A suite of fine-tuned language models specialized in CMMC 2.0, NIST 800-171, NIST 800-53, HIPAA, DFARS, and cybersecurity compliance frameworks. Built for on-premises, air-gapped deployment β no data leaves your network.
Built to answer the question: Can a small team deploy a domain-specific AI compliance advisor that runs entirely on-premises β no cloud, no API fees, no CUI exposure?
Yes. Four model sizes from 5 GB to 45 GB β from laptop to workstation to server.
Current release: Version 2.0 (February 2026) β All four models retrained on expanded dataset.
v3.0 (February 2026) β Experimental 7B testing alternative training methodology.
# Install Ollama (if needed)
curl -fsSL https://ollama.ai/install.sh | sh
# Download and run (pick your size)
ollama run Nathan-Maine/cmmc-expert-7b-v2.0
# Ask a compliance question
>>> What access control requirements apply to CMMC Level 2 for CUI handling?
# Or use the OpenAI-compatible API
curl http://localhost:11434/v1/chat/completions \
-H "Content-Type: application/json" \
-d '{
"model": "Nathan-Maine/cmmc-expert-7b-v2.0",
"messages": [{"role": "user", "content": "Map CMMC AC.L2-3.1.1 to its NIST 800-53 and HIPAA equivalents"}]
}'
| Need | Model | GGUF Size | VRAM | Speed | Link |
|---|---|---|---|---|---|
| Quick lookups, day-to-day queries | 7B v2.0 | 5.1 GB | 6 GB | ~1-2s | Download |
| Detailed analysis, multi-control reasoning | 14B v2.0 | 9.8 GB | 12 GB | ~3-5s | Download |
| Deep gap assessments, SSP drafting | 32B v2.0 | 18.9 GB | 24 GB | ~30-60s | Download |
| Complex multi-framework synthesis | 72B v2.0 | 45 GB | 48 GB | ~2-4 min | Download |
Start with the 7B for most use cases. Move up to 14B or 32B when you need deeper reasoning across multiple frameworks or long-form document generation. The 72B is for the hardest problems β simultaneous analysis across all 8+ frameworks with full citation chains.
All models run on CPU-only as well (slower but no GPU required). Double the VRAM numbers for approximate RAM requirements.
Organizations pursuing CMMC certification face a knowledge bottleneck. Compliance staff spend hours searching across NIST publications, CMMC assessment guides, and DFARS clauses to answer questions that a well-trained model can handle in seconds.
Commercial LLMs (GPT-4, Claude) are powerful but introduce data residency concerns for organizations handling CUI and ITAR-controlled information. These models run fully local β no data leaves the premises, no internet required, no per-token costs.
The base models use abliterated variants of Qwen2.5-Instruct. Standard instruction-tuned models refuse to discuss vulnerability details, attack patterns, and exploitation techniques β all of which are essential for compliance work. Security assessments require analyzing threats, testing controls, and documenting attack scenarios. Abliteration removes these safety refusals so the model provides complete, accurate compliance guidance including threat analysis and vulnerability assessment.
Trained across eight overlapping frameworks to support cross-framework mapping β because organizations rarely have single-framework obligations:
| Framework | Coverage |
|---|---|
| CMMC 2.0 (32 CFR Part 170) | All three levels β L1, L2, L3 practices, assessment methodology, actual regulatory text |
| NIST SP 800-171 Rev. 2 & 3 | Rev. 2 (110 requirements) + Rev. 3 (97 controls with assessment objectives and 88 ODPs) |
| NIST SP 800-172 Rev. 3 | Enhanced CUI requirements for critical programs (Final Public Draft) |
| NIST SP 800-53 Rev. 5 | Full OSCAL catalog β 1,016 controls + enhancements with structured statements |
| NIST CSF 2.0 | 6 functions (adds GOVERN), 34 categories, 174 subcategories |
| NIST SP 800-37 | Risk Management Framework (RMF) steps and authorization process |
| HIPAA Security Rule | Administrative, physical, and technical safeguards + full 45 CFR 164 text |
| DFARS Clauses | 252.204-7012, 7019, 7020, 7021 β full regulatory text and analysis |
The models understand the full compliance chain: from DFARS contract clauses β CMMC level requirements β NIST 800-171 controls β NIST 800-53 mappings β implementation evidence. They can trace a requirement from a contract clause all the way down to the specific technical control and assessment objective.
| Application | Description |
|---|---|
| SSP Generation | Draft System Security Plan control descriptions with proper NIST/CMMC citations |
| Gap Analysis | Identify which controls are required for specific CMMC levels and contract requirements |
| Cross-Framework Mapping | Map controls between CMMC β NIST 800-53 β HIPAA β DFARS with rationale |
| Assessment Prep | Generate evidence checklists and assessment objective narratives |
| Policy Drafting | Create policies and procedures aligned to specific CMMC practices |
| DFARS Clause Analysis | Trace requirements from contract clauses through CMMC to technical controls |
| Training & Education | Always-available compliance reference for teams β no waiting for SMEs |
| RMF Integration | Map compliance activities to Risk Management Framework steps |
The project started in January 2026 with a simple hypothesis: QLoRA fine-tuning on curated compliance data could produce a useful domain-specific model at a fraction of the cost of commercial alternatives. Three versions later, we've validated that hypothesis and learned a lot about what works (and what doesn't) for knowledge-dense compliance domains.
Goal: Prove that fine-tuning works for compliance.
v1.0 proved the concept. The models could accurately cite specific CMMC practices, map controls across frameworks, and generate structured compliance documents. Even the 7B model was useful for day-to-day compliance queries.
| Model | Eval Loss | Train Loss | GGUF | Training Time |
|---|---|---|---|---|
| cmmc-expert-7b | 1.241 | 1.030 | 5.1 GB (q5_k_m) | ~3.1h |
| cmmc-expert-14b | β | β | ~10 GB (q5_k_m) | ~6h |
| cmmc-expert-32b | β | β | ~19 GB (q4_k_m) | ~14h |
| cmmc-expert-72b | 1.004 | β | ~42 GB (q4_k_m) | ~32h |
Goal: Expand coverage with authoritative source material via automated pipeline.
The compliance landscape evolved significantly: NIST SP 800-171 Rev. 3 replaced Rev. 2, NIST CSF 2.0 added the GOVERN function, the CMMC Final Rule (32 CFR 170) was published, and new DFARS clauses took effect. v2.0 addresses all of these.
Key improvements over v1.0:
| Model | Eval Loss | Train Loss | GGUF | Training Time |
|---|---|---|---|---|
| cmmc-expert-7b-v2.0 | 1.142 | 1.030 | 5.1 GB (q5_k_m) | ~3.1h |
| cmmc-expert-14b-v2.0 | 1.144 | 1.009 | 9.8 GB (q5_k_m) | ~6.5h |
| cmmc-expert-32b-v2.0 | 1.073 | 1.005 | 18.9 GB (q4_k_m) | ~9.6h |
| cmmc-expert-72b-v2.0 | 1.048 | 0.966 | 45 GB (q4_k_m) | ~13.0h |
Goal: Test whether alternative hyperparameters could match v2.0 quality with a simpler setup.
v3.0 is a deliberate experiment, not a production release. It tests four hypotheses:
Result: v2.0 wins convincingly. The v3.0 train loss (1.479) is significantly higher than v2.0's (1.030). The experiment confirmed that for compliance β a knowledge-dense domain with 320+ distinct practices β LoRA rank and epoch count matter more than base quantization precision or module breadth.
| Model | Train Loss | Eval Loss | Method | Notes |
|---|---|---|---|---|
| cmmc-expert-7b-v3.0 | 1.479 | N/A | LoRA r=8, 8-bit, 1 epoch, Axolotl, H100 | See model card for detailed lessons learned |
Key takeaways from v3.0:
Nathan-Maine/cmmc-compliance-dataset β 18,747 curated examples (~4.5M tokens)
All data is derived from publicly available, authoritative government sources. Chat format with system/user/assistant messages.
| Source | Records | Coverage |
|---|---|---|
| NIST Cybersecurity Publications | 6,372 | SP 800-171, 800-172, 800-53, 800-37, CSF, and related guidance |
| CMMC Primary | 4,787 | CMMC 2.0 requirements, controls, implementation guidance |
| CMMC Balanced | 994 | Proportional coverage across all CMMC domains |
| HIPAA Compliance | 961 | Security Rule requirements and technical safeguards |
| CMMC Core | 320 | High-priority practices and assessment-critical requirements |
| Source | Records | Method |
|---|---|---|
| NIST SP 800-53 Rev. 5 | 773 | OSCAL JSON catalog β full control catalog including enhancements |
| DoD Documents | 519 | PDF extraction β Assessment Guide L2, Scoping Guides, ODP Values |
| Federal Register | 350 | Federal Register API β CMMC rulemakings, DFARS notices |
| eCFR Regulations | 75 | eCFR API β 32 CFR 170 (CMMC), DFARS cyber clauses, 45 CFR 164 (HIPAA) |
| NIST SP 800-171 Rev. 3 | 63 | OSCAL JSON β 97 controls with assessment objectives and ODPs |
| NIST CSF 2.0 | 61 | OSCAL JSON β 34 categories + subcategories with implementation examples |
The v2.0 data was produced by a fully automated, reproducible pipeline: scrape β relevance filter β convert β quality filter β MinHash LSH dedup β validate β version β merge. Each run creates an immutable versioned snapshot.
Pipeline source: github.com/NathanMaine/cmmc-data-pipeline
All v2.0 models trained with QLoRA β base weights frozen in 4-bit NF4, trainable adapters injected into all 7 transformer projection modules. Trained on NVIDIA A100-SXM4-80GB via RunPod.
| Parameter | 7B | 14B | 32B | 72B |
|---|---|---|---|---|
| LoRA rank | 64 | 16 | 32 | 16 |
| LoRA alpha | 128 | 32 | 64 | 32 |
| Target modules | All 7 | All 7 | All 7 | All 7 |
| Effective batch | 32 | 16 | 16 | 16 |
| Learning rate | 2e-4 | 1e-4 | 1e-4 | 5e-5 |
| Epochs | 3 | 3 | 3 | 3 |
| Sequence length | 2048 | 2048 | 2048 | 2048 |
| Framework | TRL + PEFT | TRL + PEFT | TRL + PEFT | Unsloth + TRL |
| Parameter | Value |
|---|---|
| LoRA rank | 8 |
| LoRA alpha | 16 |
| Target modules | All 7 |
| Base quantization | 8-bit (vs 4-bit) |
| Epochs | 1 |
| Framework | Axolotl |
| GPU | H100 PCIe 80GB |
| Decision | Rationale |
|---|---|
| 4 model sizes (7Bβ72B) | Tiered deployment β laptop for quick lookups, workstation for deep analysis |
| QLoRA (not full fine-tune) | Trainable params are <0.3% of total. 50x less compute, comparable domain accuracy |
| Abliterated base models | Removes alignment refusals that interfere with compliance work |
| q5_k_m / q4_k_m quantization | 5-bit for smaller models (accuracy-sensitive), 4-bit for larger (size-constrained) |
| Local-only deployment | CUI/ITAR data cannot leave premises. Zero cloud dependency by design |
| Multi-framework training | Cross-mapping across CMMC, NIST, HIPAA, and DFARS is the real value |
| OSCAL-native scraping | NIST's machine-readable format provides richer data than PDF extraction |
| Model | GPU (VRAM) | CPU-Only (RAM) | Storage |
|---|---|---|---|
| 7B | 6-8 GB | 16 GB | 10 GB |
| 14B | 12 GB | 24 GB | 15 GB |
| 32B | 24 GB | 32 GB | 25 GB |
| 72B | 48 GB | 64 GB | 50 GB |
Supported OS: Linux, macOS, Windows (WSL2)
| Model | GPU Required | Approx. Time | Approx. Cost (RunPod) |
|---|---|---|---|
| 7B | 16+ GB VRAM | ~3 hours | ~$7 |
| 14B | 40+ GB VRAM | ~6.5 hours | ~$16 |
| 32B | 80 GB VRAM | ~9.6 hours | ~$23 |
| 72B | 80 GB VRAM | ~13 hours | ~$31 |
This model suite was designed for environments where data sovereignty matters:
| Resource | Link |
|---|---|
| Source Code | github.com/NathanMaine/cmmc-compliance-ai-model |
| Data Pipeline | github.com/NathanMaine/cmmc-data-pipeline |
| Training Dataset | Nathan-Maine/cmmc-compliance-dataset |
| HuggingFace Collection | All Models |
@misc{maine2026cmmcexpert,
title={CMMC Expert: Fine-Tuned Language Models for Cybersecurity Compliance},
author={Nathan Maine},
year={2026},
url={https://github.com/NathanMaine/cmmc-compliance-ai-model}
}