CMMC- and ITAR-ready AI, deployed inside your accredited enclave
Defense primes, DIB subcontractors, aerospace suppliers, MRO shops, and federal program teams handling CUI, ITAR/EAR-controlled technical data, or classified workloads face hard limits on commercial cloud AI — for many program networks, the regulations that govern the data leave no cloud path at all. This page describes how Onsite AI is deployed inside the customer's accredited boundary, the specific technical capabilities the deployment provides, and where its compliance claims begin and end.
Last reviewed: July 2026
Compliance scope
Onsite AI is not itself CMMC certified, and no software product is ITAR compliant on its own. CMMC certifies organizations, not products, and ITAR governs how a US-person organization handles controlled technical data. A product provides the technical capabilities the customer's SSP author and assessor map to the applicable controls.
Onsite AI does not hold a FedRAMP High authorization, a DoD Impact Level 4/5/6 provisional authorization, StateRAMP, or an authorization to operate on any specific government network. The deployment ships on customer-owned hardware inside a boundary the customer accredits. Enforcement of ITAR's US-persons access rule stays with the customer through personnel security, identity-provider group policy, and physical access to the enclave. No claim is made about pre-authorization for any classification level; deployments in classified environments are governed by the customer's Authorizing Official under the applicable authorization framework.
This page does not enumerate specific NIST SP 800-171 or 800-172 control numbers Onsite AI “meets.” Controls are met by an organization operating a system; the sections below describe the technical mechanisms the customer's SSP author maps to the applicable control families.
Why commercial cloud AI is off the table
CMMC (Cybersecurity Maturity Model Certification) is the DoD framework that governs how defense contractors and subcontractors protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) inside the Defense Industrial Base. Level 2 assessment aligns with the NIST SP 800-171 control set. If a system handles CUI, it sits inside the customer's CMMC boundary and every component of that system is in scope for assessment.
ITAR (International Traffic in Arms Regulations) and its export-control sibling EAR govern controlled technical data — design, requirements, drawings, test data, and software for defense articles and certain dual-use items. Access by non-US persons is a deemed export requiring authorization, and placing controlled technical data on commercial cloud AI infrastructure is generally treated as an export unless a specific carve-out applies — such as the end-to-end encryption provision at 22 CFR 120.54, which commercial AI products cannot satisfy because they process prompts in the clear.
A commercial cloud AI product — ChatGPT, Microsoft 365 Copilot, Gemini — processes prompts and grounding data on vendor-managed infrastructure. The vendor controls the operators, the storage, the model, the telemetry, and the update schedule. That is a fine arrangement for unregulated enterprise data. It is disqualifying for CUI in the CMMC boundary and for ITAR/EAR-controlled technical data on a program network — DFARS 252.204-7012 requires cloud services that store, process, or transmit CUI to meet security requirements equivalent to the FedRAMP Moderate baseline, a posture commercial consumer AI products do not hold.
Government-cloud offerings — Microsoft GCC High / Azure Government, AWS GovCloud, Google Assured Workloads — are the appropriate path for many Microsoft-native or cloud-native federal environments. They are not the right path when the program network is stand-alone, air-gapped, or on hardware the customer must physically control. That is the environment Onsite AI is built for.
The technical controls the deployment provides
Onsite AI ships with the security capabilities every CMMC-scoped or ITAR-boundary environment needs its information-system components to support. Your SSP author maps each capability to the applicable NIST SP 800-171 control family; the deployment provides the technical mechanism.
| Capability | What Onsite AI ships |
|---|---|
| Data boundary | Inference, retrieval, storage, and identity integration all run inside the customer's perimeter. Prompts, grounding data, and vector embeddings never traverse the network boundary — the deployment is fully air-gap capable. |
| Identity & authentication | SSO/LDAP integration with the customer's identity provider. Multi-factor authentication (MFA) on user access. The customer's IdP policy — including US-persons-only groupings the customer already enforces for ITAR — governs who reaches the deployment. |
| Access control | Role-based access control (RBAC) on users, collections, and content. Access to specific document corpora, tools, and model tiers is granted by role; every access decision is recorded. |
| Encryption at rest | Full-disk encryption on the deployment's storage. Model weights, vector indexes, RAG corpora, and audit logs are all covered. |
| Audit logging | Comprehensive audit logging of user actions, retrieval queries, model responses, and administrative events. Logs are retained inside the enclave and available to the customer's SIEM and assessor evidence bundles. |
| Update path | Signed offline update bundles delivered on media the customer's operations staff verify and apply through their existing media-in procedure. Updates apply on the customer's change window; the security posture never depends on outbound internet. |
| Physical & environmental | The deployment runs on hardware the customer owns and physically controls, in the facility they already accredit. Physical, environmental, and media-protection controls remain the customer's — same posture as the rest of the enclave. |
Air-gap operation and signed offline updates
Program-network engineering enclaves and classified environments frequently have no outbound route at all — no vendor phone-home, no update server, no telemetry collector. This is where most AI products quietly fail: their update path, telemetry, or model-serving stack assumes an internet-side dependency the enclave will never permit.
Onsite AI is designed to run fully air-gap capable. The inference stack, RAG pipeline, identity integration, and audit logging operate entirely inside the enclave. Software and model updates are shipped as signed offline update bundles: the customer's operations staff verify signatures on their existing media-in workstation, move the bundle across the air gap using their normal procedure, and apply it on their change window. There is no continuous outbound connectivity required for the product to function; the security posture does not depend on the network the enclave does not have.
The engineering detail behind the update path — bundle contents, signing model, RAG index rebuild strategy, and the common failure modes teams hit when they try to retrofit cloud-first AI into an air-gapped environment — is the subject of the sibling technical explainer: air-gapped LLM deployment — a practitioner's reference.
Fitting the deployment into your accreditation boundary
The deployment sits inside the boundary your organization already accredits — the network segment, hardware, and identity provider you have scoped for CUI-handling or ITAR-controlled work. From an SSP perspective it is an information-system component that supports the controls under assessment. Two 800-171 families make the shape concrete.
Access Control (3.1)
Every user reaches the deployment through the customer's identity provider — Active Directory, FreeIPA, or the program's own IdP — over LDAPS or SAML. Group membership drives RBAC on models, tool calls, and document collections; the same US-persons grouping the customer already enforces for ITAR extends to the AI surface without a separate directory to maintain. MFA lives at the IdP, so the customer's existing PIV/CAC posture applies without a second factor scheme layered on top. When an assessor asks who reached which controlled corpus, on what date, under what role, the answer is a single query against the deployment's audit store bound to the directory identity. Nothing about the AC.L2 posture is invented for the AI system; it is inherited from the enclave.
Audit and Accountability (3.3)
The deployment writes an append-only audit record for every user action, retrieval query, tool call, model response, and administrative event. Records live inside the enclave on encrypted storage. A scheduled one-way cross-domain transfer moves the day's records into the customer's SIEM through the same guarded path the rest of the enclave uses to reach it. Because the audit schema is documented, the SSP author can point AU.L2-3.3.1 (“create and retain audit records”) and AU.L2-3.3.5 (“correlate audit review, analysis, and reporting”) at a specific field set the assessor can spot-check.
The other families the deployment touches — Identification & Authentication on the same IdP integration, System & Communications Protection on the encrypted boundary, Media Protection on the update path — follow the same pattern: the AI component provides the technical mechanism, the customer's existing accreditation and personnel controls do the rest. The Discovery & Scoping Engagement produces the architecture drawing and control-support narrative your SSP author needs to draft the corresponding sections. Your Authorizing Official retains all accreditation authority.
Reference hardware for a program network
The entry deployment is a single inference server: 2× NVIDIA RTX PRO 6000 Blackwell GPUs (192 GB VRAM), dual AMD EPYC 9355 CPUs, 512 GB ECC RAM, 8 TB NVMe plus 32 TB SAS storage. That configuration supports 40+ concurrent engineering users on Local GPT or Enterprise RAG. Deployments scale up to a four-GPU 384 GB VRAM dual-node HA cluster with InfiniBand interconnect on the fAI Model tier — the pattern for mission-critical program-network availability where zero-downtime failover is a contract requirement. Full configurations and the sizing rationale behind them are in the LLM hardware requirements reference.
Because the hardware belongs to the customer and sits inside the enclave, physical and environmental controls, media protection, and facility security are governed by the accreditation the customer's site already holds. The AI deployment inherits that posture.
What the deployment is used for
On the defense and regulated-program side the workloads concentrate on a few things. Retrieval over controlled technical data — schematics, requirements documents, test reports, program specifications, vendor drawings — is the anchor, with cited answers from the Enterprise RAG tier and vision-language support for the drawings. Sustainment and MRO workflows over technical publications, fault histories, and maintenance records sit alongside it, since the corpus is already controlled and cannot leave the enclave.
Two smaller workloads round it out: tribal-knowledge capture from retiring engineers whose institutional memory is itself controlled, and program administration — drafting, summarization, analysis over CUI-scoped documents where a general-purpose cloud AI is disqualified by the boundary.
Each lands on the same three-tier engagement model described on the homepage: Local GPT for an air-gapped chatbot on a local open-weight model, Enterprise RAG for cited answers over the customer's corpus, and fAI Model for a fine-tuned model with agentic capabilities on an HA cluster.
Frequently asked questions
Is Onsite AI itself CMMC certified or ITAR compliant?
No. CMMC certifies organizations, not products, and ITAR governs how a US-person organization handles controlled technical data. Onsite AI is an on-premises AI deployment that runs inside the customer's accredited boundary and provides the technical capabilities the customer's SSP author and assessor map to the applicable NIST SP 800-171 control families: SSO/LDAP identity, RBAC, MFA, full-disk encryption, comprehensive audit logging, and fully air-gap-capable operation with signed offline update bundles. Onsite AI does not hold a FedRAMP High authorization, a DoD Impact Level 4/5/6 provisional authorization, StateRAMP, or a pre-issued authorization to operate on any specific government network. The customer scopes and accredits the environment; the deployment supports it.
Why can't we just use ChatGPT Enterprise or Microsoft 365 Copilot for ITAR/EAR-controlled technical data?
Access to ITAR/EAR-controlled technical data by non-US persons is a deemed export. Placing controlled technical data on commercial cloud AI infrastructure is generally treated as an export unless a specific carve-out applies, such as the end-to-end encryption provision at 22 CFR 120.54. Commercial AI products cannot satisfy that carve-out because they process prompts in the clear. A commercial cloud AI product runs on vendor-managed infrastructure whose operators, storage, model weights, and telemetry sit outside the customer's export-controlled boundary. For CUI in a CMMC boundary, DFARS 252.204-7012 requires cloud services that store, process, or transmit CUI to meet security requirements equivalent to the FedRAMP Moderate baseline, a posture commercial consumer AI products do not hold. Onsite AI runs inference, retrieval, and storage inside the customer's perimeter.
How does Onsite AI fit into our CMMC scope and system security plan (SSP)?
The deployment sits inside the CUI boundary the customer defines in their SSP: the network segment, hardware, and identity provider already scoped for CUI-handling systems. It becomes an information-system component in the SSP with SSO/LDAP identity binding to the customer's IdP, RBAC on models and collections, MFA at the IdP, full-disk encryption of model weights and vector indexes, and an append-only audit record of user actions, retrieval queries, tool calls, model responses, and administrative events. The SSP author maps these mechanisms to the applicable NIST SP 800-171 families; the Access Control (3.1) and Audit and Accountability (3.3) walkthroughs elsewhere on this page describe how two of them land in practice. A Discovery and Scoping Engagement produces the architecture drawing and control-support narrative your SSP author needs to draft the corresponding sections. Accreditation authority remains with the customer's Authorizing Official.