Complete guide to deploying AI systems in air-gapped networks including CMMC 2.0 compliance patterns, FedRAMP alternatives, IL5/IL6 network architecture, and supply chain security for defense contractors.
Air-gapped networks represent the highest level of network isolation — complete disconnection from any external networks including the internet and corporate IT. For government and defense organizations handling Controlled Unclassified Information (CUI), sensitive compartmented information (SCI), or classified data, air-gap provides the only path to AI capabilities without compromising security classifications.
However, building AI systems in air-gapped environments presents challenges that don't exist in connected deployments:
Despite these challenges, air-gapped AI deployment is not only possible — it's required for many government and defense use cases. This guide covers the complete framework for successful deployment.
| Data Classification | Network Requirement | AI Deployment Implications |
|---|---|---|
| Public Information | No restrictions | Cloud AI acceptable if no PHI/CUI involved. |
| Federal Contract Information (FCI) | NIST SP 800-171 minimum | CMMC Level 1 or 2 required. On-premise preferred, cloud acceptable with FedRAMP Moderate + BAA. |
| Controlled Unclassified Information (CUI) | NIST SP 800-171 full controls | CMMC Level 2 required. On-premise with segmentation. Some scenarios require IL4 or higher. |
| Secret | Semi-Secret Network (SSTT) | Air-gapped AI required. Approved hardware and software only. No external connectivity ever. |
| Top Secret | TS Network | TSA-certified AI systems only. Compartment-specific access controls. Highly restricted transfer mechanisms. |
CMMC 2.0 establishes cybersecurity requirements for defense contractors handling federal contract information. Understanding how CMMC applies to AI systems is essential for compliant deployment.
| CMMC Level | Requirement | AI System Application |
|---|---|---|
| Level 1 (Foundational) | 17 safeguarding practices from NIST SP 800-171. Focus on protecting FCI. | Basic AI usage allowed but with strict endpoint protection, access controls, and antivirus. Cloud AI acceptable if vendor agrees to FCI protections. |
| Level 2 (Advanced) | All 110 NIST SP 800-171 safeguards. Full CUI protection. CMMC assessment required. | AIR systems processing CUI must meet all 110 controls. Key requirements for AI: AC.L2-3.5.1 (audit logging), SC.L2-3.5.14 (encryption), SI.L2-3.7.1 (malware detection). |
| Level 3 (Expert) | NIST SP 800-172 enhancements plus incident response and advanced threat protection. | Required for high-value contracts. AI systems need enhanced monitoring, continuous authentication, and advanced threat detection. Likely requires air-gap for sensitive workloads. |
During a CMMC assessment, expect evidence requests related to your AI systems:
FedRAMP authorization provides a pathway for using cloud services in government environments, but some use cases exceed even FedRAMP High's requirements. Understanding when FedRAMP suffices versus when air-gap is necessary is critical.
| FedRAMP Level | Authority to Operate | AI Use Case Fit |
|---|---|---|
| FedRAMP Low | Public-facing applications, non-sensitive data | Not suitable for most government AI where any CUI is involved. |
| FedRAMP Moderate | Most federal data including unclassified but sensitive | Suitable for general purpose AI tools that process limited CUI. Requires additional safeguards for highly sensitive workloads. |
| FedRAMP High | FISMA High, DoD IL4, law enforcement, national security | Appropriate for CUI-rich workloads that still require cloud flexibility. Many defense AI initiatives operate here. |
Even FedRAMP High may not suffice for certain AI deployments requiring:
In these scenarios, air-gapped deployment becomes the only viable option. The tradeoff is reduced agility and increased operational overhead, but it's necessary for missions where breach consequences could compromise national security.
Information Assurance (IA) levels define increasing tiers of network security for Department of Defense networks. IL5 supports Secret, IL6 supports Top Secret. AI systems deployed at these levels face extreme constraints while operating under strict DOAD and CJCSI standards.
The AI supply chain encompasses every component that makes up your AI ecosystem: hardware accelerators, firmware, operating systems, AI frameworks (PyTorch, TensorFlow), libraries, pre-trained models, and tooling. Each represents a potential attack vector that must be managed under CMMC and air-gapped deployment requirements.
| Component | Risk Category | Mitigation Strategy |
|---|---|---|
| GPU Hardware | Hardware backdoors, tampering during transit, counterfeit products | Procure directly from manufacturers. Verify serial numbers. Physical inspection upon receipt. Use TPM chips for integrity verification. |
| Firmware/Drivers | Malicious code in driver packages, compromised NVIDIA driver repositories | Download firmware only from manufacturer sites. Verify digital signatures. Maintain offline copies of approved versions. Test in sandbox before deployment. |
| AI Frameworks | Supply chain attacks via package managers (pip, conda, npm), compromised dependencies | Pin exact versions in requirements.txt. Use private package mirrors. Sign Python wheel packages. Implement dependency scanning (pip-audit, safety, snyk). |
| Pre-trained Models | Poisoned models, Trojan payloads, malicious fine-tuning weights | Use only trusted model sources (Hugging Face verified, internal models). Validate model hashes. Run adversarial robustness testing. Sandboxed evaluation environment. |
| Data Sets | Poisoned training data, backdoor triggers embedded in data | Source data from verified origins. Validate data quality and provenance. Implement data cleansing pipelines. Detect distribution shifts. |
| Development Tools | IDE plugins, Jupyter extensions, debugging tools with malicious functionality | Whitelist approved development tools. Block unauthorized extensions. Use hardened, immutable development containers. |
An AI-specific SBOM should document:
Generate SBOMs using tools like Syft, CycloneDX, or Trivy. Integrate SBOM generation into CI/CD pipelines for automated updates.
Air-gapped AI deployment is complex but entirely achievable with careful planning and execution. Begin by documenting your current security posture against CMMC requirements, then design your air-gapped architecture incrementally, validating each phase before proceeding.
BPI specializes in air-gapped AI deployments for government and defense clients. Our Privacy-First AI engagements include air-gapped architecture design, CMMC alignment, and supply chain security planning. Learn more about our government and defense AI services or AI infrastructure services. Book a consultation to discuss your specific deployment requirements.
AI solutions for government and defense including CMMC-compliant deployments, air-gapped infrastructure, and classified network integration.
Learn More →Custom infrastructure design for air-gapped environments, CMMC compliance, and high-assurance deployments.
Explore Service →Complete hardening guide for AI infrastructure including GPU security, container hardening, and access control.
Read Guide →Book a free 30-minute consultation. We'll discuss your current security posture, CMMC requirements, and how to architect an air-gapped AI deployment that meets all compliance obligations. No pressure. No pitch deck.
Book a Free ConsultationNo commitment. No sales pitch. Just a conversation. We respond within 24 hours.