Defense & Federal
AI governance architecture for controlled federal and defense workloads. CMMC mapping support, stdlib-only primitives, and deployment patterns that stay inside the customer authorization boundary. HUMMBL does not claim FedRAMP authorization, CMMC certification, legal advice, or government approval.
The problem
Defense primes and cleared subcontractors are being asked to deploy AI-assisted development tooling under accelerating compliance obligations. The CMMC final program rule was published in October 2024, and DoD's public CMMC page says phased implementation began on November 10, 2025 with Phase 1 focused primarily on Level 1 and Level 2 self-assessments. Any finding depends on the customer's assessment scope and evidence.
OMB M-25-21 and M-25-22 added AI governance language to federal acquisition in April 2025. The DoD Responsible AI Strategy is cascading through the prime/sub relationship — and primes are excluding subs that cannot document AI governance posture.
The structural gap: many cloud-hosted AI governance platforms may be unsuitable for a customer's controlled environment unless they fit that customer's authorization boundary, data-handling rules, and assessment scope. HUMMBL's public claim is narrower: stdlib-only primitives can be deployed by the customer inside environments they authorize and control.
Why HUMMBL fits
- Stdlib-only, zero runtime dependencies — no third-party supply chain, no npm/pip graph for a supply-chain attack
- Open source, assessor-reviewable — customer reviewers can inspect the code, read the governance bus in a text editor, and verify HMAC signatures with their own tools
- Customer-controlled deployment — source can run in customer-authorized dev, staging, or production enclaves when the customer controls the authorization boundary and required safeguards. Same architecture, no cloud runtime dependency
- Contract-driven — every primitive carries a SemVer-versioned contract with frozen baseline tags, suitable for configuration-management control
- Append-only audit trail — evidence that's portable, grep-friendly, and survives air-gap transfers on physical media
CMMC Program / NIST SP 800-171 mapping boundary
Under 32 CFR part 170, CMMC Level 2 security requirements are based on NIST SP 800-171 Rev. 2. HUMMBL primitives can support evidence mapping to selected controls, but the customer's assessment scope, SSP, and assessor determine applicability.
| NIST 800-171 Control | HUMMBL Primitive |
|---|---|
3.1.1 Limit system access to authorized users
|
Delegation Tokens — HMAC-signed, scoped, expiring capability tokens per agent |
3.1.2 Limit access to types of transactions
authorized users are permitted
|
Delegation Context — capability-fence enforcement per operation |
3.3.1 Create and retain system audit logs |
Governance Bus — append-only JSONL, every action logged |
3.3.3 Review and update logged events |
Governance Bus — grep-friendly, assessor-readable in a text editor |
3.3.8 Protect audit information |
HMAC-SHA256 signed entries, append-only file with atomic writes |
3.6.1 Establish operational incident-handling
capability
|
Kill Switch — 4-mode runtime halt, sub-2-second MTTH |
3.13.1 Monitor, control, and protect
organizational communications
|
Circuit Breaker — per-adapter failure containment |
3.14.6 Monitor systems including inbound/outbound
traffic
|
Governance Bus + Circuit Breaker metrics |
A NIST SP 800-171 mapping packet can be prepared as part of an enterprise engagement. It is supporting evidence, not a certification product or legal opinion.
What you get
-
The
hummbl-governancePython library (Apache 2.0, PyPI) - A CMMC practice-to-primitive mapping handout for customer and assessor review
- Reference architecture for deployment inside customer-authorized environments
- Optional: assessor-readiness assist (preparing evidence packets, walking through the governance bus format, answering control-family questions)
- Optional: custom indemnification and on-prem deployment support
Federal contracting status
HUMMBL does not claim FedRAMP authorization. HUMMBL does not publicly claim SAM registration, UEI, CAGE code, GSA schedule status, CMMC certification, or government approval on this page. Unknown values remain unknown until verified from authoritative records. Customer authorization boundary controls determine where and how any deployment is assessed.
For primes, cleared subs, or federal systems integrators exploring AI governance architecture for controlled federal workloads:
Book a 30-minute federal governance architecture review →See also
- Browse the primitives
- The HUMMBL method — why primitives, not platforms
- Security posture — honest compliance status