Where 5000.90 sits
DoD Instruction 5000.90 ("Cybersecurity for Acquisition Decisions in the Adaptive Acquisition Framework") and its AI-related companion instruction establish the specific AI-system acquisition responsibilities layered on top of the DoD Adaptive Acquisition Framework (DoDI 5000.02). For AI and autonomous systems, 5000.90 pulls in the DoD Responsible AI (RAI) principles published in 2020, the RAI Strategy and Implementation Pathway, and the specific T&E expectations for AI capabilities.
DoD Instruction 5000.90 establishes acquisition policy for AI-enabled systems. It requires AI readiness reviews, responsible AI assessments, and T&E planning for ML components. Systems that skip these reviews cannot receive operational authorization.
In plain English: if you are acquiring, developing, or transitioning an AI capability for a DoD program, 5000.90 is part of the stack the program manager reads.
The five RAI principles

- Responsible. Personnel exercise judgment and care while remaining responsible for development, deployment, and use of AI capabilities.
- Equitable. Deliberate steps to minimize unintended bias.
- Traceable. AI engineering is transparent, auditable, and supported by data and design provenance.
- Reliable. AI capabilities have explicit, well-defined uses; safety, security, and effectiveness are tested across those uses.
- Governable. Capabilities allow human operators to detect and avoid unintended consequences and to disengage systems that exhibit unintended behavior.
These five words turn up in memos, evaluation criteria, and proposal templates. Use them in your technical volume and program documentation. Program managers look for them.
Equitable and Governable are the most under-addressed in typical proposals. Explicitly calling them out by name, with a one-paragraph implementation plan each, differentiates a proposal at review.
The acquisition pathways
DoDI 5000.02 defines six acquisition pathways. AI capabilities typically move through three of them.
| Pathway | Used when | AI-relevant notes |
|---|---|---|
| Software Acquisition Pathway (SWP) | Software-intensive capabilities | Default for most AI/ML. Iterative delivery, minimum-viable-capability releases, continuous ATO tie-ins. |
| Middle Tier of Acquisition (MTA) | Rapid prototyping (MTA-RP) or rapid fielding (MTA-RF), five-year ceiling | Useful for fielding a Phase III transition from SBIR into an operational prototype. |
| Urgent Capability Acquisition (UCA) | Two-year window for urgent operational needs | Rare for AI systems, but used for capabilities responding to active threats. |
T&E expectations for AI
Test and Evaluation for AI looks different from T&E for conventional systems. 5000.90 and the DOT&E AI T&E framework emphasize:
- Data quality and representativeness evaluation before model training.
- Performance evaluation across relevant operational cohorts, not just aggregate metrics.
- Robustness testing against adversarial, out-of-distribution, and degraded inputs.
- Human-machine teaming evaluation — how operators interact with the AI, including failure modes.
- Continuous evaluation after deployment, not only at acceptance.
- Traceability from training data to deployed model, including version pinning and change management.
For a prototype, this does not mean a massive T&E investment. It means your evaluation plan is written down, the metrics are specific, and the plan is reviewed with the program's T&E lead before you claim capability.
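A written-down plan with specific metrics can be as small as a per-cohort release gate. The sketch below is an added example, not taken from DoDI 5000.90 or the DOT&E framework: it reports accuracy and recall per operational cohort and fails the gate when a cohort is under the floor or under-sampled, even though the aggregate passes. The cohort names, the 0.85 floor, the 30-sample minimum and the records are constructed assumptions.

```python
from collections import defaultdict

# Constructed evaluation records: (cohort, true_label, predicted_label).
# Cohort names are hypothetical operating conditions, not from any DoD document.
RECORDS = (
    [("daylight", 1, 1)] * 46 + [("daylight", 1, 0)] * 2 +
    [("daylight", 0, 0)] * 50 + [("daylight", 0, 1)] * 2 +
    [("night", 1, 1)] * 12 + [("night", 1, 0)] * 8 +
    [("night", 0, 0)] * 18 + [("night", 0, 1)] * 2 +
    [("degraded_sensor", 1, 1)] * 3 + [("degraded_sensor", 1, 0)] * 1
)

def cohort_report(records):
    """Return {cohort: {n, accuracy, recall}} plus an "ALL" aggregate row."""
    counts = defaultdict(lambda: {"n": 0, "correct": 0, "pos": 0, "tp": 0})
    for cohort, truth, pred in records:
        for key in (cohort, "ALL"):
            c = counts[key]
            c["n"] += 1
            c["correct"] += int(truth == pred)
            c["pos"] += int(truth == 1)
            c["tp"] += int(truth == 1 and pred == 1)
    return {
        k: {"n": c["n"],
            "accuracy": c["correct"] / c["n"],
            "recall": c["tp"] / c["pos"] if c["pos"] else None}
        for k, c in counts.items()
    }

def gate(report, floor=0.85, min_n=30):
    """Release gate: every cohort needs enough samples and must meet the floor."""
    findings = []
    for cohort, row in sorted(report.items()):
        if cohort == "ALL":
            continue
        if row["n"] < min_n:
            findings.append((cohort, "insufficient_samples"))
        elif row["accuracy"] < floor or (row["recall"] is not None and row["recall"] < floor):
            findings.append((cohort, "below_floor"))
    aggregate_ok = report["ALL"]["accuracy"] >= floor
    return {"aggregate_ok": aggregate_ok, "passed": aggregate_ok and not findings, "findings": findings}

if __name__ == "__main__":
    report = cohort_report(RECORDS)
    print(report["ALL"], gate(report))
```

On this constructed data the aggregate accuracy is about 0.90, which would pass on its own; the gate still fails because the night cohort sits at 0.75 and the degraded-sensor cohort has only four samples.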
What SBIR teams need to do
An SBIR Phase I proposal for DoD does not need to be a 5000.90 compliance document. It does need to show you understand how the capability will meet RAI principles and how it will be evaluated. Concrete moves:
- Name the five RAI principles in the technical volume and describe, for each, a specific design or process choice that supports it.
- Include a short evaluation plan section — metrics, datasets, cohort splits, adversarial testing approach.
- Describe human-machine teaming — who the operator is, what decisions the AI supports, where the human stays in the loop.
- Describe traceability — version pinning, change management, audit logging.
- For Phase II, add a more detailed T&E plan and identify the likely DOT&E or service T&E engagement point.
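For the traceability item, version pinning means more than a Git tag. The following added example (not from the instruction or any DoD tooling) builds a release manifest that binds a model artifact to the hashes of its training data, a code revision and the previous release, then checks a deployment against it. The field names, the sample artifacts and the `<commit-placeholder>` value are assumptions made for illustration.

```python
import hashlib
import json

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(version, model_bytes, datasets, code_commit, prev_digest=None):
    """Pin a model release to its training data, code revision and predecessor."""
    body = {
        "version": version,
        "model_sha256": sha256(model_bytes),
        "datasets": {name: sha256(blob) for name, blob in sorted(datasets.items())},
        "code_commit": code_commit,
        "prev_manifest": prev_digest,  # links releases into a change-management chain
    }
    # Canonical JSON so the digest is stable across runs and machines.
    digest = sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())
    return {**body, "manifest_sha256": digest}

def verify(manifest, model_bytes, datasets):
    """Return discrepancies between the pinned manifest and what is deployed."""
    problems = []
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    recomputed = sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())
    if recomputed != manifest["manifest_sha256"]:
        problems.append("manifest_tampered")
    if sha256(model_bytes) != manifest["model_sha256"]:
        problems.append("model_mismatch")
    for name, pinned in manifest["datasets"].items():
        if name not in datasets:
            problems.append(f"dataset_missing:{name}")
        elif sha256(datasets[name]) != pinned:
            problems.append(f"dataset_changed:{name}")
    for name in sorted(set(datasets) - set(manifest["datasets"])):
        problems.append(f"dataset_unpinned:{name}")
    return problems

# Constructed sample artifacts; real use would hash files streamed from disk.
MODEL_V1 = b"constructed-model-weights-v1"
DATA = {"train.csv": b"id,label\n1,0\n2,1\n", "val.csv": b"id,label\n3,1\n"}
M1 = build_manifest("1.0.0", MODEL_V1, DATA, code_commit="<commit-placeholder>")
M2 = build_manifest("1.1.0", b"constructed-model-weights-v2", DATA,
                    code_commit="<commit-placeholder>", prev_digest=M1["manifest_sha256"])

if __name__ == "__main__":
    print(verify(M1, MODEL_V1, DATA))
    print(verify(M1, b"swapped", {**DATA, "train.csv": b"altered"}))
```

An unkeyed digest only catches accidental or careless edits; for audit purposes the manifest should be signed or stored where the deploying party cannot rewrite it.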
Continuous ATO and 5000.90
The Software Acquisition Pathway is designed for iterative delivery, which conflicts with traditional one-shot ATO practices. DoD has moved steadily toward Continuous ATO (cATO), where a program maintains authorization posture across frequent releases via automated evidence. 5000.90's T&E expectations align with cATO's continuous-evaluation posture. If your program is on SWP, aim for cATO from the start — it is the delivery rhythm 5000.90 assumes.
Common 5000.90 gaps in SBIR proposals
- RAI principles listed as a single sentence without specific implementation mapping.
- No evaluation plan, or a plan that measures aggregate accuracy without cohort breakdowns.
- No discussion of human-machine teaming or when the human is in, on, or out of the loop.
- Traceability described as "we use Git" without addressing model-version pinning, training-data provenance, or change management.
- No connection between the prototype and the T&E approach a transition partner would need to extend.
Bottom line
DoDI 5000.90 does not invent compliance theater. It insists that AI programs actually address the five RAI principles, that T&E covers AI-specific failure modes, and that acquisition pathway choices match the program's delivery model. For SBIR teams, the win is to read the instruction and write proposals that reflect it — not by quoting the document, but by addressing what it asks.
Frequently asked questions
DoD Instruction 5000.90 is the cybersecurity and AI-related instruction layered on the Adaptive Acquisition Framework. It brings the DoD Responsible AI principles and specific T&E expectations into acquisition.
Responsible, Equitable, Traceable, Reliable, Governable. Published by DoD in 2020. Referenced throughout 5000.90 and downstream program documentation.
Most commonly the Software Acquisition Pathway (SWP). Middle Tier of Acquisition (MTA-RP or MTA-RF) is also common for rapid prototyping transitions. Urgent Capability Acquisition is rare for AI.
Proposals should reflect RAI principles, include an evaluation plan, and describe human-machine teaming and traceability. They do not need to be compliance documents themselves.
The Software Acquisition Pathway assumes iterative delivery. Continuous ATO (cATO) is the authorization approach that matches iterative delivery. 5000.90's T&E expectations align with cATO's continuous-evaluation posture.
Naming RAI principles without specific implementation mapping, and evaluation plans that report aggregate metrics without cohort breakdowns or adversarial testing.