Government, Military, and Air-Gapped Deployment

Module FT22 · Course 3 — LLM Fine-Tuning Masterclass

75 minutes · DoD Impact Levels · the open-data requirement · the LoRA supply-chain risk · the air-gap checklist

IL5/IL6 and air-gapped JWICS demand auditable open-data models. Here is why, and how.

Pillar 7 — Sensitive Domains

The thesis, restated for this tier

FedRAMP authorizes the cloud service. It does not authorize the weights.

At IL5+, IL6, and air-gapped JWICS you must audit:

  • The model's weights (what behavior is embedded)
  • The model's training data (what it saw)
  • The supply chain that produced the artifact you load

This forces the open-data choice. And it makes the LoRA / merge supply chain the attack surface.

DoD Impact Levels — the ladder

ILFedRAMP baselineData classNetwork
IL2Moderate (~325)Unclassified, non-publicNIPRNet
IL4Moderate + DoD overlaysCUINIPRNet
IL5FedRAMP HighCUI / NSSNIPRNet / SIPRNet
IL6High + classified overlaysSECRETSIPRNet
IL7+Beyond FedRAMPTS / SCIJWICS (air-gapped)

A ladder of escalating trust. IL7+ is, by construction, beyond commercial cloud.

Why IL5/IL6 demand open-data

You must be able to audit the model's weights AND training data.

Three properties follow, all non-negotiable at IL5+:

PropertyWhat it means
ReproducibilityYou could re-derive from corpus + code (in principle)
No hidden training-time exfiltrationInspect the corpus; flag anomalies
No embedded behavior you can't account forProbe activations (FT17 toolkit, defensively)
The re-derivability rule: if you cannot fully re-derive an artifact from published source weights + recipe, you may not load it into IL5+.

Open-data vs open-weights vs closed

TypeYou getExamplesIL fit
Open-dataWeights + corpusMiniCPM · OLMo · Tülu · SmolLM3Required at IL5+
Open-weights-onlyWeights, no dataLlama 3.x · MistralIL2–IL4 w/ due diligence
Closed-weightNeither (API)OpenAI · Anthropic · GeminiIncompatible w/ air-gap

Open-data = auditable. Open-weights-only = trust the publisher. Closed = API-only, off-JWICS by construction.

The LoRA / merge supply-chain risk

OWASP LLM03:2025 — Supply Chain Vulnerabilities. Explicitly names: "an attacker infiltrates a third-party supplier and compromises the production of a LoRA adapter."

Three core risks OWASP names:

  • Poisoned models — backdoored at the weight level
  • Vulnerable packages — transformers, peft, safetensors, bitsandbytes
  • Weak provenance — no signatures, no pinned mirrors

First time a major standards body has named LoRA adapters and merges as a first-class attack surface.

The LoRA-specific backdoor research

WorkWhat it shows
arXiv:2512.19297
Causal-Guided Detoxify
Backdoor that looks like a benign detoxify fine-tune; passes benchmarks
MasqLoRA (CVPR 2026)First systematic LoRA backdoor framework. Survives quant, merge, weight-diff
"Down the Rabbit Hole" (OpenReview)Compositional risk: A + B merge can activate backdoor neither alone triggers
Anthropic small-samples-poisonFew poisoned samples implant backdoors regardless of scale
PMC healthcare reviewLoRA's "double vulnerability" — data + adapter, either sufficient

The threat is not theoretical. MasqLoRA is explicitly designed to evade every check short of activation probing.

The defensive playbook — 5 steps

1. Prefer open-data models (MiniCPM, OLMo, Tülu)
2. Re-derive quants/LoRAs from source — no opaque community artifacts
3. Diff-in-means / activation probing (FT17 toolkit, defensively)
4. Behavioral evals — Promptfoo + Garak + your suite
5. Checksum/sign + pinned internal mirror — never hf pull in prod

Apply in order. Skip none at IL5+. Step 3 is the only check that survives the MasqLoRA attack class.

Air-gapped deployment — the 4 verbs

Pre-load

Every artifact — weights, tokenizer, eval, deps — loaded before severance.

Sever

Network disabled. ip link show = no carrier. Test continuously.

Bind

Server binds 127.0.0.1 or Unix socket — never 0.0.0.0. Loopback only.

Log

Append-only local store. Prompt + generation + load + config.

Why llama.cpp / vLLM (FT20): minimal network posture. llama-server is a single static binary that binds loopback by default. The open-weights stack is not a cost choice at IL7+ — it's the only choice that fits the architecture.

The CDAO closed-vendor gap

CDAO's announced frontier-model partners:

The partners

  • Anthropic (closed)
  • Google (closed)
  • OpenAI (closed)
  • xAI (closed)

The consequence

All API-only. None auditable at the weight level. None deployable on JWICS.

The gap: if every authorized government model is closed-weight, every IL5+ / air-gapped deployment is impossible by construction. The open-weights curriculum is the response.

The open response is not "open is better today." It is: open-data is auditable, the gap is closing, and the supply chain is the attack surface. NTIA (2024) makes the policy case; this module makes the engineering one.

Anti-patterns

Trusting community merges for classified work. An opaque Llama-X-Smaug-OpenHermes-vN whose provenance you cannot reconstruct. Violates the re-derivability rule; exposes you to MasqLoRA.
Pulling from HF in production. hf pull inside the trust boundary. The hub is mutable; accounts are compromised regularly. Always pull at an inbound gate, sign, mirror, verify on load.
No behavioral evals. Task-eval coverage is ~0% of the adversarial surface. Promptfoo + Garak every time, on every artifact.
Assuming "open" means "safe." Open is a precondition for auditing, not the audit itself. An open-weights model with a poisoned LoRA merged in is open AND backdoored.

The synthesis with this course

The open-data model is auditable.
The open-weights stack is air-gap-able.
The fine-tuning in this course is what closes the residual capability gap on your specific task.

Put together: a fine-tuned open-data model, re-derived from source, probed and evaled, signed and mirrored, pre-loaded onto an air-gapped host and bound to loopback — running inside the harness from Course 1.

The model steers; the harness bounds. At IL5+, both are auditable — because you chose open-data and verified the supply chain.

What you can now do

  1. Recite the DoD Impact Levels (IL2 → IL7+) and map each to baseline, data class, and network.
  2. Explain why IL5/IL6/JWICS force the auditable open-data choice.
  3. Name the LoRA supply-chain risk (OWASP LLM03:2025, MasqLoRA, small-samples-poison) and its three core vectors.
  4. Apply the 5-step defensive playbook to any model you did not train.
  5. Design an air-gapped deployment: pre-load, sever, bind, log.
  6. Place the CDAO closed-vendor gap in context of the open-weights response.

Next: FT23 — Synthesis: Uncensor the Model, Harness the Model