FirmAdapt is an AI-powered business diagnostics platform that audits companies to expose operational inefficiencies and broken processes. We then deploy custom AI agents, robotic process automation, and engineered solutions to fix the problems we find. Our diagnostic tools include company audits, website audits, competitive intelligence, and faith-based compliance screening.

Does FirmAdapt have a free API?

Yes, FirmAdapt offers free open API endpoints that require no authentication. AI agents and developers can make up to 10 requests per week without signing up. The API supports company profile lookups, faith-based compliance screening, and stock searches across 12 global markets.

What is faith-based stock screening?

Faith-based stock screening analyzes a company's financial ratios and business activities to determine compliance with religious investment guidelines. FirmAdapt supports 9 frameworks including Shariah (AAOIFI, S&P), Christian (BRI), Catholic (USCCB), Jewish (Halakhic), LDS/Mormon, ESG Religious, and Evangelical standards.

Can AI agents use FirmAdapt?

Yes, FirmAdapt is designed for native AI agent integration. It provides an MCP (Model Context Protocol) server for Claude Desktop, Cursor, and other AI tools. AI agents can access company profiles, run faith-based compliance screens, and search stocks across 12 global markets using free open endpoints with no API key required.

What markets does FirmAdapt support?

FirmAdapt supports 12 global markets: US (NYSE/NASDAQ), UK (London Stock Exchange), Germany (XETRA), France (Euronext Paris), Japan (Tokyo Stock Exchange), India (NSE/BSE), Saudi Arabia (Tadawul), UAE (Dubai/Abu Dhabi), Malaysia (Bursa), Indonesia (IDX), Canada (TSX), and Australia (ASX).

Back to Blog

AI complianceregulatorydefenseITARCMMC

The Defense Industrial Base CISO's AI Tool Inventory Template

By Basel IsmailMay 13, 2026

The Defense Industrial Base CISO's AI Tool Inventory Template

If you are a CISO in the defense industrial base, you probably already know that your AI tool sprawl is worse than you think. Shadow IT was a headache before generative AI. Now it is a compliance crisis. Every engineer who spins up a ChatGPT session to summarize a requirements document, every program manager who feeds schedule data into an AI assistant, every contracts team member who uses an AI redlining tool; each of these creates a potential CMMC and ITAR exposure that you need to track.

The problem is that most organizations do not have a structured way to catalog these tools against the specific regulatory requirements that matter in a DIB context. So here is a practical template framework, built around the intersection of CMMC Level 2/Level 3 requirements and ITAR (22 CFR Parts 120 through 130), that you can adapt to your environment.

Why a Generic Software Inventory Will Not Cut It

Your existing asset management process, probably aligned to NIST SP 800-171 Rev 2 control 3.4.1 (system inventory), was designed for traditional software. AI tools introduce categories of risk that a standard CMMC asset inventory does not capture. Where does the model process data? Is it fine-tuned on your inputs? Does the vendor retain prompts or outputs? Can the tool's behavior change without a software update you would normally catch in your change management process?

Under ITAR, the stakes are particularly sharp. Technical data as defined in 22 CFR 120.33 and defense services under 22 CFR 120.32 cannot be disclosed to foreign persons without authorization. If an AI tool routes data through servers outside the United States, or if the vendor's workforce includes foreign nationals without proper licensing, you may have an unauthorized export on your hands. The Directorate of Defense Trade Controls does not care that the disclosure was accidental or that "the tool just does that." Penalties under the Arms Export Control Act (22 USC 2778) can reach $1,213,564 per violation as of the 2024 adjustment, plus potential criminal liability.

The Template: Seven Fields That Actually Matter

Beyond the standard fields you would include in any software inventory (tool name, vendor, version, license type, business owner), here are the fields specific to AI tools in a DIB/ITAR environment.

1. Data Classification Exposure

For each tool, document the highest classification level of data it could plausibly encounter. Not just what it is "supposed to" handle, but what users could feed into it. Map this to your CUI categories (per the CUI Registry and NIST SP 800-171) and flag any tool that could touch ITAR-controlled technical data. Be specific: "Tool has access to shared drives containing DFARS 252.204-7012 covered contractor information systems" is more useful than "handles CUI."

2. Data Residency and Routing

Where does the AI process inputs? Where are outputs stored? Does the vendor use subprocessors, and if so, where are they located? For ITAR purposes, you need to confirm that no technical data transits or resides on infrastructure outside the United States, or that you have the appropriate TAA or export license if it does. Get this in writing from the vendor. Their marketing page saying "enterprise grade security" means nothing.

3. Model Training and Data Retention

Does the vendor use your inputs to train or fine-tune models? This is a critical ITAR question. If your engineers' prompts containing technical data about a defense article become part of a model that is then accessible to foreign persons, you have a potential deemed export under 22 CFR 120.17. Document the vendor's contractual commitments on data retention and model training, not just their FAQ page.

4. Foreign Person Access

Can foreign nationals employed by the vendor access your data, prompts, or outputs? Under ITAR, this includes foreign nationals working in the United States without proper export authorization. Your vendor questionnaire should explicitly ask about the citizenship and access controls of personnel who can view customer data, including for support and debugging purposes.

5. CMMC Practice Mapping

Map each tool to the specific CMMC Level 2 practices it affects. At minimum, you are looking at AC.L2-3.1.1 (authorized access control), SC.L2-3.13.1 (boundary protection), and MP.L2-3.8.1 (media protection). But AI tools often implicate practices that are less obvious: AU.L2-3.3.1 (audit events) if the tool does not produce adequate logs, or SI.L2-3.14.1 (flaw remediation) if the vendor's model updates do not go through your change management process. For organizations pursuing CMMC Level 3 (based on NIST SP 800-172), the enhanced security requirements around supply chain risk in 3.16.2e and 3.16.3e are directly relevant.

6. Integration Scope

Document how the tool connects to your environment. API integrations, browser extensions, SSO connections, file system access. An AI tool that reads from your SharePoint instance containing CUI is fundamentally different from a standalone tool where users manually paste text. The integration scope determines your boundary assessment for CMMC and your exposure surface for ITAR.

7. Authorization and Review Cadence

Record who authorized the tool, when, under what conditions, and when the next review is scheduled. AI tools change faster than traditional software. A model update can alter behavior, data handling, or output characteristics without any change to the installed software version. Quarterly reviews are the minimum defensible cadence; monthly is better for tools touching ITAR data.

Putting It Together

In practice, this template works best as a living document tied to your system security plan. When a C3PAO assessor shows up for your CMMC Level 2 assessment, they are going to ask about your system boundary. AI tools that process CUI are inside that boundary whether you have formally documented them or not. The assessor will find them. It is much better to have a structured inventory that demonstrates you have thought through the ITAR and CMMC implications than to scramble through a discovery exercise during the assessment.

A few implementation notes from organizations that have done this well. First, pair the inventory with a user-facing acceptable use policy that specifically addresses AI tools. NIST SP 800-171 control 3.1.2 (transaction and function control) gives you the hook. Second, integrate the inventory with your supply chain risk management process under CMMC Level 2 practice SR.L2-3.17.1. Third, consider running a 30-day network analysis to identify AI tool traffic you do not know about. DNS logs and proxy data will surface tools that never went through procurement.

One more thing worth noting: the Department of Defense's own AI adoption strategy, updated in November 2023, explicitly acknowledges the tension between rapid AI adoption and security requirements. The DIB is expected to navigate this tension, not avoid AI altogether. A good inventory is what lets you say "yes, responsibly" instead of "no, categorically."

How FirmAdapt Addresses This

FirmAdapt's architecture was built around the assumption that regulated organizations need AI capabilities without creating the compliance gaps described above. Data processed through FirmAdapt does not leave controlled environments, is not used for model training, and is subject to audit logging that maps directly to CMMC practice requirements. For ITAR-sensitive workflows, FirmAdapt provides the data residency and access control documentation that your inventory template demands, so you are not chasing vendor security questionnaires that arrive six weeks late with vague answers.

For DIB CISOs building out their AI tool inventories, FirmAdapt is designed to be the tool that makes the inventory exercise straightforward rather than adversarial. The compliance controls are built into the platform, which means your inventory entry for FirmAdapt can reference concrete, auditable commitments rather than marketing language. If you are preparing for a CMMC assessment and trying to rationalize your AI tool landscape, it is worth evaluating how a compliance-first platform simplifies that process.

Ready to uncover operational inefficiencies and learn how to fix them with AI?

Try FirmAdapt free with 10 analysis credits. No credit card required.

Get Started Free