Government, Military, and Air-Gapped Deployment
FedRAMP authorizes the cloud, not the weights. IL5/IL6 and air-gapped JWICS demand auditable open-data models — and the LoRA / merge supply chain is the attack surface that makes the five-step defensive playbook non-negotiable.
FedRAMP authorizes the cloud service, not the model weights. A FedRAMP Moderate authorization (~325 controls) certifies the provider's physical, personnel, and audit controls — it says nothing about whether the neural network you load is trustworthy, what it was trained on, or whether a merged LoRA has a backdoor. That gap is the entire module.
IL5/IL6 and air-gapped JWICS demand auditable open-data. At those tiers you must audit weights AND training data, which requires reproducibility, no hidden training-time exfiltration, and no embedded behavior you cannot account for. This forces open-data (MiniCPM, OLMo, Tülu, SmolLM3) over open-weights-only (Llama 3.x). Closed-weight is API-only and incompatible with air-gap by construction.
The LoRA / merge supply chain is the attack surface (OWASP LLM03:2025). OWASP explicitly names 'an attacker compromises the production of a LoRA adapter.' MasqLoRA (CVPR 2026) shows backdoors that survive quantization, merging, and weight-diff inspection; only activation probing (the FT17 diff-in-means toolkit, used defensively) catches this class.
The five-step defensive playbook is how you verify a model you did not train: prefer open-data, re-derive from source, activation-probe, behavioral-eval, sign-and-pin. Never `hf pull` inside the trust boundary; pull at an inbound gate, sign, mirror, verify on load.
Air-gap is a four-verb architecture, not 'network off': pre-load, sever, bind (loopback only), log. The llama.cpp / vLLM stacks from FT20 are the right substrate because of their minimal network posture.
The CDAO closed-vendor gap is real and structural. CDAO's announced partners (Anthropic, Google, OpenAI, xAI) are all closed-weight — none auditable, none deployable on JWICS. The open-weights curriculum is the engineering-side response to NTIA (2024).