NIST AI Risk Management Framework for Defence Suppliers

NIST AI Risk Management Framework — bundled with Level 2

The NIST AI Risk Management Framework (AI RMF 1.0) is the voluntary framework published by the U.S. National Institute of Standards and Technology to help organizations manage AI risks. While voluntary, it has become the de facto baseline for federal AI procurement and is referenced by the Colorado AI Act, the White House AI Executive Order, and allied defence AI governance programs.

Solymus bundles NIST AI RMF evidence capture with CPCSC Level 2 at no additional cost. The same KMS-signed event that satisfies an ITSP.10.171 control also satisfies an AI RMF function — Govern, Map, Measure, or Manage.

The four AI RMF functions

Govern

Policies, procedures, and accountability structures. Evidence: policy publication events, role assignments, training completion receipts, internal audit records.

Map

Context, risks, and impacts identified. Evidence: risk assessment records, impact analysis documents, stakeholder consultation logs, system context documentation.

Measure

Analyze and assess identified risks. Evidence: evaluation results, bias testing records, performance metrics over time, red-team findings, adversarial testing logs.

Manage

Allocate risk resources, prioritize, respond. Evidence: mitigation action records, incident response logs, change approval receipts, decommissioning records.

AI RMF + CPCSC cross-walk

Solymus uses patent-pending Cryptographic Cross-Walk Data Structures: a single evidence payload can satisfy controls across multiple frameworks simultaneously. Upload a bias testing record once, and Solymus maps it to NIST AI RMF Measure 2.11 and ITSP.10.171 SA-11 in the same receipt. One SHA-256 digest. One KMS signature. Multi-framework coverage.

Why NIST AI RMF matters for Canadian suppliers

U.S. federal contracts — AI RMF alignment is increasingly referenced in DoD, DHS, and GSA procurement
CMMC cross-border — suppliers pursuing CMMC 2.0 certification often need AI RMF evidence for AI-enabled systems
Colorado AI Act — the first U.S. state law regulating high-risk AI references AI RMF as a safe harbor
Allied interoperability — Five Eyes AI governance discussions reference AI RMF as common baseline
Insurance and M&A — cyber insurance underwriters and acquirers increasingly require AI RMF evidence

What Solymus captures

Model cards with cryptographic receipts. Training data provenance records. Evaluation metrics sealed by KMS. Human intervention events. Model version hashes chained into the Merkle ledger. Every signed event is independently verifiable via the public /public/verify/{event_id} endpoint — no platform access required.

Evidence retention

Level 1 retains evidence for 365 days during the 2026 promotional window (7 days standard). Level 2 retains for 365 days. Level 3 retains indefinitely. NIST AI RMF recommends retention for the full lifecycle of the AI system plus any applicable regulatory minimum — Level 2 and Level 3 meet or exceed this recommendation for most defence procurement contexts.

NIST AI RMF evidence — cross-walked to ITSP.10.171