OUSD (R&E) CRITICAL TECHNOLOGY AREA(S): Trusted AI and Autonomy; Advanced Computing and Software; Sustainment & Logistics

The technology within this topic is restricted under the International Traffic in Arms Regulation (ITAR), 22 CFR Parts 120-130, which controls the export and import of defense-related material and services, including export of sensitive technical data, or the Export Administration Regulation (EAR), 15 CFR Parts 730-774, which controls dual-use items. Offerors must disclose any proposed use of foreign nationals (FNs), their country(ies) of origin, the type of visa or work permit possessed, and the statement of work (SOW) tasks intended for accomplishment by the FN(s) in accordance with the Announcement. Offerors are advised that foreign nationals proposed to perform on this topic may be restricted due to the technical data under US Export Control Laws.

OBJECTIVE: Research, evaluate, and ultimately develop a methodology for tailoring and streamlining the Risk Management Framework (RMF) process for industrial automation environments to accelerate technology adoption, improve mission readiness/supply, and greatly reduce the time required for certification across all RMF stakeholders.

DESCRIPTION: Organic Industrial Base (OIB) modernization and other engineering initiatives within the Department of Defense (DoD) and United States Air Force (USAF) have changed the way Air Force Sustainment Center (AFSC) Industrial Depot Maintenance (IDM) shop floors and similar environments operate, the types of systems present, and how they need to communicate today and into the future. The Operational Technology (OT) systems and use cases within the IDM are becoming increasingly sophisticated and automated, with a consequent need to establish secure connectivity between these systems to collect data and keep systems up to date. In many cases, data and connectivity even need to cross the boundary into traditional Information Technology (IT) networks.
The impact, mission importance, and cybersecurity maturity of these systems can also vary widely, making it a challenge to assess the relevant controls. This convergence of OT and IT systems and networks, the wide range of mission impact, and the gaps in understanding for connected OT systems require a new blueprint for assessing risk in these highly integrated environments in order to create a layered-defense risk management strategy. Authorities to Operate (ATOs) must define how these hybrid OT/IT systems may connect and communicate. Key drivers for ATO efficiency in OIB OT environments include the following: enhanced guidance on system categorization using innovative approaches such as model-based systems engineering and artificial intelligence; automating the selection of OT security controls and overlays; allowing Security Control Assessors (SCAs), Authorizing Officials (AOs), Authorizing Official Designated Representatives (AODRs), and other security stakeholders to easily align their standards and baselines for this new realm of OT-to-IT connectivity; and building fully traceable, auditable models in which security risk assessors can see a holistic view of system components within and across boundaries.

The ATO process for the DoD is often the most costly and time-consuming aspect of delivering a new system to the mission. While these systems are changing rapidly, there has also been investment by the DoD and the National Institute of Standards and Technology (NIST) to address OT-specific security concerns. By tailoring and automating currently manual processes such as Enterprise Mission Assurance Support Services (eMASS) artifact generation and auditability, AFSC and other DoD entities will accelerate zero trust OT adoption, improve mission readiness/supply, and greatly reduce the time required for certification across all stakeholders.
PHASE I: For this D2P2 topic, evaluators expect a significant level of automation of RMF Steps 1 and 2, with an ability to support the use of generative AI for Step 3 (e.g., the ability to feed directly into Ask Sage's ATO-in-a-Box). Specifically, the candidate proposal should (1) make use of a widely used model-based systems engineering (MBSE) tool to fully create the enclave to be authorized, including information flows and PPS; (2) automatically populate an ITCSC template using information from that model; (3) automatically recommend a baseline controls selection; (4) automatically create a HW/SW list, PPSM, and recommended STIGs list; and (5) automatically update (2) through (5) with any changes to (1).

PHASE II: In addition to the requirements listed in the Phase I description, the candidate solution must also (1) create an API interface that connects the candidate solution to a DoD-authorized generative ATO solution (e.g., NIPRGPT, Ask Sage); (2) have a GUI with which the ISSM/ISSO will interact to answer RMF Step 3 questions not covered by the aforementioned SBIR Phase I requirements; (3) produce the full complement of eMASS test results, control family artifacts, and evidence recommendations to support an RMF Step 4 assessment; (4) guide assessors through RMF Step 4 by documenting whether controls are fully, partially, or not met; (5) guide authorizers through the development of a succinct but sufficiently comprehensive executive summary; and (6) support the change management and continuous monitoring process through GUI interaction with the ISSO/ISSM. Finally, the candidate proposal must *not* require a direct connection to the enclave to be assessed, due to security considerations for some OT systems.

PHASE III DUAL USE APPLICATIONS: Refine the prototype application for greater applicability, integration, and efficiency. Achieve a production-ready state for delivery at scale to the Air Force, other related federal agencies, and private industry.
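The Phase I pipeline above, as an added illustration that is not part of this topic description and not the schema of any MBSE, ITCSC or eMASS tool: a toy enclave model from which the HW/SW list, PPSM rows and a recommended baseline are derived as pure functions of the model, so that editing the model regenerates every artifact (items 1, 3, 4 and 5 in simplified form). The dataclass fields, the per-component C/I/A impact levels and the high-water-mark baseline rule are this example's assumptions.

```python
from dataclasses import dataclass, field

# Assumed impact ordering used for the high-water-mark rule (this example's convention).
IMPACT = {"low": 1, "moderate": 2, "high": 3}

@dataclass
class Component:
    name: str
    hardware: str
    software: str
    cia: dict  # assumed per-component impact levels, e.g. {"C": "low", "I": "moderate", "A": "high"}

@dataclass
class Flow:
    src: str
    dst: str
    protocol: str
    port: int
    crosses_boundary: bool = False  # an OT-to-IT crossing, as described in the topic

@dataclass
class Enclave:
    components: list = field(default_factory=list)
    flows: list = field(default_factory=list)

def hw_sw_list(enc):
    """HW/SW list derived from the model (Phase I item 4)."""
    return sorted({(c.hardware, c.software) for c in enc.components})

def ppsm(enc):
    """PPSM rows derived from the information flows; boundary-crossing flows are listed first."""
    rows = [(f.protocol, f.port, f.src, f.dst, f.crosses_boundary) for f in enc.flows]
    return sorted(rows, key=lambda r: (not r[4], r[0], r[1]))

def categorize(enc):
    """Per-axis high-water mark of the component C/I/A levels (assumed categorization rule)."""
    return {ax: max((c.cia[ax] for c in enc.components), key=IMPACT.__getitem__) for ax in "CIA"}

def baseline(enc):
    """Recommended baseline = highest axis of the categorization (assumed rule, item 3)."""
    return max(categorize(enc).values(), key=IMPACT.__getitem__)

def regenerate(enc):
    """Item 5: every artifact is recomputed from the model, so a model edit propagates to all of them."""
    return {"categorization": categorize(enc), "baseline": baseline(enc),
            "hw_sw": hw_sw_list(enc), "ppsm": ppsm(enc)}

# Constructed sample enclave: one PLC, one historian, and one flow that crosses into IT.
ENCLAVE = Enclave(
    components=[Component("plc1", "PLC", "firmware 2.x", {"C": "low", "I": "moderate", "A": "high"}),
                Component("hist", "server", "historian", {"C": "moderate", "I": "moderate", "A": "moderate"})],
    flows=[Flow("plc1", "hist", "modbus", 502), Flow("hist", "it-erp", "https", 443, True)])
```

Lowering the PLC's availability impact in the model and calling `regenerate` again yields a moderate baseline, which is the change-propagation behaviour item (5) asks for.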
REFERENCES:
1. Stouffer, et al. NIST Special Publication 800-82r3, Guide to Operational Technology (OT) Security, September 2023, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf
2. Sherman. DoD Instruction 8510.01, Risk Management Framework for DoD Systems, July 2022, https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/851001p.pdf
3. Hawkins, et al. Art of the Possible Handbook, AFSCH60-101, August 2023, https://static.e-publishing.af.mil/production/1/af_sustainment_ctr/publication/afsch60-101/afsch60-101.pdf

KEYWORDS: Risk Management Framework (RMF), Authority to Operate (ATO), Operational Technology (OT), Continuous Cyber-Readiness, Zero Trust