75 minutes · DoD Impact Levels · the open-data requirement · the LoRA supply-chain risk · the air-gap checklist
IL5/IL6 and air-gapped JWICS demand auditable open-data models. Here is why, and how.
Pillar 7 — Sensitive Domains
At IL5+, IL6, and air-gapped JWICS you must audit:
This forces the open-data choice. And it makes the LoRA / merge supply chain the attack surface.
| IL | FedRAMP baseline | Data class | Network |
|---|---|---|---|
| IL2 | Moderate (~325) | Unclassified, non-public | NIPRNet |
| IL4 | Moderate + DoD overlays | CUI | NIPRNet |
| IL5 | FedRAMP High | CUI / NSS | NIPRNet / SIPRNet |
| IL6 | High + classified overlays | SECRET | SIPRNet |
| IL7+ | Beyond FedRAMP | TS / SCI | JWICS (air-gapped) |
A ladder of escalating trust. IL7+ is, by construction, beyond commercial cloud.
Three properties follow, all non-negotiable at IL5+:
| Property | What it means |
|---|---|
| Reproducibility | You could re-derive from corpus + code (in principle) |
| No hidden training-time exfiltration | Inspect the corpus; flag anomalies |
| No embedded behavior you can't account for | Probe activations (FT17 toolkit, defensively) |
| Type | You get | Examples | IL fit |
|---|---|---|---|
| Open-data | Weights + corpus | MiniCPM · OLMo · Tülu · SmolLM3 | Required at IL5+ |
| Open-weights-only | Weights, no data | Llama 3.x · Mistral | IL2–IL4 w/ due diligence |
| Closed-weight | Neither (API) | OpenAI · Anthropic · Gemini | Incompatible w/ air-gap |
Open-data = auditable. Open-weights-only = trust the publisher. Closed = API-only, off-JWICS by construction.
Three core risks OWASP names:
First time a major standards body has named LoRA adapters and merges as a first-class attack surface.
| Work | What it shows |
|---|---|
| arXiv:2512.19297 Causal-Guided Detoxify | Backdoor that looks like a benign detoxify fine-tune; passes benchmarks |
| MasqLoRA (CVPR 2026) | First systematic LoRA backdoor framework. Survives quant, merge, weight-diff |
| "Down the Rabbit Hole" (OpenReview) | Compositional risk: A + B merge can activate backdoor neither alone triggers |
| Anthropic small-samples-poison | Few poisoned samples implant backdoors regardless of scale |
| PMC healthcare review | LoRA's "double vulnerability" — data + adapter, either sufficient |
The threat is not theoretical. MasqLoRA is explicitly designed to evade every check short of activation probing.
hf pull in prodApply in order. Skip none at IL5+. Step 3 is the only check that survives the MasqLoRA attack class.
Pre-load
Every artifact — weights, tokenizer, eval, deps — loaded before severance.
Sever
Network disabled. ip link show = no carrier. Test continuously.
Bind
Server binds 127.0.0.1 or Unix socket — never 0.0.0.0. Loopback only.
Log
Append-only local store. Prompt + generation + load + config.
llama-server is a single static binary that binds loopback by default. The open-weights stack is not a cost choice at IL7+ — it's the only choice that fits the architecture.
CDAO's announced frontier-model partners:
The partners
The consequence
All API-only. None auditable at the weight level. None deployable on JWICS.
The open response is not "open is better today." It is: open-data is auditable, the gap is closing, and the supply chain is the attack surface. NTIA (2024) makes the policy case; this module makes the engineering one.
Llama-X-Smaug-OpenHermes-vN whose provenance you cannot reconstruct. Violates the re-derivability rule; exposes you to MasqLoRA.
hf pull inside the trust boundary. The hub is mutable; accounts are compromised regularly. Always pull at an inbound gate, sign, mirror, verify on load.
Put together: a fine-tuned open-data model, re-derived from source, probed and evaled, signed and mirrored, pre-loaded onto an air-gapped host and bound to loopback — running inside the harness from Course 1.
Next: FT23 — Synthesis: Uncensor the Model, Harness the Model