COMPOSITEAPPS
Active AI-RMF · Army OT · Commander Risk Acceptance
Signed · Intact
What you’re looking at · Army OT RMF / eMASS flow

An OT finding, a mission-critical capability, and the commander’s signed risk acceptance — produced by the composite runtime, synced to eMASS.

Standard Army OT flow: a finding opens a POA&M in eMASS. Policy says decommission on CVSS > 7.0. Mission says keep it operational. The commander has to decide, on the record, whether to accept the risk. Below is the artifact a composite-arbitrated review produces — with the Advocate / Defender / Arbiter transcript embedded, the commander’s signature captured, the POA&M updated in eMASS, and the ATO posture preserved under a time-bounded acceptance.

CUI // CTI · FOR OFFICIAL USE ONLY · EXERCISE COMPOSITE THUNDER II
Risk Acceptance Determination · Active AI-RMF

Continue operation of Tactical Ground Station TGS-2 under commander risk acceptance.

§1 · System & finding
System
Tactical Ground Station 03-BDE-SIG-2 (TGS-2) · Firmware v3.4.1 · OT enclave
Finding
CVE-2026-1847 · OT-adjacent vulnerability in embedded RTOS · CVSS 7.4
POA&M ID
PAM-2026-0420-047 · eMASS package GP-03-ARMY-OT-0018
Vendor remediation
Patch v3.4.2 in test · ETA 30 days
Detected
2026-04-20 · 03:12Z · AOC automated scan
Originating authority
Signal Officer, 3BCT / 3ID
Current ATO posture
Auto-decommission trigger at 0600Z · 22 APR 2026 per standing order
§2 · Mission context
Operation
Exercise COMPOSITE THUNDER II · ongoing · 8 consecutive training days
Role
Primary C2 relay for BN-TOC-1 through BN-TOC-3
§3 · Policy posture
The Army OT standing order directs automatic decommission of systems with an active CVE at CVSS > 7.0 after a 72-hour monitoring window. The current posture triggers automatic decommission at 0600Z · 22 APR 2026.

Policy permits time-bounded commander risk acceptance under compensating controls and a mitigation milestone, documented to the POA&M in eMASS. This determination is that acceptance.
§4 · Composite Core determination · Active AI-RMF arbitration
Continue-ops Advocate
Keep TGS-2 operational
Mission rises to commander operational priority. Three compensating controls available: network segmentation, updated monitoring signature, and a time-bounded operating window tied to vendor patch v3.4.2. Hardware class has 174 operating days without a security event. Decommission introduces measurable continuity cost (36-hour C2 dark period).
Decommission Defender
Take TGS-2 offline
CVE-2026-1847 has a published exploit path. Exposure window compounds with elapsed time. Policy is the default posture the commander inherits unless he actively overrides it. Alternate asset availability, while inconvenient, is not zero — a 36-hour dark period is bounded, exploitation in the wild is not.
Arbiter · Glass-Box
Recommend: risk-accepted continued operation
Balanced analysis favors time-bounded continued operation under three compensating controls, with mandatory re-assessment at the 48-hour mark and mitigation milestone when patch v3.4.2 is validated. Confidence 0.86. Alternative course — decommission with logistical impact plan — available on commander’s request.
§5 · Commander’s decision
One choice. Signed on the record.
Decommission per standing order · reconstitute to alternate asset
Accept risk · time-bounded continued operation under specified conditions
Risk acceptance terms
· Duration: 96 hours — until 0600Z · 24 APR 2026 (mandatory re-assessment at 0600Z · 22 APR 2026 / 48-hour mark)
· Compensating controls: network segmentation enforced · monitoring signature updated · operator watchstander 24/7
· Mitigation milestone: vendor patch v3.4.2 applied and validated before re-certification
· Kinetic authority: unchanged · risk acceptance applies to operational posture of TGS-2 only
· Reversion: automatic decommission at expiration unless re-signed
§6 · Signatures
Commander · risk-accepting authority
COL J. Rodriguez
Commander, 3BCT / 3ID
/signed/ 2026-04-20 04:32Z
Signal officer · technical concurrence
MAJ S. Patel
3BCT S6
/concurrence/ 2026-04-20 04:28Z
ISSM · security concurrence
CW3 M. Lee
3BCT / 3ID ISSM
/concurrence/ 2026-04-20 04:30Z
§7 · eMASS / POA&M integration
Sync
eMASS package GP-03-ARMY-OT-0018 · POA&M entry PAM-2026-0420-047 updated at 2026-04-20 04:32:14Z
Status
Risk accepted · time-bounded · expiration 0600Z 24 APR 2026
ATO
Posture INTACT under signed acceptance · no re-accreditation required
Milestones
M1 re-assessment 0600Z 22 APR · M2 patch v3.4.2 validated · M3 re-certification by ISSM
Policy said decommission. Mission said operational. The commander accepted risk — on the record — and the ATO stayed intact. That’s Active RMF. Not a slide. A runtime.