Case Study: AI/ML-Enhanced RMF Automation
TerraCoders proposed a modular, AI/ML-powered platform to streamline and automate the Risk Management Framework (RMF) process for the Department of the Air Force. This effort was submitted under SBIR topic AF254-D0802 and targeted reducing the manual burden of Authority to Operate (ATO) workflows while improving control fidelity, audit readiness, and explainability.
Challenge
RMF remains a time-consuming and resource-intensive effort across IL4–IL7 systems. Redundant documentation, fragmented evidence collection, and inconsistent interpretations delay delivery and risk noncompliance.
Our Approach
- Developed AI/ML microservices to parse STIG (Security Technical Implementation Guide) checklists, ACAS (Assured Compliance Assessment Solution) scan output, and RMF artifacts such as System Security Plans (SSPs) and Plans of Action and Milestones (POA&Ms)
- Integrated an explainability engine that attaches a confidence score and source traceability to each recommendation
- Designed role-based UI dashboards for Information System Security Managers (ISSMs), Security Control Assessors (SCAs), and Authorizing Officials (AOs)
- Supported structured export formats (OSCAL, JSON, YAML) for eMASS ingestion
- Built continuous monitoring simulation for testbed validation
Prototype Capabilities
- Containerized AI/ML agents with modular pipelines
- Automated control mapping with evidence linkage
- RBAC UI with explainable recommendations and dashboards
- Simulated ATO workflows and report generation
Outcomes & Next Steps
The proposed system is designed to reach Technology Readiness Level (TRL) 6 with deployment to Impact Level 4 (IL4) and higher environments, compatible with Platform One and Iron Bank requirements. Future work includes integrating the parser and AI agents into the TerraSail platform for broader adoption across DoD and FedRAMP-aligned projects.
