling-12-month", "breach_action": "notify-contracting-officer; initiate-contract-remedy; trigger-re-validation" } }, { "id": "SRF-L5-ACQ-003", "layer": "L5", "component": "Model", "title": "Model Artifact Signing and Bill of AI Materials", "description": "All AI model artifacts deployed on DoD platforms must be cryptographically signed by the provider. The component must maintain a Bill of AI Materials (BoAIM) listing model identifiers, version hashes, training data provenance, and third-party component dependencies for every model in production.", "accountable_persona": "model-provider", "dod_rai_principles": [ "Traceable", "Responsible" ], "operating_models": [ "AI-PaaS", "Program-Embedded" ], "lifecycle_stage": "acquisition", "responsibility_split": "shared", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [ "3.14.3" ], "mappings": { "dod_rai_strategy": "Traceable principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "TBD", "nist_800_171": "3.14.3", "nist_ai_rmf": "MAP 5.1", "cc_srg": "N/A", "owasp_llm": "LLM03" }, "threshold": { "metric": "boaim_current_and_signed", "description": "Binary: a current BoAIM exists for every production model, artifact signatures are verified, and the BoAIM was reviewed within the prior annual cycle.", "evidence": { "ocsf_class": "Governance document artifact. Signature verification events map to audit_activity (3002) or software_info (1006).", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "true", "param_type": "verification", "window": "annual", "breach_action": "notify-PM; re-verify-signatures; update-BoAIM-within-30-days" } }, { "id": "SRF-L5-OPS-004", "layer": "L5", "component": "Model", "title": "Vulnerability Disclosure SLA and Patch Cadence", "description": "The model or platform provider must commit to a vulnerability disclosure SLA and patch release cadence in the contract. Critical vulnerabilities must be disclosed within 24 hours of discovery and patched or mitigated within the contractual window. The component must apply patches within its own remediation timeline after vendor release.", "accountable_persona": "model-provider", "dod_rai_principles": [ "Reliable", "Responsible" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Program-Embedded" ], "lifecycle_stage": "ops", "responsibility_split": "shared", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [ "3.14.1" ], "mappings": { "dod_rai_strategy": "Reliable principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "TBD", "nist_800_171": "3.14.1", "nist_ai_rmf": "MANAGE 2.4", "cc_srg": "TBD", "owasp_llm": "N/A" }, "threshold": { "metric": "critical_vuln_patch_timeliness_pct", "description": "Percentage of critical model vulnerabilities patched or mitigated within the contractual window from vendor disclosure.", "evidence": { "ocsf_class": "vulnerability_finding (2002). Patch events must log CVE or finding ID, disclosure date, patch date, and applier identity.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": ">=", "param": "TIER_CRITICAL_PATCH_TIMELINESS_PCT", "param_type": "tier-configurable", "window": "rolling-90-day", "breach_action": "notify-ISSO; apply-emergency-patch; report-to-AO" } }, { "id": "SRF-L5-ACQ-005", "layer": "L5", "component": "Model", "title": "Model Portability to Avoid Vendor Lock-In", "description": "Contracts for AI systems must include data rights and model portability provisions that allow the component to transition to an alternative model without losing operational capability. Portability must be verified through a portability exercise or documented portability plan approved by the program manager.", "accountable_persona": "model-provider", "dod_rai_principles": [ "Reliable", "Governable" ], "operating_models": [ "AI-SaaS", "AI-PaaS" ], "lifecycle_stage": "acquisition", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5" ], "cmmc_practices": [], "mappings": { "dod_rai_strategy": "Governable principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD: data rights and portability provisions", "dodi_5000_89": "N/A", "cmmc_2_0": "N/A", "nist_800_171": "N/A", "nist_ai_rmf": "GOVERN 1.6", "cc_srg": "N/A", "owasp_llm": "N/A" }, "threshold": { "metric": "portability_plan_approved", "description": "Binary: a portability plan or portability exercise result is documented and approved in the program record.", "evidence": { "ocsf_class": "Governance document artifact. Portability plan is a program management record.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "TIER_PORTABILITY_PLAN_APPROVED", "param_type": "tier-configurable", "window": "per-contract", "breach_action": "notify-contracting-officer; add-portability-clause-at-next-modification" } }, { "id": "SRF-L5-OPS-006", "layer": "L5", "component": "Model", "title": "Re-Validation Trigger on Model Version Change", "description": "Any change to the deployed model version must trigger a re-validation cycle proportional to the scope of the change. The re-validation plan must be documented before the new version is deployed to operational environments. Major version changes require full TEVV; minor updates require at minimum a regression test against the prior TEVV acceptance criteria.", "accountable_persona": "model-provider", "dod_rai_principles": [ "Reliable", "Traceable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Program-Embedded" ], "lifecycle_stage": "ops", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [], "mappings": { "dod_rai_strategy": "Reliable principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "TBD: re-validation requirements", "cmmc_2_0": "N/A", "nist_800_171": "N/A", "nist_ai_rmf": "MANAGE 3.1", "cc_srg": "N/A", "owasp_llm": "N/A" }, "threshold": { "metric": "revalidation_completed_before_deployment", "description": "Binary: a re-validation record exists for every model version change, proportional to change scope, completed before production deployment.", "evidence": { "ocsf_class": "Governance document artifact. Re-validation records and version change events map to audit_activity (3002).", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "true", "param_type": "verification", "window": "per-model-version", "breach_action": "block-deployment; notify-PM; complete-revalidation" } }, { "id": "SRF-L5-ACQ-007", "layer": "L5", "component": "Model", "title": "Personnel Security Clearance for IL6 Model Infrastructure Access", "description": "Personnel with administrative or maintenance access to AI model infrastructure in IL6 classified environments must hold the required personnel security clearance. The component must verify clearance levels before granting access and review access rosters quarterly. Access must be terminated immediately upon clearance lapse.", "accountable_persona": "model-provider", "dod_rai_principles": [ "Responsible", "Governable" ], "operating_models": [ "Program-Embedded" ], "lifecycle_stage": "acquisition", "responsibility_split": "dod-component", "nss_applicability": "nss", "il_applicability": [ "IL6" ], "cmmc_practices": [ "3.9.1", "3.9.2" ], "mappings": { "dod_rai_strategy": "Responsible principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "TBD", "nist_800_171": "3.9.1", "nist_ai_rmf": "GOVERN 1.6", "cc_srg": "TBD: IL6 personnel clearance requirements", "owasp_llm": "N/A" }, "threshold": { "metric": "uncleared_il6_access_events", "description": "Number of IL6 model infrastructure access events by personnel without a verified active clearance. Zero-tolerance.", "evidence": { "ocsf_class": "access_activity (3001). Access events must log user identity, clearance verification status, and access granted or denied.", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "TIER_UNCLEARED_IL6_ACCESS", "param_type": "zero-tolerance", "window": "continuous", "breach_action": "revoke-access; notify-security-officer; open-security-incident; report-to-AO" } }, { "id": "SRF-L5-ACQ-008", "layer": "L5", "component": "Model", "title": "Supply Chain Risk Assessment for AI Components and Foundation Model Providers", "description": "Before selecting a foundation model or AI component provider, the component must assess supply chain risk covering country of origin of training data and model weights, ownership structure, export control status, and any foreign government relationships. Assessments must be updated when ownership or control of the provider changes.", "accountable_persona": "model-provider", "dod_rai_principles": [ "Responsible", "Reliable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Program-Embedded" ], "lifecycle_stage": "acquisition", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [ "3.11.1" ], "mappings": { "dod_rai_strategy": "Responsible principle; Implementation Pathway Section TBD", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "TBD", "nist_800_171": "3.11.1", "nist_ai_rmf": "MAP 5.1", "cc_srg": "N/A", "owasp_llm": "LLM03" }, "threshold": { "metric": "model_scrm_assessment_complete", "description": "Binary: a supply chain risk assessment for each model provider has been completed before contract award and updated within the prior annual cycle.", "evidence": { "ocsf_class": "Governance document artifact. Assessment completion maps to audit_activity (3002).", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "true", "param_type": "verification", "window": "annual", "breach_action": "block-contract-award; notify-PM; complete-assessment" } }, { "id": "SRF-L1-OVR-011", "layer": "L1", "component": "Governance and Processes", "title": "Human Oversight Escalation Chain Documented and Rehearsed", "description": "The DoD component must document and rehearse a human oversight escalation chain for every AI system used in decisions affecting personnel, operations, or lethal force. The chain must name the operator, supervising officer, program manager, and the CDAO reporting path. For NSS systems, the chain must include the Authorizing Official. The chain must be tested at least annually through a tabletop exercise or equivalent.", "accountable_persona": "ai-system-governance", "dod_rai_principles": [ "Responsible", "Governable", "Traceable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "human-oversight-remedy", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [], "mappings": { "dod_rai_strategy": "Responsible principle; Governable principle", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "N/A", "nist_800_171": "N/A", "nist_ai_rmf": "GOVERN 5.1", "cc_srg": "N/A", "owasp_llm": "N/A" }, "threshold": { "metric": "oversight_escalation_chain_rehearsed", "description": "Binary: a documented escalation chain exists for every AI system in the registry that falls within scope, and a tabletop exercise or equivalent rehearsal is recorded in the prior annual period.", "evidence": { "ocsf_class": "Governance document artifact", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "true", "param_type": "verification", "window": "annual", "breach_action": "Escalate to CDAO liaison and program manager. Conduct tabletop within 30 days. Update ATO package." } }, { "id": "SRF-L2-TEVV-009", "layer": "L2", "component": "Data and Input", "title": "Training and RAG Data Integrity Verification Before Deployment", "description": "Before a model or RAG pipeline is promoted to any operational environment, the data provider must verify that all training and retrieval data sources have passed quality and provenance checks: authority-to-use documented, CUI markings validated at the required IL, and a data lineage record retained. For IL5 and IL6 systems, a formal data integrity sign-off by the Chief Data Officer or delegated data authority is required before the TEVV plan closes.", "accountable_persona": "data-provider", "dod_rai_principles": [ "Responsible", "Traceable", "Reliable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "tevv", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [ "3.11.1", "3.11.3" ], "mappings": { "dod_rai_strategy": "Traceable principle; Reliable principle", "dodi_5000_90": "TBD", "dodi_5000_89": "TBD", "cmmc_2_0": "TBD", "nist_800_171": "3.11.1", "nist_ai_rmf": "MAP 2.2", "cc_srg": "TBD", "owasp_llm": "LLM03" }, "threshold": { "metric": "data_integrity_signoff_before_deployment", "description": "Binary: a data integrity verification record exists for every data source in scope, signed by the data authority, before the TEVV plan is closed and the system is promoted to IOC.", "evidence": { "ocsf_class": "Governance document artifact", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "true", "param_type": "verification", "window": "per-system", "breach_action": "Block promotion to IOC. Data authority must complete sign-off. Log gap in TEVV report." } }, { "id": "SRF-L2-OVR-010", "layer": "L2", "component": "Data and Input", "title": "AI Decision Log Human Review Cadence for High-Stakes Operations", "description": "For AI systems making or informing high-stakes decisions (personnel actions, logistics prioritization, target data triage), the data provider and system owner must conduct periodic human reviews of AI decision logs to detect anomalous patterns, data drift, or systematic bias. Review frequency scales with impact level: IL4 quarterly, IL5 monthly, IL6 continuous with a formal review no less than weekly. Findings must be reported to the CDAO liaison.", "accountable_persona": "data-provider", "dod_rai_principles": [ "Responsible", "Equitable", "Traceable" ], "operating_models": [ "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "human-oversight-remedy", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [ "3.3.1", "3.3.2" ], "mappings": { "dod_rai_strategy": "Equitable principle; Traceable principle", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "TBD", "nist_800_171": "3.3.1", "nist_ai_rmf": "MEASURE 2.5", "cc_srg": "TBD", "owasp_llm": "N/A" }, "threshold": { "metric": "decision_log_review_cadence_met", "description": "Percentage of required review periods in the window during which a completed human review of AI decision logs is on record. IL4: quarterly (4 reviews/year), IL5: monthly (12/year), IL6: weekly (52/year).", "evidence": { "ocsf_class": "2004", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": ">=", "param": "TIER_DECISION_LOG_REVIEW_COVERAGE_PCT", "param_type": "tier-configurable", "window": "annual", "breach_action": "Notify CDAO liaison and program manager. Complete overdue reviews. Assess whether anomalous patterns were missed during the gap period." } }, { "id": "SRF-L3-TEVV-010", "layer": "L3", "component": "Application and Use Case", "title": "Red Team and Adversarial Robustness Test Before Deployment", "description": "For AI systems at IL5 NSS or IL6, a structured red team exercise testing adversarial inputs, prompt injection, and model manipulation must be completed before initial operational capability and before any major capability change. For IL4 and IL5 Non-NSS systems, a documented adversarial robustness assessment is required; a full red team exercise is recommended. Results must be retained in the TEVV package and reviewed by the program manager and ISSO.", "accountable_persona": "application-developer", "dod_rai_principles": [ "Reliable", "Traceable", "Responsible" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "tevv", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [ "3.11.2", "3.14.1" ], "mappings": { "dod_rai_strategy": "Reliable principle; Traceable principle", "dodi_5000_90": "TBD", "dodi_5000_89": "TBD", "cmmc_2_0": "TBD", "nist_800_171": "3.11.2", "nist_ai_rmf": "MEASURE 2.6", "cc_srg": "TBD", "owasp_llm": "LLM01" }, "threshold": { "metric": "adversarial_robustness_assessment_complete", "description": "Binary: an adversarial robustness assessment (or red team report for IL5 NSS / IL6) is on file in the TEVV package before the system reaches IOC and before each major capability change. No critical-severity findings may remain open at IOC.", "evidence": { "ocsf_class": "2003", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "true", "param_type": "verification", "window": "per-system", "breach_action": "Block IOC. Program manager and ISSO must remediate critical findings and re-run assessment. Document in TEVV report." } }, { "id": "SRF-L3-TEVV-011", "layer": "L3", "component": "Application and Use Case", "title": "Bias and Equitable Treatment Assessment Before Deployment", "description": "Before initial operational capability, the application developer must complete a bias and equitable treatment assessment for every AI system that affects personnel decisions, benefits, or civil liberties. The assessment must test for disparate impact across protected characteristics to the extent data availability allows, document residual bias risk, and be reviewed by the RAI Officer. For systems where population-level demographic data is unavailable, a proxy-metric approach must be documented with rationale.", "accountable_persona": "application-developer", "dod_rai_principles": [ "Equitable", "Responsible", "Traceable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "tevv", "responsibility_split": "dod-component", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [], "mappings": { "dod_rai_strategy": "Equitable principle", "dodi_5000_90": "TBD", "dodi_5000_89": "TBD", "cmmc_2_0": "N/A", "nist_800_171": "N/A", "nist_ai_rmf": "MEASURE 2.2", "cc_srg": "N/A", "owasp_llm": "N/A" }, "threshold": { "metric": "bias_assessment_complete_before_ioc", "description": "Binary: a bias and equitable treatment assessment is on file in the program record, reviewed by the RAI Officer, and completed before the system reaches IOC. Residual bias risks must be documented with mitigations or acceptance rationale.", "evidence": { "ocsf_class": "Governance document artifact", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "true", "param_type": "verification", "window": "per-system", "breach_action": "Block IOC until assessment is complete and reviewed by RAI Officer. Document gap in TEVV report." } }, { "id": "SRF-L4-TEVV-011", "layer": "L4", "component": "AI Platform (Runtime and Infrastructure)", "title": "Platform Security Configuration Validated Against CC SRG Baseline Before ATO", "description": "Before an authority to operate is granted, the platform engineering team and ISSO must verify that the cloud platform configuration conforms to the applicable CC SRG baseline for the target impact level. This includes STIG compliance for OS and middleware, network segmentation validation, and audit logging configuration. For IL6 systems, validation must be performed on the classified network by cleared personnel and documented in the classified ATO package. Findings at CAT I must be remediated before ATO is granted.", "accountable_persona": "ai-platform-provider", "dod_rai_principles": [ "Reliable", "Traceable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "tevv", "responsibility_split": "shared", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [ "3.4.1", "3.4.2", "3.12.1" ], "mappings": { "dod_rai_strategy": "Reliable principle", "dodi_5000_90": "TBD", "dodi_5000_89": "N/A", "cmmc_2_0": "TBD", "nist_800_171": "3.4.1", "nist_ai_rmf": "MANAGE 2.2", "cc_srg": "TBD", "owasp_llm": "N/A" }, "threshold": { "metric": "cc_srg_baseline_validation_complete", "description": "Binary: a completed CC SRG baseline validation report is on file in the ATO package, no CAT I findings remain open, and the ISSO has signed off before the ATO is granted.", "evidence": { "ocsf_class": "2004", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "true", "param_type": "verification", "window": "per-ATO-cycle", "breach_action": "Block ATO. Remediate CAT I findings. ISSO re-validates and updates ATO package." } }, { "id": "SRF-L4-OVR-012", "layer": "L4", "component": "AI Platform (Runtime and Infrastructure)", "title": "Platform-Level Emergency Stop Capability Tested", "description": "Every AI platform hosting systems that directly inform or execute operational decisions must implement a platform-level emergency stop capability: a mechanism that allows an authorized operator to halt all AI-driven decision outputs within a defined response time. The mechanism must be tested annually and after any major platform change. Test results must be retained in the program record. For IL6 and Program-Embedded operating models, the response time requirement is more stringent and must be documented in the program's operational requirements.", "accountable_persona": "ai-platform-provider", "dod_rai_principles": [ "Governable", "Responsible" ], "operating_models": [ "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "human-oversight-remedy", "responsibility_split": "shared", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [ "3.1.1" ], "mappings": { "dod_rai_strategy": "Governable principle; Responsible principle", "dodi_5000_90": "TBD", "dodi_5000_89": "TBD", "cmmc_2_0": "N/A", "nist_800_171": "3.1.1", "nist_ai_rmf": "GOVERN 5.2", "cc_srg": "TBD", "owasp_llm": "N/A" }, "threshold": { "metric": "emergency_stop_test_current", "description": "Binary: a documented emergency stop test result is on file, conducted within the prior annual period (or after most recent major platform change, whichever is more recent), confirming the stop mechanism operates within the required response time.", "evidence": { "ocsf_class": "Governance document artifact", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "true", "param_type": "verification", "window": "annual", "breach_action": "Notify program manager and CDAO liaison. Conduct emergency stop test within 30 days. Document result in program record." } }, { "id": "SRF-L5-TEVV-009", "layer": "L5", "component": "Model", "title": "Model Behavioral Baseline Documented Before Initial Deployment", "description": "Before a model is promoted to any operational environment, the model provider or program team must document a behavioral baseline: key performance metrics on representative test sets, accuracy and reliability measurements at the target operating conditions, and known limitations and failure modes. The baseline must be retained in the TEVV package and the BoAIM. Subsequent model versions must be compared against this baseline to detect significant behavioral drift before re-deployment.", "accountable_persona": "model-provider", "dod_rai_principles": [ "Reliable", "Traceable" ], "operating_models": [ "AI-SaaS", "AI-PaaS", "Agent-Ops", "Program-Embedded" ], "lifecycle_stage": "tevv", "responsibility_split": "shared", "nss_applicability": "both", "il_applicability": [ "IL4", "IL5", "IL6" ], "cmmc_practices": [], "mappings": { "dod_rai_strategy": "Reliable principle; Traceable principle", "dodi_5000_90": "TBD", "dodi_5000_89": "TBD", "cmmc_2_0": "N/A", "nist_800_171": "N/A", "nist_ai_rmf": "MEASURE 1.1", "cc_srg": "N/A", "owasp_llm": "N/A" }, "threshold": { "metric": "model_behavioral_baseline_documented", "description": "Binary: a model behavioral baseline document is on file in the TEVV package and referenced in the BoAIM before the model is promoted to any operational environment. Known limitations and failure modes are explicitly listed.", "evidence": { "ocsf_class": "Governance document artifact", "attribute": "TBD", "ocsf_version": "1.8.0" }, "operator": "==", "param": "true", "param_type": "verification", "window": "per-model-version", "breach_action": "Block promotion to operational environment. Model provider or program team must complete baseline documentation and update BoAIM." } } ] }