A locally-hosted, fine-tuned language model specialized in CMMC 2.0, NIST 800-171, NIST 800-53, HIPAA, DFARS, and cybersecurity compliance frameworks.

Notice: Research models are provided for evaluation purposes only. The Gemma 4 31B flagship is not publicly available — enterprise deployment runs through the Memoriant Platform. For commercial licensing, pilot programs, or partnership inquiries, contact Nathan Maine or visit memoriant.ai.

Built to answer the question: Can a small team deploy a domain-specific AI compliance advisor that runs entirely on-premises — no cloud, no API fees, no CUI exposure?

Yes. Multiple model sizes from 4B edge models to 31B flagship — laptop to workstation to air-gapped appliance.

Current release: Q2 2026 — Gemma 4 31B flagship (private, enterprise-only, eval loss 0.4517). Two public Nemotron specialized models launching Q2 2026 (lookup specialist + POA&M generator). All Memoriant datasets and benchmarks refreshed quarterly. Published under Memoriant, Inc. organization.

Organizations pursuing CMMC certification face a knowledge bottleneck. Compliance staff spend hours searching across NIST publications, CMMC assessment guides, and DFARS clauses to answer questions that a well-trained model can handle in seconds.

Commercial LLMs (GPT-4, Claude) are powerful but introduce data residency concerns for organizations handling CUI and ITAR-controlled information. These models run fully local — no data leaves the premises, no internet required, no per-token costs.

AI systems make mistakes. Always review AI-generated output before using it for any purpose.

Any AI system — including those trained on the Memoriant datasets — can produce factually incorrect information, hallucinated citations, outdated guidance, or plausible-sounding fabrications. Never submit AI output directly to DoD assessors, regulatory agencies, or formal compliance documentation without qualified human review.

This is especially critical for CMMC and defense compliance. Wrong answers can cause failed assessments. Failed assessments can cost DoD contracts. C3PAO assessors verify human understanding, not AI output. The DoD holds contractors accountable for their submissions, not the tools they used.

Memoriant's position: AI is a force multiplier for compliance professionals, not a replacement. The human stays accountable. The AI accelerates the work. Every output is a draft for human review.

Models trained across multiple base architectures on the v6.0 dataset (18,202 curated examples). Published under Memoriant, Inc. organization.

Flagship (private — enterprise deployment only):

The Gemma 4 31B flagship is the best-performing compliance AI model Memoriant has trained. It is not publicly available — the weights remain private as product IP. Enterprise deployment through the Memoriant Platform includes the flagship model, RAG with 30+ authoritative government documents, governed LLM gateway with audit trails, and quarterly regulatory updates.

Contact Memoriant, Inc. for enterprise licensing.

Research Models (earlier training experiments):

Two specialized models trained on NVIDIA Nemotron 3 base architectures. Published publicly under memoriant/ on HuggingFace under the NVIDIA Nemotron Open Model License. Each model is highly specialized — excellent at one specific task rather than mediocre at many.

Model 1: Lookup Specialist (Edge Tier — 4B)

Fine-tuned for fast, accurate CMMC control knowledge. Runs on a laptop, phone, or edge device.

What it does well:

• Look up any CMMC control (AC.L2-3.1.1 through SI.L2-3.14.7) with full detail
• Identify control families and levels correctly
• Explain NIST 800-171 controls in plain English
• Point to the right DFARS clauses for each requirement
• Refuse to hallucinate (Level 4/5, non-existent controls)

What it does NOT do:

• Draft SSPs
• Generate POA&Ms
• Perform gap analysis
• Multi-turn compliance reasoning

Tagline: "The CMMC control reference that fits in your pocket. Offline. Free."

Model 2: POA&M Generator (Professional Tier — 30B MoE)

Fine-tuned for remediation planning — POA&M and SSP drafting. 30B total parameters but only 3.5B active per token (Mixture of Experts), so inference is fast despite the model size. 1M token context window.

What it does well:

• Generate professional POA&M entries for failed controls
• Draft SSP control descriptions
• Identify remediation steps and milestones
• Recommend evidence artifacts
• Structured output with control IDs, timelines, resources
• Basic gap analysis for common scenarios

What it does NOT do:

• Track v6.0 regulatory updates (Phase 2 timeline, DFARS 7019 elimination, HIPAA NPRM)
• Perform complex multi-framework mapping
• Provide C3PAO-specific assessment guidance
• RAG-grounded responses with source citations

Tagline: "Generate POA&M entries and SSP drafts in seconds. Human review required. 100x cheaper than a consultant."

Upgrade Path:

1. Free — Lookup Specialist (4B) → Learn CMMC basics, reference tool
2. Free — POA&M Generator (30B) → Draft compliance documentation
3. Enterprise — Memoriant Platform → Full flagship model + RAG + audit trails + monthly updates

Both Nemotron models will be published under the NVIDIA Nemotron Open Model License (commercial-friendly, no layered licensing).

Training Method: QLoRA fine-tuning (4-bit NF4, rank 64, alpha 128) on NVIDIA B200, H200, and DGX Spark hardware

Runtime: Ollama (OpenAI-compatible API at localhost:11434/v1) or llama.cpp (6.5x faster for serving)

All Memoriant assets are now on a quarterly versioning cadence with auto-gated access (login required, auto-approved). Each release is dated and expires at quarter end — new versions incorporate regulatory updates, DFARS amendments, and NIST revisions.

Training Data:

Benchmarks (Tiered — use the right one for your purpose):

If you are deploying compliance AI in a regulated environment, v3 is the only credible evaluation. v1 and v2 are preliminary tools.

Models:

The flagship Gemma 4 31B is not publicly available — enterprise deployment only through the Memoriant Platform. Contact Memoriant, Inc. for licensing.

All Memoriant datasets and models follow a quarterly release cadence:

• Q2 2026 (current) — Valid through June 30, 2026
• Q3 2026 — Releases July 1, 2026
• Q4 2026 — Releases October 1, 2026

Why quarterly: CMMC regulations, DFARS clauses, and NIST publications update continuously. A frozen benchmark becomes invalid within a quarter. A model trained on stale data produces stale answers. Quarterly refresh ensures evaluation and training stay current with the regulatory landscape.

Using assets after their expiration date produces incomplete evaluations and outdated model behavior.

Quick start with Ollama:

# Download and run the 12B model
ollama run memoriant/cmmc-expert-12b

# Or use the OpenAI-compatible API
curl http://localhost:11434/v1/chat/completions \
  -H "Content-Type: application/json" \
  -d '{
    "model": "memoriant/cmmc-expert-12b",
    "messages": [{"role": "user", "content": "What are the access control requirements for CMMC Level 2?"}]
  }'

Remember: Always review AI output before using it for compliance work. See the AI Safety Disclaimer at the top of this document.

Released: February 2026

Version 2.0 significantly expands the training corpus with authoritative source material scraped directly from government APIs and official publications. An automated data pipeline handles scraping, conversion, quality filtering, deduplication, and versioning with full reproducibility.

• 40% more training data — 18,747 total examples (up from 16,906 in v1.0)
• 6 new authoritative sources — NIST SP 800-53 Rev. 5, NIST CSF 2.0, eCFR regulations, Federal Register, DoD PDFs, NIST SP 800-171 Rev. 3
• Expanded LoRA coverage — All 7 transformer modules targeted across all model sizes
• Best eval loss: 1.048 — 72B flagship model achieves the lowest loss in the suite
• Improved across the board — 7B eval loss improved from 1.241 (v1.0) to 1.142 (v2.0)

The regulatory landscape changed substantially since the v1.0 training data was assembled. Version 2.0 addresses these gaps:

14,906 training + 3,841 validation examples (~4.5M tokens) assembled from 11 sources:

The v2.0 data pipeline (cmmc-data-pipeline) is fully automated and reproducible:

                Authoritative Sources
    ┌──────────────────────────────────────────┐
    │  NIST OSCAL (GitHub)    eCFR API         │
    │  DoD PDFs               Federal Register │
    └─────────────────┬────────────────────────┘
                      │
                      ▼
    ┌──────────────────────────────────────────┐
    │  Step 1: Scrape                          │
    │  Rate-limited, retry-enabled scrapers    │
    │  Raw JSON saved to data/raw/{source}/    │
    ├──────────────────────────────────────────┤
    │  Step 1b: Relevance Filter               │
    │  eCFR filtered to CMMC-relevant DFARS    │
    │  clauses only (252.204-70xx, 252.239)    │
    ├──────────────────────────────────────────┤
    │  Step 2: Convert                         │
    │  Source-specific templates generate       │
    │  chat-format instruction/response pairs  │
    ├──────────────────────────────────────────┤
    │  Step 3: Quality Filter                  │
    │  Min length, max length (8K), alpha ratio│
    ├──────────────────────────────────────────┤
    │  Step 4: Deduplicate                     │
    │  xxhash exact + MinHash LSH near-dedup   │
    │  (128 perms, Jaccard 0.8, 5-gram)        │
    ├──────────────────────────────────────────┤
    │  Step 5: Validate                        │
    │  Format checks, quality scoring, stats   │
    ├──────────────────────────────────────────┤
    │  Step 6: Version                         │
    │  Immutable snapshots with rollback       │
    ├──────────────────────────────────────────┤
    │  Step 7: Merge                           │
    │  Cross-version dedup against v1.0 data   │
    └──────────────────────────────────────────┘

The pipeline supports both full scrapes and incremental updates. Each run creates a versioned snapshot that can be inspected, diffed, or rolled back before merging into the training dataset.

All models trained using QLoRA (Quantized Low-Rank Adaptation) — base weights frozen in 4-bit NF4, trainable adapter layers injected into all 7 transformer projection modules. Trained on NVIDIA A100-SXM4-80GB via RunPod.

The 72B model used Unsloth for memory-efficient 4-bit loading, enabling QLoRA fine-tuning on a single A100-80GB without multi-GPU setups.

All models showed continuous improvement across training with no overfitting observed.

Per-Model Training Metrics:

The 72B model achieves the lowest eval loss in the suite (1.048), demonstrating that model scale continues to improve compliance reasoning quality even with the same training data.

v1.0 vs v2.0 Comparison (7B):

The models understand the full chain from contract clause to technical implementation:

DFARS 252.204-7012 — Safeguarding Covered Defense Information

• Adequate security requirements for CUI on contractor systems
• Cyber incident reporting obligations (72-hour timeline)
• Flow-down requirements to subcontractors
• Relationship to NIST SP 800-171 compliance

DFARS 252.204-7019 — Notice of NIST SP 800-171 Assessment

• SPRS (Supplier Performance Risk System) scoring methodology
• Self-assessment requirements and documentation
• DoD Assessment Methodology (Basic, Medium, High)

DFARS 252.204-7020 — NIST SP 800-171 DoD Assessment Requirements

• Government assessment access and cooperation requirements
• Relationship between SPRS scores and assessment levels

DFARS 252.204-7021 — Cybersecurity Maturity Model Certification

• CMMC level requirements by contract type
• Phase-in timeline and applicability
• Relationship between CMMC levels and NIST SP 800-171/172

┌──────────────────────────────────────────────────────────┐
│                     User Query                            │
│   "What access control requirements apply to              │
│    CMMC Level 2 for CUI handling?"                        │
└──────────────────────┬────────────────────────────────────┘
                       │
                       ▼
┌──────────────────────────────────────────────────────────┐
│              Ollama Runtime (Local)                        │
│  ┌────────────────────────────────────────────────────┐   │
│  │  Foundation Model (frozen, 4-bit quantized)         │   │
│  │  + QLoRA Adapters (compliance-tuned)                │   │
│  │                                                     │   │
│  │  7B  — quick lookups, day-to-day queries            │   │
│  │  14B — detailed analysis, multi-control reasoning   │   │
│  │  32B — deep gap assessments, SSP drafting           │   │
│  │  72B — complex multi-framework analysis             │   │
│  └────────────────────────────────────────────────────┘   │
│  System prompt: Compliance expert across CMMC/NIST/HIPAA  │
└──────────────────────┬────────────────────────────────────┘
                       │
                       ▼
┌──────────────────────────────────────────────────────────┐
│              Structured Response                          │
│   - Framework-specific references (SP 800-171 §3.1)      │
│   - Implementation guidance                               │
│   - Assessment evidence requirements                      │
│   - Cross-framework mappings (CMMC ↔ 800-53 ↔ HIPAA)    │
│   - DFARS clause applicability                            │
└──────────────────────────────────────────────────────────┘

This model suite was designed for environments where data sovereignty matters:

• Fully air-gappable — Runs entirely on local hardware after initial download. No internet required for inference
• No telemetry — No data is transmitted to any external service
• No third-party API dependency — No per-query costs, no rate limits, no data exposure to cloud providers
• CUI-safe deployment — Suitable for use in environments processing Controlled Unclassified Information, as no data leaves the local system boundary
• Customizable — Can be further fine-tuned with organization-specific policies, SSPs, and internal security documentation

OS: Linux, macOS, Windows (WSL2)

cmmc-compliance-ai-model/
├── README.md                    # This file
├── docs/
│   ├── training-methodology.md  # Detailed QLoRA configuration and rationale
│   ├── data-pipeline.md         # Full pipeline documentation with filtering logic
│   └── evaluation-results.md    # Eval metrics, example outputs, failure modes
├── pipeline/
│   ├── 01_format_converter.py   # Raw → chat-style instruction pairs
│   ├── 02_quality_filter.py     # Length, artifact, and fragment removal
│   ├── 03_relevance_filter.py   # NIST relevance scoring and sampling
│   ├── 04_deduplication.py      # xxhash exact + MinHash LSH near-dedup
│   └── 05_train_val_split.py    # Stratified split with source balancing
├── training/
│   ├── train_qlora.py           # QLoRA training script
│   ├── config.yaml              # Hyperparameters and training config
│   └── merge_and_quantize.py    # Adapter merge + GGUF quantization
├── evaluation/
│   ├── eval_compliance.py       # Framework-specific accuracy testing
│   └── eval_cross_mapping.py    # Cross-framework mapping validation
├── deployment/
│   ├── Modelfile                # Ollama model configuration
│   └── setup_ollama.sh          # Local deployment script
└── publishing/
    ├── huggingface/             # Model cards + upload scripts
    ├── ollama/                  # Ollama Library submission guide
    └── github-releases/         # GitHub Release creation script

Note: This repo contains the pipeline code, training configuration, and documentation. Pre-trained model weights (GGUF) are available on Hugging Face. Training data and checkpoints are excluded from the repository.

• v1.0 - 4 models (7B-72B) trained on Qwen2.5, published on HuggingFace
• v2.0 - Automated scraping pipeline, expanded to 18,747 examples from 11 sources
• v3.0 - Base model migration to US-origin architectures (Gemma, Llama, Phi, OLMo, Granite)
• v3.0 - 13 models trained across 8 architectures on NVIDIA B200 and DGX Spark
• v3.0 - Flagship: Gemma 4 31B (eval loss 0.4517, day-zero fine-tuning)
• v3.0 - Published under Memoriant, Inc. HuggingFace organization
• v3.0 - Standardized compliance benchmark (46 questions, 9 tiers) published
• v3.0 - CMMC Expert Platform v08 (orchestrator + gateway + RAG + PII + audit trails)
• v3.0 - Open source contributions: huggingface/peft#3129, huggingface/transformers#45200
• v3.1 - Platform v09 with Qdrant vector search (replacing ChromaDB)
• v3.1 - Gemma 4 26B-A4B MoE fine-tuning (fast inference variant)
• v3.2 - 500+ question production benchmark (full NIST 800-171 coverage)
• v4.0 - Agent integration with CrewAI for multi-agent compliance workflows
• v4.0 - FedRAMP baselines, CIS Controls, and ITAR coverage
• v4.0 - Custom fine-tuning pipeline for organization-specific compliance data

• Base Models (v3.0): Google Gemma 4 (flagship), Google Gemma 3, Meta Llama 3.1, Microsoft Phi-4, AI2 OLMo-2, IBM Granite 3.1
• Base Models (v2.0 legacy): Qwen2.5 Instruct (7B, 14B, 32B, 72B)
• Training: HuggingFace TRL + PEFT + bitsandbytes -- QLoRA fine-tuning
• Quantization: llama.cpp -- GGUF format (Q4_K_M / Q5_K_M)
• Inference: Ollama -- Local deployment with OpenAI-compatible API
• Vector Search: Qdrant (v09) / ChromaDB (v08) -- RAG pipeline
• Platform: Custom orchestrator + governed-llm-gateway -- Auth, PII, policy, audit
• Data Pipeline: cmmc-data-pipeline -- 8 automated scrapers, MinHash dedup, 5-phase pipeline
• Data Sources: NIST OSCAL, eCFR API, Federal Register API, CISA KEV, CIS Controls, DoD PDFs, FedRAMP
• Training Hardware: NVIDIA B200 192GB (RunPod), NVIDIA DGX Spark GB10 128GB (on-premises)
• Organization: Memoriant, Inc. on HuggingFace

All training data is derived from publicly available, authoritative government sources:

• The model is trained on publicly available compliance framework documentation. It does not contain classified or controlled information.
• Responses should be treated as expert-informed guidance, not as legal or regulatory determinations. All compliance decisions should be validated by qualified assessors.
• The model's knowledge reflects the training data at time of creation. Regulatory updates published after the training cutoff should be incorporated through the automated pipeline or RAG.
• Performance on highly specialized or edge-case compliance scenarios may vary. The model performs best on well-documented framework requirements.

Built by Nathan Maine — Solving compliance bottlenecks with purpose-built AI.