DoD Artificial Intelligence Cybersecurity Risk Management Tailoring Guide: Department of Defense, July 14, 2025
From the document: "Over the last few years, the DoD has prioritized digital modernization and adoption of artificial intelligence (AI) through various high-profile efforts. Throughout this period there has been a need to manage cybersecurity risk in AI systems. Consistent with Deputy Secretary of Defense direction via policy memorandums, DoD Instruction (DoDI) 8510.01 policy requirements, and integration of cybersecurity activities in the Adaptive Acquisition Pathways, this cybersecurity risk management tailoring guidance identifies the cybersecurity risk management activities, tools, teams, and processes that cybersecurity professionals need to integrate in the AI lifecycle. The content in this document is tailoring guidance and best practices. Policy requirements are cited where appropriate. DoD Components may implement cybersecurity risk management requirements in a manner they choose consistent with DoDI 8500.01, DoDI 8510.01, and Executive Order 13800.
As in the normal system development lifecycle, cybersecurity professionals need to be integrated as early as possible, so each lifecycle phase appropriately considers cybersecurity risks and mitigations. This in turn will allow for the best system posture, including informed test and evaluation (T&E), and support for an affirmative system cybersecurity assessment and authorization determination. Failure to appropriately integrate the following use case information and cybersecurity practices will jeopardize an AI system’s mitigation against cybersecurity risks and could impact operational use of AI systems.
Because AI system missions will vary, mission and system owners need to establish security objectives as early as possible. Cybersecurity professionals and even wider AI teams should reference Section 3, Security Requirements for AI Systems, and Appendix B, System Security Requirements Mapping Tables, as they progress through the AI lifecycle to ensure appropriate cybersecurity considerations are being applied to the AI system. While Section 3 describes the system risk management processes throughout the AI system lifecycle, Appendix B contains tables and lists outlining security priorities for cybersecurity professionals and data scientists or data engineers to consider when creating an AI system (i.e., infrastructure layer and AI model). Users should use this tailoring guide to accompany the Chief Digital and AI Officer Responsible AI Toolkit and the DoD Strategy and Implementation Plan for Information and Communications Technology and Services Supply Chain Risk Management (ICT-SCRM) Assurance."
Authors - Chief Information Officer