Tags: AI compliance, regulatory, defense, ITAR, CMMC

Defense Primes and the Sub-tier Visibility Problem When AI Tools Are Everywhere

By Basel Ismail, May 14, 2026


A Tier 1 defense prime can spend two years getting its own CMMC Level 3 certification buttoned up, invest millions in enclave architectures and continuous monitoring, and still have its CUI exposure defined by a machine shop in Ohio that just gave its employees access to a generative AI tool nobody in the security office evaluated. This is the sub-tier visibility problem, and AI adoption across the defense industrial base is making it significantly worse.

The Structural Problem: CMMC Flows Down, Visibility Does Not

DFARS 252.204-7012 has required safeguarding of covered defense information and cyber incident reporting since 2017. CMMC 2.0, with its phased rollout beginning in Q1 2025 under the 32 CFR Part 170 final rule published in October 2024, layers a certification and assessment framework on top of those existing requirements. The flowdown obligation is clear: primes must include DFARS 7012 in subcontracts where CUI is involved, and subs must flow it further down.

In theory, this creates a chain of accountability. In practice, a Tier 1 prime contracting with 300+ suppliers across four or five tiers has limited mechanisms to verify what is actually happening at Tier 3 or Tier 4. Self-attestation at CMMC Level 1 is the norm for many of these lower-tier suppliers. The prime gets a score in SPRS, maybe a System Security Plan if they push for it, and a contractual commitment. That was already a thin basis for assurance before generative AI tools started proliferating.

Why AI Makes This Worse

The specific concern is straightforward. A sub-tier supplier handling CUI, even in limited scope (think technical drawings, specifications, test data), adopts an AI tool that processes, stores, or trains on that data. The tool might be a commercial LLM accessed through a browser. It might be an AI-powered CAD assistant. It might be an "AI-enhanced" ERP module the vendor rolled out in an update nobody flagged.

Each of these scenarios creates potential DFARS 7012 violations. CUI processed through a commercial AI service that lacks FedRAMP Moderate authorization (or equivalent, per the DFARS 7012 cloud requirements) is a compliance failure. CUI used as training data for a model hosted outside approved boundaries is a data spillage event. And the prime, contractually responsible for flowdown and increasingly under scrutiny from DCMA and the DoD CIO's office, has no reliable way to know it happened.

The DoD CIO's Responsible AI Strategy, updated in June 2022, and the more recent DoD Directive 3000.09 on autonomous systems both emphasize governance and traceability for AI in defense contexts. But these frameworks focus on AI the DoD itself deploys or acquires. The gap is AI that sub-tier suppliers adopt independently for their own operations while handling defense information.

Real Numbers, Real Exposure

The DIB comprises roughly 300,000 companies, per DoD estimates. A 2024 CyberAB analysis suggested that fewer than 15% of companies in the DIB had completed even a preliminary CMMC readiness assessment. Meanwhile, a Salesforce survey from late 2023 found that 28% of employees using generative AI at work said their employer had no formal policy governing its use. Overlay those two data points on the sub-tier supplier base and the exposure becomes concrete.

Consider a real scenario that multiple primes have described in industry working groups: a Tier 3 machine shop uses an AI-powered quoting tool that ingests technical data packages to generate cost estimates. The tool is SaaS-based, hosted on AWS commercial (not GovCloud), and the vendor's terms of service include a clause permitting use of customer data for model improvement. The machine shop never flagged this to their Tier 2 integrator, who never flagged it to the prime. The CUI in those technical data packages is now in an unauthorized environment, potentially being used for training, with no incident report filed.

What Primes Are Starting to Require

Several Tier 1 primes have begun implementing additional assurance mechanisms beyond the baseline DFARS/CMMC flowdown. These are emerging practices, not yet standardized, but they point toward where the industry is heading.

AI Tool Inventories as Part of SSP Reviews

Some primes are requiring sub-tier suppliers to maintain and disclose inventories of AI tools that interact with, process, or could be exposed to CUI. This goes beyond the standard software inventory in NIST SP 800-171 control 3.4.1. It specifically targets AI and ML tools, including browser-based services and embedded AI features in existing software. Lockheed Martin's supplier cybersecurity requirements, for instance, have been progressively tightened since 2020, and industry sources indicate AI-specific questionnaires are being piloted.

Contractual Prohibitions and Pre-Approval Requirements

A growing number of prime-sub agreements now include explicit clauses prohibiting the use of generative AI tools on CUI without prior written approval. This is a blunt instrument, but it creates a clear contractual basis for enforcement. Raytheon (now RTX) and Northrop Grumman have both been cited in industry forums as moving toward this approach for sensitive programs.

Third-Party Attestation for AI Governance

Some primes are exploring whether to require sub-tier suppliers to obtain third-party attestation of their AI governance practices, potentially aligned with NIST AI RMF (AI 100-1) or ISO/IEC 42001, the AI management system standard published in December 2023. This is early stage, and the cost burden on small suppliers is a real concern. But for programs involving ITAR-controlled or classified-adjacent data, primes are increasingly willing to impose it.

Continuous Monitoring and Data Flow Mapping

The most sophisticated approach involves requiring suppliers to implement data flow mapping that specifically accounts for AI tool interactions. Where does CUI go when it enters the supplier's environment? Does any automated process, AI or otherwise, transmit it outside the authorization boundary? This aligns with CMMC Level 2's focus on the NIST 800-171 control families 3.1 (Access Control) and 3.13 (System and Communications Protection), but applies them with AI-specific granularity.
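As an added example (not FirmAdapt's product code and not from the original post), the script below shows one way a supplier or a prime's reviewer could tie the two preceding sections together: the declared AI tool inventory from the SSP review is reconciled against observed egress from hosts inside the CUI authorization boundary, which is exactly the question the data flow mapping asks. The proxy log format, the host addresses, the service domains and the inventory entries are all constructed assumptions for illustration.

```python
"""Reconcile a declared AI tool inventory against observed proxy egress from
CUI-scope hosts.  Added example; every host, domain, log line and inventory
entry below is constructed, and the log format is an assumption."""
from dataclasses import dataclass
import re

# Declared AI tool inventory, keyed by the service's egress domain (constructed).
# approved_for_cui means the tool is authorized to process CUI, e.g. hosted
# within a FedRAMP Moderate (or equivalent) boundary.
DECLARED_AI_TOOLS = {
    "cad-assist.example": {"name": "CAD Assistant", "approved_for_cui": True},
    "quote-ai.example":   {"name": "AI Quoting Tool", "approved_for_cui": False},
}

# Generative AI service domains the security office knows about (constructed).
KNOWN_AI_DOMAINS = {"cad-assist.example", "quote-ai.example", "chat-llm.example"}

# Hosts inside the CUI authorization boundary, taken from the data flow map (constructed).
CUI_SCOPE_HOSTS = {"10.20.1.15", "10.20.1.16"}

# Assumed proxy log line shape: "<timestamp> <src_ip> <method> <host> <status> <bytes_out>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

# Constructed sample log lines covering each case the check distinguishes.
SAMPLE_PROXY_LOG = [
    "2026-05-01T09:12:03Z 10.20.1.15 POST api.chat-llm.example 200 48213",      # undeclared AI service
    "2026-05-01T09:14:10Z 10.20.1.16 POST upload.quote-ai.example 200 1203311", # declared, not approved
    "2026-05-01T09:15:44Z 10.20.1.15 GET cad-assist.example 200 512",           # declared and approved
    "2026-05-01T09:16:02Z 10.30.5.7 POST api.chat-llm.example 200 901",         # host outside CUI scope
    "2026-05-01T09:17:30Z 10.20.1.16 GET www.example 200 88",                   # not an AI service
    "malformed line that the parser must tolerate",
]


@dataclass
class Finding:
    src_ip: str
    domain: str
    reason: str
    bytes_out: int


def parse_line(line):
    """Parse one proxy log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, host, status, nbytes = m.groups()
    return {"ts": ts, "src": src, "method": method, "host": host,
            "status": int(status), "bytes_out": int(nbytes)}


def parent_domain(host):
    """Reduce a hostname such as api.chat-llm.example to its registrable domain."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def review_egress(lines, cui_hosts=CUI_SCOPE_HOSTS,
                  declared=DECLARED_AI_TOOLS, known=KNOWN_AI_DOMAINS):
    """Return findings for CUI-scope hosts reaching AI services that are either
    absent from the declared inventory or declared but not approved for CUI."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] not in cui_hosts:
            continue                      # unparseable or outside the boundary
        dom = parent_domain(rec["host"])
        if dom not in known:
            continue                      # ordinary traffic, not an AI service
        if dom not in declared:
            reason = "undeclared AI service"
        elif not declared[dom]["approved_for_cui"]:
            reason = "declared but not approved for CUI"
        else:
            continue                      # declared and approved: nothing to flag
        findings.append(Finding(rec["src"], dom, reason, rec["bytes_out"]))
    return findings


def summarize(findings):
    """Aggregate bytes sent per (source host, domain) so reviewers see volume, not just hits."""
    totals = {}
    for f in findings:
        totals[(f.src_ip, f.domain)] = totals.get((f.src_ip, f.domain), 0) + f.bytes_out
    return totals


if __name__ == "__main__":
    for f in review_egress(SAMPLE_PROXY_LOG):
        print(f"{f.src_ip} -> {f.domain}: {f.reason} ({f.bytes_out} bytes out)")
    print(summarize(review_egress(SAMPLE_PROXY_LOG)))
```

Two design choices matter for a reviewer. First, the inventory is keyed by egress domain rather than product name, so an "AI-enhanced" feature a vendor slipped into an existing product still surfaces when its traffic reaches a known AI domain that no inventory entry claims. Second, the check distinguishes "undeclared" from "declared but not approved": the first is an inventory failure the supplier must explain, the second is a policy decision the prime can act on directly.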

The Audit Problem

Even with these emerging requirements, enforcement is difficult. C3PAOs conducting CMMC assessments are evaluating the organization being assessed, not its supply chain. A Tier 3 supplier could pass a CMMC Level 2 assessment while using an unauthorized AI tool, if the assessor doesn't specifically probe for it and the supplier's SSP doesn't disclose it. The assessment methodology under 32 CFR Part 170 does not yet include AI-specific evaluation criteria, though the CyberAB has acknowledged this gap in public comments.

Primes are left in a position where contractual requirements and periodic audits are their primary tools, and neither scales well across hundreds or thousands of sub-tier relationships. The result is a reliance on trust and attestation at exactly the moment when the attack surface is expanding through AI adoption.

Where FirmAdapt Fits

FirmAdapt's architecture was designed around the assumption that regulated organizations need AI tools that operate within defined compliance boundaries by default, not through after-the-fact policy overlays. For defense suppliers at any tier, this means AI capabilities that process data within authorization boundaries consistent with DFARS 7012 and CMMC requirements, with auditable logs of what data was processed, where, and by which model components.

For primes trying to solve the sub-tier visibility problem, a supplier running FirmAdapt can provide concrete evidence of compliant AI usage: data flow records, model interaction logs, and boundary enforcement documentation that maps directly to NIST 800-171 controls. It does not eliminate the need for contractual governance or assessment, but it gives both the supplier and the prime something more substantive than a self-attestation checkbox to work with.
