๐Ÿ›ก Defense & Federal ยท FedRAMP High ยท CMMC L2 ยท NIST AI RMF

Your AI stack probably
fails your next FedRAMP audit.

Nixer audits AI agents, LLMs, code repos, model supply chains, and CI/CD pipelines for the exposures FedRAMP High, CMMC Level 2, NIST AI RMF, and DoD Responsible AI examiners are now requiring documentation on โ€” at primes, integrators, and federal AI product teams.

โš ๏ธ 11/12 top AI repos vulnerable โ€” CVE-2026-2287 deep-dive
๐Ÿ† Live Risk Leaderboard + badge for every repo
โš™๏ธ GitHub Action โ€” scans every PR automatically

Your AI stack is handling CUI.
FedRAMP High controls were written before LLMs existed.

Three attack surfaces that go unmapped in every ATO package for an LLM-backed federal system โ€” and that appear in every Nixer scan of a defense AI product.

๐Ÿ”

FedRAMP High + AI Agents = Unmapped Control Surface

FedRAMP High's AC-6 (Least Privilege) and AC-17 (Remote Access) require documented, bounded access for every system component that touches CUI. MCP-based AI agents โ€” now standard in federal copilots, acquisition tools, and mission analytics โ€” expose tool manifests granting LLMs unrestricted API access that has no corresponding control boundary in any existing ATO package. Nixer audits every MCP endpoint for unauthenticated access and over-scoped tool permissions before your 3PAO does.

nixer/mcp/unauthenticated
๐Ÿ“ฆ

CMMC L2 Supply Chain Controls Don't Cover Model Artifacts

CMMC Level 2 control SR.L2-3.17.1 requires supply chain risk assessment for all external components, but CMMC assessors have no methodology for evaluating model artifact integrity. Pickle-formatted model files downloaded from HuggingFace or internal registries can execute arbitrary code at load time โ€” CVE-2022-45907 demonstrated this against PyTorch nightly. If your team is fine-tuning export-controlled models, an unsigned artifact in your supply chain is a critical gap that no current CMMC assessment tool catches. Nixer does.

nixer/model-supply-chain/pickle-rce
๐Ÿ“Š

NIST AI RMF MEASURE Has No Automated Tooling Without Nixer

The NIST AI RMF MEASURE function (AI 600-1) requires ongoing, quantified assessment of AI risk โ€” including adversarial input testing, output integrity monitoring, and component provenance tracking. DoD Responsible AI Strategy and CNSSI-1253 map to the same requirements. In practice, every federal AI team Nixer has assessed is doing this manually, quarterly, with no automated detection of prompt injection surfaces or CI/CD supply chain exposure. Nixer is the audit-ready MEASURE layer that currently doesn't exist in the federal AI tooling ecosystem.

nixer/prompt-injection/indirect

What Nixer Finds in Defense AI Stacks

Representative findings from scans of LLM-backed federal and defense contractor codebases. Details reflect the real exposure classes โ€” no identifiable systems cited.

โ— Critical

Model Card Missing for Export-Controlled Fine-Tune

A fine-tuned model artifact with no model card, no SHA-256 manifest, and no documented data provenance. Loaded via torch.load() without weights_only=True. Fails CMMC SR.L2-3.17.1 and NIST AI RMF MAP 3.5 component integrity requirements.

nixer/model-supply-chain/pickle-rce
โ— Critical

MCP Tool Server with Unsigned Binary โ€” No Auth

An MCP server exposing execute_shell and read_file tools, bound to 0.0.0.0 without authentication, serving a prebuilt binary with no code signature. No FedRAMP AC-6 least-privilege control is implementable on a tool manifest that accepts any caller.

nixer/mcp/unauthenticated
โ— High

RAG Corpus with Mixed Classification Markers

A RAG pipeline ingesting documents with inconsistent classification markings. Indirect prompt injection payloads embedded in retrieved documents redirect the LLM's tool calls โ€” a NIST AI RMF MEASURE 2.5 output integrity failure with a direct CUI exfiltration path.

nixer/prompt-injection/indirect
โ— High

CI/CD GitHub Actions Pinned to Mutable Tags

All third-party GitHub Actions pinned to version tags, not commit SHAs โ€” matching the exact pattern exploited in the tj-actions/changed-files supply chain attack (CVE-2025-30066). Every CI run silently accepts attacker-controlled code updates. Fails FedRAMP SA-12 and CMMC SR.L2-3.17.1.

nixer/cicd/unpinned-action
โ— Critical

Hardcoded DoD API Gateway Credential in Repo

An API key for a DoD-contracted data gateway committed to version control โ€” pattern matches sk- prefix. Credential has been in git history for 14 commits. Fails FedRAMP IA-5, CMMC IA.L2-3.5.3, and CNSSI-1253 IA-5(1) authenticator management controls.

nixer/secrets/hardcoded-api-key
โ— High

pwn-request Pattern in Classified Repo CI Workflow

pull_request_target trigger combined with checkout of PR head SHA. Any contributor can fork the repo and execute code in the privileged CI context โ€” stealing all repository secrets including model signing keys, deployment tokens, and API credentials. Fails FedRAMP SA-12 and CNSSI-1253 SI-7.

nixer/cicd/pwn-request

Everything Nixer Audits for Defense AI

One scan run covers the complete attack surface your LLM-backed federal system touches โ€” agents, models, pipelines, and supply chain.

๐Ÿค–

AI Agents & MCP Configs

Agent definitions, system prompts, tool registrations, and MCP server configs scanned for injection vectors, over-privileged tool access, and unauthenticated endpoints. Maps against FedRAMP AC-6 least privilege controls.

โœ“ AC-6 / AC-17 mapping
๐Ÿ“ฆ

Model Supply Chain

Pickle deserialization RCE detection, ML package typosquat analysis, model artifact integrity checks, and version provenance for fine-tuned models. Maps against CMMC SR.L2-3.17.1 supply chain risk controls.

โœ“ CMMC SR.L2-3.17.1
๐Ÿง 

RAG & LLM Integration Points

Input sanitization gaps, retrieval pipeline injection surfaces, and indirect prompt injection paths in document-processing pipelines. Covers NIST AI RMF MEASURE 2.5 output integrity and MAP 1.5 adversarial input identification.

โœ“ NIST AI RMF MEASURE
โš™๏ธ

CI/CD Pipelines

GitHub Actions audited for pwn-request patterns, script injection, unpinned supply chain dependencies, and GITHUB_TOKEN over-exposure. Maps against FedRAMP SA-12 and CNSSI-1253 SI-7 integrity verification controls.

โœ“ SA-12 provenance trail
๐Ÿ“

Code Repositories

Source code scanned for hardcoded credentials, insecure dependencies, CVE-tracked frameworks, and secrets in version control. Most common FedRAMP IA-5 / CMMC IA.L2-3.5.3 finding in contractor AI stacks.

โœ“ IA-5 authenticator audit
๐Ÿ›ก

Architecture & Threat Model

LLM-assisted analysis of system design for mismatched trust boundaries, missing access controls between agent layers, and CUI data flow paths that bypass audit logging. Supports NIST AI RMF GOVERN risk documentation.

โœ“ GOVERN risk narrative

Nixer Findings โ†’ FedRAMP + CMMC + NIST AI RMF

Every finding Nixer surfaces maps directly to controls FedRAMP 3PAOs, CMMC C3PAOs, and NIST AI RMF assessors check. Here's your pre-built audit evidence trail.

Nixer Finding FedRAMP High CMMC L2 NIST AI RMF CNSSI-1253
Unscoped Agent Tool Access (MCP Unauthenticated)
nixer/mcp/unauthenticated
AC-6 โ€” Least Privilege; AC-17 โ€” Remote Access AC.L2-3.1.3 โ€” Control CUI Flow GOVERN 1.6 โ€” Risk policies for AI deployment; MANAGE 1.3 โ€” Risk response AC-6(1) โ€” Privileged Account Management
Indirect Prompt Injection in RAG Pipeline
nixer/prompt-injection/indirect
SI-3 โ€” Malicious Code Protection; SI-10 โ€” Information Input Validation SI.L2-3.14.2 โ€” Malicious Code Protection MEASURE 2.5 โ€” AI output integrity monitoring; MAP 1.5 โ€” Identify adversarial inputs SI-10 โ€” Information Input Validation
Unpinned CI/CD Action โ€” Supply Chain Attack
nixer/cicd/unpinned-action
SA-12 โ€” Supply Chain Protection; SR-3 โ€” Supply Chain Controls SR.L2-3.17.1 โ€” Supply Chain Risk Assessment GOVERN 1.4 โ€” Organizational risk tolerance for AI; MAP 3.5 โ€” Component provenance SA-12 โ€” Supply Chain Protection
Pickle Deserialization RCE (Model Artifact)
nixer/model-supply-chain/pickle-rce
SI-7 โ€” Software, Firmware, and Information Integrity; SA-9 โ€” External System Services SI.L2-3.14.1 โ€” Identify and Manage System Flaws MAP 3.5 โ€” AI component integrity; MEASURE 2.6 โ€” Test model artifact provenance SI-7(1) โ€” Integrity Checks
Hardcoded API Key / Secret in Source
nixer/secrets/hardcoded-api-key
IA-5 โ€” Authenticator Management; SC-28 โ€” Protection of Information at Rest IA.L2-3.5.3 โ€” Multifactor Authentication; SC.L2-3.13.10 โ€” Key Management MANAGE 2.4 โ€” Maintain access control for AI system credentials IA-5(1) โ€” Password-Based Authentication
Train Your Team

AI Security Curriculum โ€” Free to Start

Four free modules on prompt injection, tool abuse, RAG poisoning, and CI/CD pipeline security. Built for developers and security engineers shipping AI in regulated industries.

4 free modules
120+ min of content
17+ detection rules covered
View Curriculum Start Module 1 Free

Get ahead of the FedRAMP AI audit.

Book a 20-minute demo and we'll walk through a live scan of your AI stack โ€” or a comparable defense/federal repo โ€” and map every finding to the FedRAMP, CMMC, and NIST AI RMF controls your 3PAO or C3PAO will ask about.