Defense & Intelligence — AI Governance Landscape

Publisher: Ontic Labs

Version: v1

Last verified: February 15, 2026

Frameworks: Classified information handling (EO 13526); DD Form 254 requirements; DFARS 252.204-7012 / 252.204-7021 (CMMC); EAR (15 CFR 730-774); Executive Order 14028 (cybersecurity); FAR Part 9 (contractor responsibility); FIPS 140-2/3; ICD 503 (IC systems); ITAR (22 CFR 120-130); ITAR/EAR; NIST SP 800-171; NIST SP 800-171/800-53

Industries: defense, intelligence

Defense & Intelligence - Overview

$1.8B DoD AI budget. $800M in vendor contracts. Governance is 50% -- mandated, not optional. This is not a gap buyer. This is a compliance buyer operating under ATO, FedRAMP High, and CMMC. The Appliance deployment was built for this environment.

This is not a gap market. This is a compliance market. The $1.8B DoD AI budget and $800M in vendor contracts operate under ATO, FedRAMP High, CMMC, and DoD Directive 3000.09 for autonomous weapons systems. Governance is 50% -- mandated, not optional. The challenge is not demonstrating that governance matters. It is providing governance infrastructure that operates in air-gapped, SCIF-rated environments where nothing touches a public network. Physical custody of weights and data. Signed firmware. Hardware-enforced constraints. Human authorization required for high-stakes actions. When a mission-critical AI output informs a kinetic decision, the evidentiary chain must be cryptographically provable under the most adversarial examination conditions. The Appliance deployment model exists for exactly this environment.

This industry includes 2 segments in the Ontic governance matrix, both in the 3_evidentiary risk category. AI adoption index: 5/5.

Defense & Intelligence - Regulatory Landscape

The defense & intelligence sector is subject to 12 regulatory frameworks and standards across its segments:

  • Classified information handling (EO 13526)
  • DD Form 254 requirements
  • DFARS 252.204-7012 / 252.204-7021 (CMMC)
  • EAR (15 CFR 730-774)
  • Executive Order 14028 (cybersecurity)
  • FAR Part 9 (contractor responsibility)
  • FIPS 140-2/3
  • ICD 503 (IC systems)
  • ITAR (22 CFR 120-130)
  • ITAR/EAR
  • NIST SP 800-171
  • NIST SP 800-171/800-53

The specific frameworks that apply depend on the segment and scale of deployment. Cross-industry frameworks (GDPR, ISO 27001, EU AI Act) may apply in addition to sector-specific regulation.

Defense & Intelligence - Defense & Intel -- Subcontractor

Risk Category: 3_evidentiary
Scale: Mid-Market
Applicable Frameworks: ITAR (22 CFR 120-130), EAR (15 CFR 730-774), DFARS 252.204-7012 / 252.204-7021 (CMMC), NIST SP 800-171, FAR Part 9 (contractor responsibility), DD Form 254 requirements

CMMC certification does not exempt AI-generated outputs from DFARS flow-down requirements.

The Governance Challenge

Defense subcontractors deploy AI for proposal drafting, past-performance summaries, internal knowledge management, ITAR/EAR compliance screening, and export control validation. DFARS 252.204-7012 and 252.204-7021 (CMMC) requirements flow down from the prime to the subcontractor. NIST SP 800-171 controls apply to CUI in AI systems. ITAR (22 CFR 120-130) and EAR (15 CFR 730-774) govern AI-generated technical data and defense articles. When an AI-generated proposal volume inadvertently includes CUI that was not properly marked, or an export control screening misses a controlled item, the subcontractor faces DFARS compliance action and potential debarment.

Regulatory Application

DFARS 252.204-7012 mandates adequate security for covered defense information in AI systems. DFARS 252.204-7021 (CMMC) certification requirements apply to AI tool procurement and usage. NIST SP 800-171 controls govern CUI handling in AI workflows. ITAR (22 CFR 120-130) restricts AI-generated defense article content. EAR (15 CFR 730-774) governs dual-use AI outputs. FAR Part 9 contractor responsibility requirements apply to AI governance. DD Form 254 classification requirements extend to AI-processed classified information.

AI Deployment Environments

  • Studio: Proposal drafting | Past-performance summary drafting | Internal knowledge management
  • Refinery: ITAR/EAR compliance screening | Export control validation outputs
  • Clean Room: DFARS/CMMC compliance evidence governance | Incident reconstruction bundles

Typical deployment path: Refinery → Refinery → Clean Room

Evidence

  • CMMC 2.0 certification required for all defense contractors handling CUI
  • ITAR/EAR enforcement actions for AI-related violations are emerging
  • Prime contractors increasingly require subcontractor AI governance evidence
  • DFARS flow-down requirements apply to AI outputs without exception

Defense & Intelligence - Defense & Intel -- Prime / IC Agency

Risk Category: 3_evidentiary
Scale: Enterprise
Applicable Frameworks: ITAR/EAR, DFARS 252.204-7012 / 252.204-7021 (CMMC), NIST SP 800-171/800-53, ICD 503 (IC systems), Executive Order 14028 (cybersecurity), Classified information handling (EO 13526), FIPS 140-2/3

Mission-critical AI governance that operates where nothing touches a public network.

The Governance Challenge

Defense primes and IC agencies deploy AI across analyst drafting, situation reports, controlled unclassified information governance, inter-agency report harmonization, and classified environment operations. The regulatory stack is the densest in any industry — ITAR/EAR, DFARS, NIST SP 800-171/800-53, ICD 503, Executive Order 14028, classified information handling under EO 13526, and FIPS 140-2/3 cryptographic requirements. The challenge is not demonstrating that governance matters. It is providing governance infrastructure that operates in air-gapped, SCIF-rated environments where no data leaves the facility, no model phones home, and every update arrives on physical media with a verified chain of custody.

Regulatory Application

ITAR/EAR govern AI-generated defense articles and technical data. DFARS 252.204-7012/7021 (CMMC) mandate adequate security for CUI. NIST SP 800-171 and 800-53 specify the controls. ICD 503 governs IC system authorization. Executive Order 14028 establishes federal cybersecurity standards. Classified information handling (EO 13526) applies to AI processing classified data. FIPS 140-2/3 governs cryptographic modules in AI systems. Every framework requires evidentiary proof, not policy assertions.

AI Deployment Environments

  • Studio: Analyst drafting assist | Situation report drafting
  • Refinery: Controlled unclassified information governance | Inter-agency report harmonization
  • Clean Room: Classified environment governance | Mission-critical decision support | End-to-end chain-of-custody

Typical deployment path: Clean Room (primary) | Refinery for unclassified operations

Evidence

  • DoD FY2024 budget includes about $1.8B for AI and machine learning, with hundreds of millions in vendor awards across programs like CDAO and Replicator
  • DoD Directive 3000.09 requires human judgment in autonomous weapons decision chains
  • CMMC 2.0 required for all defense contractors handling CUI
  • ATO process requires continuous monitoring — not point-in-time attestation