Module FT22 — Government, Military, and Air-Gapped Deployment

Government, Military, and Air-Gapped Deployment

FedRAMP authorizes the cloud, not the weights. IL5/IL6 and air-gapped JWICS demand auditable open-data models — and the LoRA / merge supply chain is the attack surface that makes the five-step defensive playbook non-negotiable.

75
minutes
8
artifacts
6
sub-sections
The DoD Impact Levels are the compliance ladder every government AI deployment climbs. At IL5 and above the open-data argument from FT21 becomes load-bearing: you must audit weights AND training data, which forces the open-data choice (MiniCPM, OLMo, Tülu) and forbids opaque community merges. OWASP LLM03:2025 names LoRA adapter compromise as a first-class supply-chain vector; MasqLoRA (CVPR 2026) shows backdoors that survive quantization, merge, and weight-diff. The defense is a five-step playbook — open-data, source re-derivation, activation probing, behavioral evals, signed pinned mirror — wrapped around a four-verb air-gap design: pre-load, sever, bind, log.
Key Claims
Load-Bearing Claims

FedRAMP authorizes the cloud service, not the model weights. A FedRAMP Moderate authorization (~325 controls) certifies the provider's physical, personnel, and audit controls — it says nothing about whether the neural network you load is trustworthy, what it was trained on, or whether a merged LoRA has a backdoor. That gap is the entire module.

IL5/IL6 and air-gapped JWICS demand auditable open-data. At those tiers you must audit weights AND training data, which requires reproducibility, no hidden training-time exfiltration, and no embedded behavior you cannot account for. This forces open-data (MiniCPM, OLMo, Tülu, SmolLM3) over open-weights-only (Llama 3.x). Closed-weight is API-only and incompatible with air-gap by construction.

The LoRA / merge supply chain is the attack surface (OWASP LLM03:2025). OWASP explicitly names 'an attacker compromises the production of a LoRA adapter.' MasqLoRA (CVPR 2026) shows backdoors that survive quantization, merging, and weight-diff inspection; only activation probing (the FT17 diff-in-means toolkit, used defensively) catches this class.

The five-step defensive playbook is how you verify a model you did not train: prefer open-data, re-derive from source, activation-probe, behavioral-eval, sign-and-pin. Never `hf pull` inside the trust boundary; pull at an inbound gate, sign, mirror, verify on load.

Air-gap is a four-verb architecture, not 'network off': pre-load, sever, bind (loopback only), log. The llama.cpp / vLLM stacks from FT20 are the right substrate because of their minimal network posture.

The CDAO closed-vendor gap is real and structural. CDAO's announced partners (Anthropic, Google, OpenAI, xAI) are all closed-weight — none auditable, none deployable on JWICS. The open-weights curriculum is the engineering-side response to NTIA (2024).

After This Module
01
Recite the DoD Impact Levels table (IL2 through IL7+) and map each level to its FedRAMP baseline, data sensitivity class (CUI / SECRET / TS / SCI), and network (NIPRNet / SIPRNet / JWICS).
02
Explain why IL5/IL6 and air-gapped JWICS demand an auditable open-data model — and why standard FedRAMP cloud authorizations do not transfer to the model itself.
03
Articulate the LoRA / merge supply-chain risk: name OWASP LLM03:2025, the LoRA-specific backdoor research (Causal-Guided Detoxify, MasqLoRA, 'Down the Rabbit Hole'), and Anthropic's small-samples-poison finding.
04
Apply the five-step defensive playbook for verifying a model you did not train (open-data preference, source re-derivation, diff-in-means probing, behavioral evals, checksum/pinned-mirror).
05
Design an air-gapped deployment: pre-load, sever, bind locally, log everything — and justify why the llama.cpp / vLLM stacks from FT20 are the right substrate.
06
Place the CDAO closed-vendor gap in context of the open-weights curriculum response and the NTIA (2024) policy framing.
Artifacts
01
Teaching Document
~4,000 words; 6 sub-sections — the DoD IL ladder, why IL5/IL6 demand open-data, the LoRA supply-chain risk (OWASP LLM03 + research), the 5-step defensive playbook, air-gap deployment design, the CDAO closed-vendor gap. Flagship sensitive-domain module.
READ
02
Diagrams
6 Mermaid diagrams (dark #14141f / #5eead4) — the DoD IL ladder, why IL5/IL6 demand open-data, the LoRA supply-chain attack chain, the 5-step defensive playbook, the air-gapped deployment architecture, the CDAO closed-vendor gap.
READ
03
Slide Deck
14 reveal.js slides — exact head/style template; title 'Module FT22 — Government, Military, and Air-Gapped Deployment'; footer 'Course 3 — LLM Fine-Tuning Masterclass · FT22 · Pillar 7'.
READ
04
Teaching Script
~3,200-word teaching script (~50 min spoken) with [SLIDE N] cues covering all six sub-sections.
READ
05
Flashcards
29 flashcards (c3::ft22::*) spanning recall/application/analysis across ILs, supply chain, defensive playbook, and air-gap design.
TEST
06
Exam
15-question exam (50 min) — exact 3 recall / 6 application / 6 analysis Bloom distribution; covers IL mapping, open-data justification, supply-chain threats, defensive steps, air-gap design, and the CDAO gap.
TEST
07
Lab Spec
'The Air-Gap Checklist' — a deployment-design lab (no GPU) producing a complete, signable checklist for placing a fine-tuned model into an air-gapped IL5-equivalent environment; covers all 5 defensive steps + the 4-verb deployment design; includes template, verification procedures, deliverables, and solution key.
DO
08
Module Web Page
Single-file HTML hub
HERE