DLA26BZ02-NV006 — AI-Assisted RMF Pre-Adjudication for Research, Development, and Rapid Prototyping Environments

Award Maximum: $100,000 Period of Performance: 12 months Phase Type: Phase I

OBJECTIVE: The Defense Logistics Agency (DLA) seeks to determine whether AI-enabled, human-attested analysis can improve Risk Management Framework (RMF) documentation quality and reduce rework cycles in research, development, and rapid prototyping contexts. R&D teams frequently submit incomplete or inconsistent RMF artifacts, leading to delays and inefficient use of limited cybersecurity assessor resources. The objective is to evaluate the feasibility of an AI-assisted, artifact-centric analysis capability that enables RMF pre-adjudication, allowing project teams to identify and correct deficiencies before formal cybersecurity review without automating authorization decisions or reducing governance rigor.

DESCRIPTION: DLA seeks SBIR project opportunities for an AI-assisted pre-adjudication tool that analyzes draft RMF artifacts to assess their readiness for formal cybersecurity review. Proposed solutions should operate on submitted artifacts (e.g., control implementation statements, system architecture documents) as primary inputs rather than relying on conversational user interfaces.

The proposed capability should be able to:

• Identify missing, inconsistent, or weak control implementation statements.

• Distinguish between the presence of a control narrative and the sufficiency and clarity of supporting evidence.

• Generate structured, confidence-scored analytical feedback to help R&D teams improve documentation quality.

• Incorporate an explicit human attestation mechanism to preserve accountability and prevent reliance on unreviewed AI outputs.

Proposed approaches should demonstrate familiarity with RMF assessment practices, including how assessors evaluate documentation sufficiency, inherited controls, and architectural maturity in early-stage systems. The goal is to reduce RMF package rejection and rework rates without altering existing RMF authority structures.

PHASE I: Not to exceed a duration of 12 months and cost of $100,000.

Phase I efforts will focus on a controlled, research-oriented demonstration of AI-assisted RMF pre-adjudication suitable for R&D environments, without requiring an Authority to Operate (ATO). Activities will include deploying a prototype in a government-approved R&D sandbox, ingesting draft or historical RMF artifacts, and performing automated analysis to identify gaps and inconsistencies. The prototype will generate structured, confidence-scored feedback and must implement an explicit human attestation mechanism where findings require human approval.

Expected Phase I deliverables include: a functional prototype; documentation of methods and limitations; a demonstration that analytical findings can be traced to source text; a quantitative and qualitative assessment of potential reductions in rework; and recommendations for Phase II.

PHASE II: Not to exceed a duration of 24 months and cost of $1,000,000.

Depending on Phase I results, Phase II efforts may expand validated capabilities to support broader adoption across R&D and innovative organizations. This may include scaling pre-adjudication support across multiple programs, integrating with enterprise RMF workflows while preserving cybersecurity authority, correlating documentation analysis with evolving system configurations, and supporting continuous documentation improvement in high-velocity development environments. Phase II will further evaluate how AI-assisted pre-adjudication contributes to faster innovation cycles without increasing cybersecurity risk.

PHASE III DUAL USE APPLICATIONS: This technology has significant dual-use and commercialization potential. AI-assisted, artifact-centric RMF pre-adjudication is applicable across DoW laboratories, innovation organizations, and acquisition programs. It also addresses governance challenges in civilian agencies and regulated commercial sectors that manage early-stage systems subject to formal security review. Phase III would focus on transitioning a production-level product for integration into enterprise RMF workflows, enabling government and commercial entities to improve documentation quality and accelerate innovation while preserving human authority and accountability.