CMMC Expert 12B

A 12B parameter language model fine-tuned for cybersecurity compliance, specializing in CMMC 2.0, NIST SP 800-171, NIST SP 800-53, HIPAA Security Rule, DFARS, and related regulatory frameworks.

Built by Memoriant, Inc.

Model Details

| Detail | Value |
|---|---|
| Parameters | 12B |
| Quantization | Q5_K_M (GGUF) |
| Context Window | 128K tokens |
| License | Apache 2.0 |
| Training Method | QLoRA (4-bit NF4, rank 64) |
| Training Data | 18,000+ curated compliance Q&A examples |
| Eval Loss | 0.583 |
| Format | GGUF (compatible with Ollama, llama.cpp, LM Studio) |

What This Model CAN Do

  • Answer specific questions about CMMC 2.0 levels, practices, and assessment requirements
  • Draft SSP control descriptions with correct control IDs and assessment objectives
  • Generate POA&M entries with milestones, risk levels, and remediation steps
  • Identify compliance gaps from real-world scenarios (missing MFA, unencrypted devices, shared accounts)
  • Map controls across CMMC, NIST SP 800-171, and NIST SP 800-53 frameworks
  • Explain C3PAO assessment processes, evidence requirements, and scoping guidance
  • Calculate and explain SPRS scoring methodology
  • Distinguish between CMMC levels and correctly reject non-existent levels (Level 4, Level 5)
  • Provide current regulatory awareness (DFARS 7019 elimination, HIPAA NPRM status, CMMC phase timeline)
  • Run 100% locally with no internet connection required

What This Model CANNOT Do

  • Replace a C3PAO assessment - This is an assistant tool, not a certified assessor
  • Provide legal advice - Compliance guidance is not legal counsel
  • Guarantee compliance - Using this model does not make your organization CMMC certified
  • Access live regulatory databases - Knowledge is from training data, not real-time feeds
  • Generate complete SSPs or POA&Ms from scratch - It drafts sections, not full documents
  • Perform technical security scans - It advises on controls, it doesn't test your systems
  • Replace human judgment - Complex scoping decisions, risk acceptance, and policy exceptions require qualified professionals
  • Process images, audio, or video - Text input and output only
  • Guarantee factual accuracy on every response - Responses should be verified against authoritative sources

Intended Use

This model is designed for cybersecurity compliance professionals, defense contractors pursuing CMMC certification, managed security service providers (MSSPs), and compliance consultants.

Recommended deployment: Air-gapped, local inference via Ollama or llama.cpp. No cloud dependency required.

This model is NOT a substitute for professional compliance assessment. It is an assistant tool to support compliance professionals in their work.

Quick Start

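# Download and run with Ollama
ollama run memoriant/cmmc-expert-12b

# Or with llama.cpp
# Note: --host 0.0.0.0 listens on every network interface; use --host 127.0.0.1
# to keep the server reachable from this machine only
llama-server -m cmmc-expert-12b-q5_k_m.gguf --host 0.0.0.0 --port 8080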

Example Usage

User: What are the three CMMC levels?

Assistant: Under the CMMC program (32 CFR Part 170, effective October 15, 2024):

  • Level 1 (Self-Assessment): 15 basic safeguarding requirements from FAR 52.204-21. Organizations handling FCI must meet this level.
  • Level 2 (Self-Assessment or C3PAO Certification): 110 security requirements from NIST SP 800-171. Required for organizations handling CUI.
  • Level 3 (DIBCAC Assessment): Enhanced requirements from NIST SP 800-172. Government-led assessment for the highest sensitivity CUI.

User: Do I need to submit a SPRS Basic Assessment under DFARS 252.204-7019?

Assistant: DFARS 252.204-7019 was eliminated effective February 1, 2026. The requirement to conduct and upload a Basic self-assessment SPRS score under this clause no longer exists. The current DFARS CMMC assessment requirements are found in DFARS 252.204-7020, which requires CMMC certification at the level specified in the contract.

Training Data

Trained on 18,000+ curated Q&A examples covering:

| Framework | Coverage |
|---|---|
| NIST SP 800-53 Rev 5 | 30.1% |
| General Cybersecurity | 24.7% |
| CMMC 2.0 | 12.7% |
| NIST SP 800-171 Rev 3 | 9.9% |
| HIPAA Security Rule | 7.8% |
| FedRAMP | 6.6% |
| NIST General | 5.0% |
| DFARS | 1.7% |
| CUI | 0.8% |
| CIS Controls | 0.7% |

Dataset available separately: memoriant/cmmc-compliance-dataset

Limitations

  • Responses should be verified against authoritative source documents
  • Model knowledge has a training cutoff and may not reflect the most recent regulatory changes
  • Not suitable for generating legally binding compliance documentation without professional review
  • Performance degrades on highly specific organizational scenarios without RAG augmentation
  • 12B parameter model may produce less detailed responses than larger variants
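
One way to automate part of that verification for drafted SSP or POA&M text is to check every cited requirement ID against the NIST SP 800-171 numbering before a human reviews the content. This is an added example, not Memoriant's code: `check_citations` is a hypothetical helper, the family table is hand-entered from NIST SP 800-171 Rev 2 (the 110-requirement set) and should be loaded from the publication in practice, and `DRAFT` is constructed sample output.

```python
import re

# NIST SP 800-171 Rev 2 families: family number -> (CMMC domain, requirement count).
# Hand-entered for this example (assumption); the counts sum to 110.
FAMILIES = {
    1: ("AC", 22), 2: ("AT", 3), 3: ("AU", 9), 4: ("CM", 9), 5: ("IA", 11),
    6: ("IR", 3), 7: ("MA", 6), 8: ("MP", 9), 9: ("PS", 2), 10: ("PE", 6),
    11: ("RA", 3), 12: ("CA", 4), 13: ("SC", 16), 14: ("SI", 7),
}

# Matches a bare ID such as "3.5.3" and the CMMC form "IA.L2-3.5.3".
# Level 3 IDs with an "e" suffix (NIST SP 800-172) are deliberately not matched.
ID_RE = re.compile(r"(?<![\d.])(?:([A-Z]{2})\.L[12]-)?3\.(\d{1,2})\.(\d{1,2})(?!\w)")
LEVEL_RE = re.compile(r"\bCMMC\s+Level\s+(\d+)\b")


def check_citations(text):
    """Return (citation, problem) pairs for IDs and levels that fail validation."""
    findings = []
    for m in ID_RE.finditer(text):
        domain, fam, num = m.group(1), int(m.group(2)), int(m.group(3))
        if fam not in FAMILIES or not 1 <= num <= FAMILIES[fam][1]:
            findings.append((m.group(0), "no such requirement in 800-171 Rev 2"))
        elif domain and domain != FAMILIES[fam][0]:
            findings.append((m.group(0), f"domain should be {FAMILIES[fam][0]}"))
    for m in LEVEL_RE.finditer(text):
        if not 1 <= int(m.group(1)) <= 3:
            findings.append((m.group(0), "no such CMMC level"))
    return findings


# Constructed sample of model-drafted text containing three citation errors.
DRAFT = (
    "MFA for privileged accounts is addressed under IA.L2-3.5.3. "
    "Session lock is covered by AC.L2-3.1.10 and audit review by AC.L2-3.3.5. "
    "Password reuse falls under 3.5.12, required for CMMC Level 4."
)

if __name__ == "__main__":
    for citation, problem in check_citations(DRAFT):
        print(f"{citation}: {problem}")
```

A clean result only means the identifiers exist and are well-formed; whether the drafted text matches what the requirement actually says still needs review against the source document.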

Larger Models Available

More capable models (up to 31B parameters) with enhanced reasoning, RAG synthesis, and 256K context windows are available for enterprise deployment through Memoriant, Inc.

These include:

  • Higher parameter models with superior compliance reasoning
  • Instruct-tuned variants optimized for document analysis and RAG workflows
  • Pre-configured deployment packages for air-gapped environments (NVIDIA hardware, on-premise servers)
  • Custom fine-tuning on organization-specific compliance documentation

Contact: memoriant.ai | HuggingFace Organization

About Memoriant

Memoriant, Inc. builds purpose-built AI systems for regulated industries. Our platform transforms domain expertise into deployable, air-gapped AI solutions that run on customer hardware with zero cloud dependency.
