Primary Wedge

Defense & Federal

AI governance architecture for controlled federal and defense workloads. CMMC mapping support, stdlib-only primitives, and deployment patterns that stay inside the customer authorization boundary. HUMMBL does not claim FedRAMP authorization, CMMC certification, legal advice, or government approval.

The problem

Defense primes and cleared subcontractors are being asked to deploy AI-assisted development tooling under accelerating compliance obligations. The CMMC final program rule was published in October 2024, and DoD's public CMMC page says phased implementation began on November 10, 2025 with Phase 1 focused primarily on Level 1 and Level 2 self-assessments. Any finding depends on the customer's assessment scope and evidence.

OMB M-25-21 and M-25-22 added AI governance language to federal acquisition in April 2025. The DoD Responsible AI Strategy is cascading through the prime/sub relationship — and primes are excluding subs that cannot document AI governance posture.

The structural gap: many cloud-hosted AI governance platforms may be unsuitable for a customer's controlled environment unless they fit that customer's authorization boundary, data-handling rules, and assessment scope. HUMMBL's public claim is narrower: stdlib-only primitives can be deployed by the customer inside environments they authorize and control.

Why HUMMBL fits

  • Stdlib-only, zero runtime dependencies — no third-party supply chain, no npm/pip graph for a supply-chain attack
  • Open source, assessor-reviewable — customer reviewers can inspect the code, read the governance bus in a text editor, and verify HMAC signatures with their own tools
  • Customer-controlled deployment — source can run in customer-authorized dev, staging, or production enclaves when the customer controls the authorization boundary and required safeguards. Same architecture, no cloud runtime dependency
  • Contract-driven — every primitive carries a SemVer-versioned contract with frozen baseline tags, suitable for configuration-management control
  • Append-only audit trail — evidence that's portable, grep-friendly, and survives air-gap transfers on physical media

CMMC Program / NIST SP 800-171 mapping boundary

Under 32 CFR part 170, CMMC Level 2 security requirements are based on NIST SP 800-171 Rev. 2. HUMMBL primitives can support evidence mapping to selected controls, but the customer's assessment scope, SSP, and assessor determine applicability.

NIST 800-171 Control HUMMBL Primitive
3.1.1 Limit system access to authorized users Delegation Tokens — HMAC-signed, scoped, expiring capability tokens per agent
3.1.2 Limit access to types of transactions authorized users are permitted Delegation Context — capability-fence enforcement per operation
3.3.1 Create and retain system audit logs Governance Bus — append-only JSONL, every action logged
3.3.3 Review and update logged events Governance Bus — grep-friendly, assessor-readable in a text editor
3.3.8 Protect audit information HMAC-SHA256 signed entries, append-only file with atomic writes
3.6.1 Establish operational incident-handling capability Kill Switch — 4-mode runtime halt, sub-2-second MTTH
3.13.1 Monitor, control, and protect organizational communications Circuit Breaker — per-adapter failure containment
3.14.6 Monitor systems including inbound/outbound traffic Governance Bus + Circuit Breaker metrics

A NIST SP 800-171 mapping packet can be prepared as part of an enterprise engagement. It is supporting evidence, not a certification product or legal opinion.

What you get

  • The hummbl-governance Python library (Apache 2.0, PyPI)
  • A CMMC practice-to-primitive mapping handout for customer and assessor review
  • Reference architecture for deployment inside customer-authorized environments
  • Optional: assessor-readiness assist (preparing evidence packets, walking through the governance bus format, answering control-family questions)
  • Optional: custom indemnification and on-prem deployment support

Federal contracting status

HUMMBL does not claim FedRAMP authorization. HUMMBL does not publicly claim SAM registration, UEI, CAGE code, GSA schedule status, CMMC certification, or government approval on this page. Unknown values remain unknown until verified from authoritative records. Customer authorization boundary controls determine where and how any deployment is assessed.

Status: HUMMBL's architecture is built for this surface, but active federal contract delivery requires partnership. If you are a prime, a cleared sub, or a federal systems integrator with CMMC engagement bandwidth and the credit/bonding infrastructure to run federal contracts, we want to talk. HUMMBL provides the architecture and the primitives; partners provide the contract vehicles and the assessor relationships.

For primes, cleared subs, or federal systems integrators exploring AI governance architecture for controlled federal workloads:

Book a 30-minute federal governance architecture review →

See also