Tags: AI compliance, regulatory, defense, ITAR, CMMC, DoD

DoD CIO Memo on AI Use and the Implications for Contractors

By Basel Ismail, May 11, 2026

The DoD CIO's office has been quietly building a framework for how artificial intelligence gets used across defense workflows, and the November 2023 memo on Responsible AI (RAI) implementation timelines added real teeth to what had previously been aspirational guidance. If you're a contractor providing AI-enabled tools or services to DoD, the obligations flowing from this guidance are more concrete than you might expect.

What the Memo Actually Says

The memo, issued under the authority of DoD CIO John Sherman, builds on DoD Directive 3000.09 (updated in January 2023) and the DoD RAI Strategy from 2022. It establishes specific implementation milestones for AI governance across the department, including requirements for AI use case inventories, risk assessments, and testing and evaluation protocols. The key move here is that it ties these requirements to acquisition and procurement processes, which means contractors are now directly in scope.

Specifically, the memo reinforces that all AI capabilities, whether developed internally or procured from commercial vendors, must comply with the department's six RAI principles: responsible, equitable, traceable, reliable, and governable. (Yes, that's five words for six principles; the sixth is that AI should be used only for its intended purpose, which DoD treats as a standalone requirement.)

The practical effect is that DoD components are now required to maintain inventories of AI use cases and report them through the Chief Digital and AI Office (CDAO). For contractors, this means your AI tools and models are going to show up on someone's inventory, and that someone is going to need documentation from you about how they work.

The Contractor Obligations

Here's where it gets interesting for defense contractors and their legal teams. The obligations break down into a few categories:

Traceability and Auditability

DoD's RAI principle of "traceable" is doing a lot of heavy lifting. Contractors providing AI systems need to be able to demonstrate how their models reach outputs. This doesn't necessarily mean full explainability in the academic sense; DoD has been pragmatic about acknowledging that deep learning models aren't always interpretable at the weight level. But it does mean maintaining audit trails, documenting training data provenance, and being able to reconstruct decision pathways when asked.

DFARS 252.204-7012, which governs controlled unclassified information (CUI) handling, already imposes cybersecurity requirements on contractor information systems. The AI guidance layers on top of this. If your AI system processes CUI during training or inference, you're dealing with both the NIST SP 800-171 requirements and the RAI traceability requirements simultaneously. That intersection creates real compliance complexity.

Testing and Evaluation

The memo reinforces the requirement from DoDI 5000.02 that AI capabilities go through appropriate test and evaluation (T&E) before deployment. For contractors, this means building T&E hooks into your products. DoD's Director of Operational Test and Evaluation (DOT&E) published a separate FY2023 report flagging that many AI systems entering the acquisition pipeline lack adequate T&E infrastructure. If you're selling an AI tool to DoD and you don't have a robust testing framework baked in, expect pushback during the procurement process.

Data Governance

The CDAO's data governance framework, which the memo references, requires that AI systems use data that meets specific quality, provenance, and access control standards. Contractors need to document where their training data came from, whether it includes any DoD data (and if so, under what authority), and how data quality is maintained over time. This is particularly relevant for companies using foundation models or large language models, where training data composition is a live issue.

Continuous Monitoring

One of the less discussed but operationally significant requirements is ongoing monitoring of deployed AI systems. The memo aligns with the NIST AI Risk Management Framework (AI RMF 1.0, published January 2023) in calling for continuous assessment of AI system performance, drift, and bias. For contractors, this means the obligation doesn't end at delivery. If your contract includes an AI component, you should expect requirements for ongoing reporting on model performance and any significant changes to system behavior.

The CMMC Angle

It's worth noting how this intersects with the Cybersecurity Maturity Model Certification (CMMC) program, which finalized its rule in October 2024. CMMC Level 2 requires compliance with all 110 controls in NIST SP 800-171, and many of those controls (access control, audit and accountability, system and information integrity) apply directly to AI systems that handle CUI. The AI governance requirements from the CIO memo don't replace CMMC; they add to it.

Contractors at CMMC Level 3, which requires compliance with the additional controls in NIST SP 800-172, face an even more demanding landscape. The enhanced security requirements in 800-172 around system resilience and penetration-resistant architecture have direct implications for how AI systems are designed and deployed in classified or high-sensitivity environments.

What This Means Practically

If you're general counsel or a CISO at a defense contractor, the action items are fairly clear:

  • Inventory your AI. If DoD components are required to inventory their AI use cases, they're going to ask you to help them do it. Know what AI capabilities you're providing, where they're deployed, and what data they touch.
  • Document your training data. Provenance documentation for training data is becoming a baseline expectation. If you can't explain where your data came from and how it was curated, that's a gap.
  • Build T&E into your development lifecycle. Retrofitting testing infrastructure is expensive and slow. If you're developing AI for DoD, T&E should be part of your architecture from day one.
  • Plan for continuous monitoring obligations. Your contract may require ongoing performance reporting. Build the telemetry and monitoring infrastructure to support that.
  • Map the overlap with CMMC. Understand which NIST 800-171 and 800-172 controls apply to your AI systems specifically, and ensure your System Security Plan (SSP) addresses AI components explicitly.

One thing worth watching: the DoD is expected to issue additional acquisition guidance in 2025 that could formalize some of these requirements into standard contract language. The current obligations flow from policy memos and directives, which gives contracting officers some discretion in how they implement them. Standardized contract clauses would remove that discretion and make compliance more binary.

How FirmAdapt Addresses This

FirmAdapt's architecture was designed around the assumption that AI systems operating in regulated environments need built-in compliance infrastructure, not compliance bolted on after the fact. For defense contractors navigating the intersection of RAI requirements, CMMC, and DFARS, FirmAdapt provides traceability and audit logging at the model interaction level, which directly supports the documentation requirements flowing from the DoD CIO memo.

FirmAdapt also maintains data governance controls that align with both the CDAO's data quality standards and NIST SP 800-171 access control requirements. If your organization needs to demonstrate to a DoD customer that your AI system meets RAI principles and cybersecurity requirements simultaneously, having a platform that treats those as integrated rather than separate concerns makes the compliance burden considerably more manageable.
