Air-Gapped AI Deployment: Building AI Systems for Classified and CMMC-Compliant Environments

Complete guide to deploying AI systems in air-gapped networks including CMMC 2.0 compliance patterns, FedRAMP alternatives, IL5/IL6 network architecture, and supply chain security for defense contractors.

The Unique Requirements of Air-Gapped AI

Air-gapped networks represent the highest level of network isolation — complete disconnection from any external networks including the internet and corporate IT. For government and defense organizations handling Controlled Unclassified Information (CUI), sensitive compartmented information (SCI), or classified data, air-gap provides the only path to AI capabilities without compromising security classifications.

However, building AI systems in air-gapped environments presents challenges that don't exist in connected deployments:

  • Model training constraints — Most modern AI models are trained on public datasets available only over the internet. In air-gapped environments, you must bring in pre-trained models or train locally with curated datasets.
  • Update management — Software patches, model updates, and library upgrades cannot be applied automatically. Each update requires manual vetting, testing, and controlled transfer into the air-gapped environment.
  • Threat intelligence isolation — Air-gapped systems cannot receive real-time threat feeds, vulnerability databases, or security updates that depend on connectivity.
  • Supply chain verification — Every component entering an air-gapped environment must be verified for tampering and malicious code. The transfer mechanism itself becomes a critical security control.
  • Performance constraints — Air-gapped hardware may not have GPU drivers, CUDA libraries, or AI acceleration support readily available due to certification and supply chain requirements.

Despite these challenges, air-gapped AI deployment is not only possible — it's required for many government and defense use cases. This guide covers the complete framework for successful deployment.

When Is Air Gap Required?

Data Classification Network Requirement AI Deployment Implications
Public Information No restrictions Cloud AI acceptable if no PHI/CUI involved.
Federal Contract Information (FCI) NIST SP 800-171 minimum CMMC Level 1 or 2 required. On-premise preferred, cloud acceptable with FedRAMP Moderate + BAA.
Controlled Unclassified Information (CUI) NIST SP 800-171 full controls CMMC Level 2 required. On-premise with segmentation. Some scenarios require IL4 or higher.
Secret Semi-Secret Network (SSTT) Air-gapped AI required. Approved hardware and software only. No external connectivity ever.
Top Secret TS Network TSA-certified AI systems only. Compartment-specific access controls. Highly restricted transfer mechanisms.

CMMC 2.0 AI System Requirements

CMMC 2.0 establishes cybersecurity requirements for defense contractors handling federal contract information. Understanding how CMMC applies to AI systems is essential for compliant deployment.

CMMC Levels and AI Relevance

CMMC Level Requirement AI System Application
Level 1 (Foundational) 17 safeguarding practices from NIST SP 800-171. Focus on protecting FCI. Basic AI usage allowed but with strict endpoint protection, access controls, and antivirus. Cloud AI acceptable if vendor agrees to FCI protections.
Level 2 (Advanced) All 110 NIST SP 800-171 safeguards. Full CUI protection. CMMC assessment required. AIR systems processing CUI must meet all 110 controls. Key requirements for AI: AC.L2-3.5.1 (audit logging), SC.L2-3.5.14 (encryption), SI.L2-3.7.1 (malware detection).
Level 3 (Expert) NIST SP 800-172 enhancements plus incident response and advanced threat protection. Required for high-value contracts. AI systems need enhanced monitoring, continuous authentication, and advanced threat detection. Likely requires air-gap for sensitive workloads.

CMMC Controls Specific to AI Systems

  • AC.L2-3.1.2 — Process and procedure review — Document AI system usage procedures and conduct periodic reviews to ensure continued compliance.
  • AC.L2-3.5.1 — User accounts — Assign unique user IDs for all AI system users. Never allow shared or generic accounts.
  • AC.L2-3.5.3 — Access control policy — Define who can access the AI system and what they can do within it.
  • AT.L2-3.11.1 — Role-based training — Train AI users on security requirements specific to their role (data handlers vs. analysts vs. admins).
  • AU.L2-3.2.1 — Audit events — Log all AI interactions including user queries, model outputs, data accessed, and administrator actions.
  • CM.L2-3.9.1 — Configuration management — Control all changes to AI system configuration including model updates, retraining parameters, and software patches.
  • CP.L2-3.14.1 — Contingency plan — Include AI system recovery in contingency planning. Document recovery time objectives for AI services.
  • IR.L2-3.16.1 — Incident response plan — Include AI-specific incidents: model poisoning, adversarial attacks, unauthorized inference, prompt injection.
  • RA.L2-3.13.1 — Vulnerability monitoring — Monitor AI frameworks and libraries for vulnerabilities. Apply patches per defined timeline.
  • SA.L2-3.14.1 — Supply chain risk — Assess AI vendors and open-source components for supply chain risk. Document SBOM for all AI dependencies.
  • SC.L2-3.5.14 — Cryptography — Encrypt AI data at rest and in transit using NSA-approved algorithms.
  • SI.L2-3.7.1 — Malware detection — Deploy anti-malware on AI infrastructure. Scan all transferred content before introduction into the environment.

CMMC Assessment Evidence for AI

During a CMMC assessment, expect evidence requests related to your AI systems:

  • Configuration baselines for AI servers
  • User access logs showing AI system usage patterns
  • Audit log samples demonstrating user identification and action recording
  • Encryption implementation evidence (certificate validation, key management)
  • Vulnerability scan reports covering AI infrastructure
  • Patch management records for AI software components
  • Incident response exercises that included AI scenarios
  • Training records for personnel with AI system access
  • Vendor assessment documentation for AI providers
  • System security plan (SSP) section describing AI systems

FedRAMP Alternatives for Sensitive Workloads

FedRAMP authorization provides a pathway for using cloud services in government environments, but some use cases exceed even FedRAMP High's requirements. Understanding when FedRAMP suffices versus when air-gap is necessary is critical.

FedRAMP Authorization Levels

FedRAMP Level Authority to Operate AI Use Case Fit
FedRAMP Low Public-facing applications, non-sensitive data Not suitable for most government AI where any CUI is involved.
FedRAMP Moderate Most federal data including unclassified but sensitive Suitable for general purpose AI tools that process limited CUI. Requires additional safeguards for highly sensitive workloads.
FedRAMP High FISMA High, DoD IL4, law enforcement, national security Appropriate for CUI-rich workloads that still require cloud flexibility. Many defense AI initiatives operate here.

When FedRAMP Is Insufficient

Even FedRAMP High may not suffice for certain AI deployments requiring:

  • Physical separation — When data classification or contractual terms prohibit any third-party hosting, including government clouds
  • Compartmented access — SCI, SAP, REFORGER, or other special access programs that require isolation beyond standard High boundaries
  • Geographic sovereignty — Requirements for data to remain physically within specific facilities with no cross-facility movement
  • Supply chain restrictions — Cases where the cloud provider itself (even a government cloud) is considered part of the adversary threat model
  • Real-time response SLAs — Mission-critical operations where milliseconds matter and cloud latency is unacceptable

In these scenarios, air-gapped deployment becomes the only viable option. The tradeoff is reduced agility and increased operational overhead, but it's necessary for missions where breach consequences could compromise national security.

IL5/IL6 Network Design for AI

Information Assurance (IA) levels define increasing tiers of network security for Department of Defense networks. IL5 supports Secret, IL6 supports Top Secret. AI systems deployed at these levels face extreme constraints while operating under strict DOAD and CJCSI standards.

IL5 Requirements

  • Boundary protection — DMZ with stateful inspection firewalls between unclassified and Secret networks.
  • Access control — IDPP (Individual Device Password Protection) required. MFA for remote access points.
  • Malware protection — Approved AV solutions with central management. Content filtering mandatory.
  • Monitoring — Security monitoring at network perimeter and internal segments. Centralized log management.
  • Encryption — FIPS 140-2 validated encryption for data at rest and in transit.
  • Transport protocols — Only approved protocols. TLS 1.2+ for web services.
  • Media transport — CDIP (Cross-Domain Integration Platform) or similar certified devices for data transfer between compartments.

IL6 Additional Requirements

  • Enhanced boundary protection — Stronger firewall rulesets. Multi-stage filtering required.
  • Multi-factor authentication — PIV cards or equivalent cryptographic tokens mandatory for all access.
  • Compartmentalization — Additional logical partitions within IL6 for different access levels (e.g., TS//SCI vs. TS//SF).
  • Enhanced auditing — All access attempts logged. Real-time alerting for anomalous behavior.
  • Physical security — Facilities meeting CNSSP-11 specifications. Biometric access controls.
  • Data diodes — One-way communication devices required for certain compartment transfers.

AI Architecture Patterns for IL5/IL6

  1. Hyperscale inference engines — Deploy GPU clusters with NVLink interconnects. Air-gapped from management networks. Use separate VLANs for training vs. inference traffic.
  2. Secure data staging — Create designated secure areas where data can be prepared for AI consumption. Scanned, sanitized, then transferred through authorized pathways.
  3. Model vault — Secure repository for AI models with access controls matching the classification of data they were trained on. Version-controlled with audit trails.
  4. Dedicated inference tier — Separate servers for production inference, isolated from development environments to prevent cross-contamination.
  5. Output filtering — Review layer for AI outputs to prevent inadvertent disclosure of sensitive information, especially for generative AI systems.

AI Supply Chain Security

The AI supply chain encompasses every component that makes up your AI ecosystem: hardware accelerators, firmware, operating systems, AI frameworks (PyTorch, TensorFlow), libraries, pre-trained models, and tooling. Each represents a potential attack vector that must be managed under CMMC and air-gapped deployment requirements.

Key Supply Chain Risks

Component Risk Category Mitigation Strategy
GPU Hardware Hardware backdoors, tampering during transit, counterfeit products Procure directly from manufacturers. Verify serial numbers. Physical inspection upon receipt. Use TPM chips for integrity verification.
Firmware/Drivers Malicious code in driver packages, compromised NVIDIA driver repositories Download firmware only from manufacturer sites. Verify digital signatures. Maintain offline copies of approved versions. Test in sandbox before deployment.
AI Frameworks Supply chain attacks via package managers (pip, conda, npm), compromised dependencies Pin exact versions in requirements.txt. Use private package mirrors. Sign Python wheel packages. Implement dependency scanning (pip-audit, safety, snyk).
Pre-trained Models Poisoned models, Trojan payloads, malicious fine-tuning weights Use only trusted model sources (Hugging Face verified, internal models). Validate model hashes. Run adversarial robustness testing. Sandboxed evaluation environment.
Data Sets Poisoned training data, backdoor triggers embedded in data Source data from verified origins. Validate data quality and provenance. Implement data cleansing pipelines. Detect distribution shifts.
Development Tools IDE plugins, Jupyter extensions, debugging tools with malicious functionality Whitelist approved development tools. Block unauthorized extensions. Use hardened, immutable development containers.

Software Bill of Materials (SBOM) for AI

An AI-specific SBOM should document:

  • Base OS components — Linux kernel version, distribution, installed packages
  • Hardware inventory — GPU model, VRAM count, storage specifications, network cards
  • AI frameworks — PyTorch/TensorFlow/JAX version, CUDA/cuDNN versions
  • Python dependencies — Complete list of pip/conda packages with exact versions
  • Container images — Docker image names, tags, base layers, build provenance
  • Models and weights — Model identifiers, source, hash values, training dataset references
  • Data pipeline components — ETL tools, data format libraries, transformation scripts

Generate SBOMs using tools like Syft, CycloneDX, or Trivy. Integrate SBOM generation into CI/CD pipelines for automated updates.

Air-Gapped AI Deployment Checklist

  • [ ] Infrastructure planning — Identify dedicated air-gapped facility space. Plan power, cooling, and physical security requirements.
  • [ ] Hardware procurement — Order GPUs, servers, networking equipment directly from manufacturers with documented supply chain.
  • [ ] Firmware verification — Download and verify all firmware from manufacturer websites. Store checksums securely.
  • [ ] OS installation — Install from verified offline media. Configure minimal attack surface. Disable unnecessary services.
  • [ ] Network topology — Design segment topology with proper VLANs. Implement one-way data flow where possible.
  • [ ] Access control — Deploy IAM solution integrated with PKI. Enable MFA for all administrative access.
  • [ ] Monitoring deployment — Install IDS/IPS capable of detecting AI-specific attacks (adversarial examples, model extraction).
  • [ ] Logging configuration — Configure centralized logging to SIEM. Retain logs per regulatory requirements.
  • [ ] Transfer mechanisms — Establish approved processes for importing data, models, and software updates (gap bridges, secure media).
  • [ ] Backup strategy — Design backup and disaster recovery procedures for air-gapped systems. Consider offline backups.
  • [ ] Patch management — Define process for evaluating, testing, and applying security patches to air-gapped systems.
  • [ ] Training program — Develop air-gapped AI security training for operators, administrators, and end users.
  • [ ] Documentation — Create system architecture diagrams, runbooks, SOPs, and incident response playbooks.
  • [ ] Assessment preparation — Prepare for CMMC assessment with full SSP, policies, and evidence collection.
  • [ ] Red team exercise — Conduct adversarial simulation tests targeting AI-specific vulnerabilities.

Next Steps

Air-gapped AI deployment is complex but entirely achievable with careful planning and execution. Begin by documenting your current security posture against CMMC requirements, then design your air-gapped architecture incrementally, validating each phase before proceeding.

BPI specializes in air-gapped AI deployments for government and defense clients. Our Privacy-First AI engagements include air-gapped architecture design, CMMC alignment, and supply chain security planning. Learn more about our government and defense AI services or AI infrastructure services. Book a consultation to discuss your specific deployment requirements.

Related Resources

Need Help Planning Air-Gapped AI Deployment for Your Government or Defense Organization?

Book a free 30-minute consultation. We'll discuss your current security posture, CMMC requirements, and how to architect an air-gapped AI deployment that meets all compliance obligations. No pressure. No pitch deck.

Book a Free Consultation

No commitment. No sales pitch. Just a conversation. We respond within 24 hours.