"What does the DoD Impact Levels (IL) framework determine for an LLM deployment?" "Four things at once: which FedRAMP baseline applies (Low/Moderate ~325 controls/High), what data class you may put in the prompt (unclassified/CUI/SECRET/TS-SCI), which network the box may sit on (NIPRNet/SIPRNet/JWICS), and whether the deployment is network-connected or air-gapped. Built by DISA; cited by GSA, FedRAMP, Microsoft, StackArmor, Second Front." c3::ft22::recall "Recite the DoD Impact Levels table — IL2 through IL7+." "IL2 = FedRAMP Moderate (~325 controls), unclassified non-public, NIPRNet. IL4 = Moderate + DoD overlays, CUI, NIPRNet. IL5 = FedRAMP High, CUI / NSS, NIPRNet/SIPRNet. IL6 = High + classified overlays, SECRET, SIPRNet. IL7+ = Beyond FedRAMP, TS/SCI, JWICS (air-gapped)." c3::ft22::recall "What is the single most important structural fact about FedRAMP and LLM weights?" "FedRAMP authorizes the CLOUD SERVICE (provider's controls: physical security, personnel clearance, audit logging, incident response) — NOT the model weights. It says nothing about whether the weights are trustworthy, what the model was trained on, or whether a merged LoRA has a backdoor. That gap is the subject of FT22." c3::ft22::recall "Name the three DoD networks and what each carries." "NIPRNet (unclassified — IL2/IL4/IL5). SIPRNet (SECRET — IL5/IL6). JWICS (TS/SCI — IL7+, air-gapped from the public internet; no HF pull, no API calls, model arrives on media)." c3::ft22::recall "What three properties must an IL5+ model satisfy, and why?" "(1) REPRODUCIBILITY — could re-derive from published corpus + code (in principle, even if you won't actually rerun a trillion-token pretrain). (2) NO HIDDEN TRAINING-TIME EXFILTRATION — corpus is published, you can diff it. (3) NO EMBEDDED BEHAVIOR YOU CAN'T ACCOUNT FOR — probe activations against the open-data reference. All three force the open-data choice." c3::ft22::application "Distinguish open-data, open-weights-only, and closed-weight models, and place each on the IL ladder." "OPEN-DATA (weights + corpus: MiniCPM, OLMo, Tülu, SmolLM3) — REQUIRED at IL5+. OPEN-WEIGHTS-ONLY (weights, no data: Llama 3.x, Mistral) — IL2–IL4 with documented due diligence, liability at IL5+. CLOSED-WEIGHT (neither: OpenAI, Anthropic, Gemini) — API-only, incompatible with air-gap by construction." c3::ft22::recall "State the re-derivability rule for IL5+." "If you cannot fully re-derive an artifact from its published source weights AND training recipe, you may NOT load it into an IL5+ environment. Rules out most community merges/LoRAs. Harsh but correct — an unauditable artifact is a contraband artifact." c3::ft22::application "Why is a community-merged model (e.g., 'Llama-3-Smaug-OpenHermes-blend-v4') a non-starter at IL5+?" "Its provenance is a chain of merges and LoRA applications you cannot reconstruct. Even if every link is well-intentioned, you cannot re-derive it from source. At IL5+ the re-derivability rule forbids loading it. The compositional backdoor risk (OpenReview 'Down the Rabbit Hole') compounds this: A+B merge can trigger a backdoor neither alone activates." c3::ft22::analysis "What does OWASP LLM03:2025 name, and why is it significant?" "Supply Chain Vulnerabilities. It explicitly names 'an attacker infiltrates a third-party supplier and compromises the production of a LoRA adapter, or a model-merge pipeline, such that the resulting artifact behaves normally under test but activates malicious behavior under a trigger.' First major standards body to name LoRA/merge as a first-class attack surface on par with vulnerable packages and poisoned data." c3::ft22::recall "Name OWASP LLM03:2025's three core supply-chain risks." "(1) POISONED MODELS — base/adapter/merge backdoored at the weight level. (2) VULNERABLE PACKAGES — transformers, peft, trl, safetensors, bitsandbytes dependency tree (subject to PyPI/npm typosquatting, account takeover — ultralytics/stellar-freighter-class incidents). (3) WEAK PROVENANCE — no signed manifests, no pinned mirrors, no checksum verification, ambiguous licensing." c3::ft22::recall "What does arXiv:2512.19297 (Causal-Guided Detoxify Backdoor on LoRA) demonstrate?" "A backdoor that SURVIVES the normal safety-eval pipeline by appearing to IMPROVE the model on benchmark dimensions — the adapter looks like a benign 'detoxify' fine-tune — while implanting a trigger-conditioned misbehavior. 'Causal-guided' = designed to causally steer behavior in a specific direction, not merely correlated. Defensive reviewer running benchmarks sees a better-behaving model." c3::ft22::analysis "What is MasqLoRA (CVPR 2026) and why does it matter?" "First systematic LoRA supply-chain backdoor framework. Shows an attacker controlling the adapter can implant backdoors that (a) SURVIVE QUANTIZATION, (b) SURVIVE MERGING into the base, (c) EVADE WEIGHT-DIFF inspection (malicious update is rank-compatible with legitimate). 'Masq' = the malicious LoRA masquerades as legitimate at every inspection level short of activation probing. Only diff-in-means catches it." c3::ft22::analysis "What does Anthropic's small-samples-poison research show, and what is the defense?" "A VERY SMALL number of poisoned samples can implant backdoors REGARDLESS OF MODEL SCALE — even single-digit-percentage poison rates produce reliable trigger-conditional behavior at fine-tuning. Scale does not buy immunity. The defense is NOT more data; the defense is VERIFIED data (open-data corpus you can audit), which loops back to the open-data argument." c3::ft22::analysis "What is LoRA's 'double vulnerability' (PMC healthcare review)?" "Clinical fine-tuning attacks BOTH the DATA (poisoned patient records used as training set) AND the ADAPTER (malicious LoRA distributed as a 'medical reasoning' enhancement). The two are INDEPENDENT attack surfaces, and EITHER is sufficient to compromise the model. Healthcare and defense share this exposure because both consume many third-party adapters from a community they don't control." c3::ft22::analysis "Recite the five-step defensive playbook for verifying a model you did not train." "(1) PREFER OPEN-DATA models (MiniCPM, OLMo, Tülu). (2) RE-DERIVE quants/LoRas from source — no opaque community artifacts, pinned toolchain. (3) DIFF-IN-MEANS / activation probing (FT17 abliteration toolkit, defensively) — the only check that survives MasqLoRA. (4) BEHAVIORAL EVALS — Promptfoo + Garak + your adversarial suite. (5) CHECKSUM/SIGN + pinned internal mirror — never hf pull inside the trust boundary." c3::ft22::recall "Why is diff-in-means / activation probing (Step 3) the only check that survives MasqLoRA?" "MasqLoRA is explicitly designed to evade WEIGHT-DIFF inspection (the malicious update is rank-compatible with the legitimate one) and to pass BEHAVIORAL benchmarks. Diff-in-means looks at ACTIVATIONS, not weights: build contrastive prompt pairs (trigger present vs absent), compute mean activation difference per layer, look for directions that activate on trigger but are near-zero on benign input. A clean model has a small interpretable salient set (refusal, format, language); a backdoored model has EXTRA directions with no documented training signal." c3::ft22::analysis "Why should you re-derive quants and LoRAs from source rather than trust opaque community artifacts?" "It eliminates the entire poisoned-quant and poisoned-adapter attack class by removing the opaque artifact from the trust chain. Take the published source weights (FP16/BF16), apply the published quantization recipe yourself (FT19) with pinned toolchain, and for LoRAs require published training data + recipe so you can re-derive. If you can't re-derive, you can't use it at IL5+." c3::ft22::application "What is the inbound-gate / pinned-mirror / verify-on-load trust boundary?" "Never hf pull inside the trust boundary. (1) INBOUND GATE — a network-connected staging host (NOT the deployment host): pull, record hash, sign with org key, store in INTERNAL MIRROR. (2) TRANSFER — one-way media for air-gap, verified internal network for IL2–IL6. (3) VERIFY ON LOAD — recompute hash, verify signature, refuse to load if either fails. Converts 'trust HF' into 'trust our signing infra + trust HF only at the gate where we can inspect.'" c3::ft22::application "Why are behavioral evals (Step 4) necessary but not sufficient?" "Promptfoo (prompt-injection/jailbreak/policy coverage) and Garak (NVIDIA's known-probe catalog) + your domain adversarial suite catch KNOWN failure modes and OBVIOUS backdoors. They do NOT catch a MasqLoRA-style attack designed to evade benchmarks. That's why Step 3 (activation probing) exists. Run them every time, on every artifact, before any IL4+ load." c3::ft22::application "Recite the four verbs of air-gapped deployment design." "PRE-LOAD (every artifact — weights, tokenizer, system prompt, eval, deps — loaded before severance). SEVER (network disabled; ip link show = no carrier, no default route, DNS unresolvable; test continuously). BIND (server binds 127.0.0.1 or Unix socket, never 0.0.0.0; harness co-located, loopback only). LOG (append-only local store; prompt + generation + load + config; the regulator's evidence)." c3::ft22::recall "Why are llama.cpp and vLLM the right inference substrate for air-gap?" "MINIMAL NETWORK POSTURE. llama-server is a single static binary — no container registry, no orchestrator, no service mesh, binds loopback by default — the most auditable inference server in the ecosystem. vLLM is more complex (Python/CUDA) but still single-process with a defined API surface; with a pinned mirror and frozen requirements.txt it's auditable. Neither is true of hosted closed-weight APIs — an API call is a network egress, incompatible with air-gap. The open-weights stack is not a cost choice at IL7+; it's the only choice that fits the architecture." c3::ft22::analysis "What is the CDAO closed-vendor gap?" "CDAO's announced frontier-model partners (Anthropic, Google, OpenAI, xAI) are ALL closed-weight — API-only, weights and training data not published, none auditable at the weight level, none deployable on JWICS. If every authorized government model is closed-weight, every IL5+/air-gapped deployment is impossible by construction. The open-weights curriculum is the response." c3::ft22::analysis "What is the open-weights response to the CDAO gap (three parts)?" "(1) Open-data models are AUDITABLE in a way closed models structurally cannot be — at IL5+/JWICS auditability is a deployment REQUIREMENT not a preference. (2) The capability gap is CLOSING — open frontier models within striking distance on most operational tasks; the fine-tuning in this course closes the residual gap on your specific task. (3) The SUPPLY CHAIN is the attack surface — closed API is trust dependency on publisher; verified open-data is trust dependency on your own process. Defense orgs have a strong prior toward the second." c3::ft22::analysis "What is the NTIA (2024) AI Open-Model Weights Report and why does it matter for FT22?" "The U.S. government's own policy acknowledgment that open-weight models ENABLE sensitive-domain use cases that closed models cannot serve. It explicitly notes open-weights enable IL5+/air-gap deployments. FT22 is the engineering-side reading of that report — the policy says open enables sensitive domains; this module says HOW (open-data, re-derivability, the defensive playbook, air-gap architecture)." c3::ft22::application "Why is 'assuming open means safe' an anti-pattern?" "Open-weights is NECESSARY for auditability at IL5+ but NOT SUFFICIENT. An open-weights model with a poisoned LoRA merged in is OPEN AND BACKDOORED. Open-data raises the floor (you can audit the corpus) but you still owe the five-step defensive playbook. 'It's open source' is not a security argument; it's the PRECONDITION for making a security argument." c3::ft22::analysis "Why is pulling directly from Hugging Face in production an anti-pattern?" "hf pull on the deployment host, inside the trust boundary. Even if the artifact is benign TODAY, you have no guarantee it's benign TOMORROW — the hub is mutable, accounts are compromised regularly (ultralytics/stellar-freighter-class incidents), and your deployment has no way to detect a swap. Always pull at an inbound gate, sign, mirror, verify on load." c3::ft22::application "Why does no behavioral evals before deployment qualify as an anti-pattern?" "'We ran the model on our task and it worked, so we shipped it.' Standard task-eval coverage is ~0% of the adversarial surface. Promptfoo and Garak exist for a reason; run them every time, on every artifact, before any IL4+ load. They are necessary, not sufficient — pair with activation probing (Step 3) because MasqLoRA-style attacks evade benchmarks by design." c3::ft22::application "What is CUI and why is it the dominant data class at IL4?" "Controlled Unclassified Information — non-classified but sensitive (export-controlled technical data, PII, law-enforcement-sensitive material). IL4 = Moderate + DoD overlays. Most operational DoD AI appetite lives at IL4 because most operational data is CUI, not classified. NIPRNet." c3::ft22::recall "How does FT22 relate to FT21 (HIPAA) and FT17 (abliteration)?" "FT21 made the open-data argument for HEALTHCARE; FT22 generalizes it to GOVERNMENT/DEFENSE and adds the IL ladder + air-gap architecture. FT17 used diff-in-means OFFENSIVELY (find the refusal direction so you can delete it — abliteration); FT22 reuses the SAME toolkit DEFENSIVELY (find unexpected steering directions a backdoor would implant). The toolkit is identical; the direction of use flips." c3::ft22::analysis