DefenseTech vertical 6-pack — 10th vertical

DefenseTech / DIB AI Tooling
6 sibling specs · 1 canonical shape per artifact

Six sibling specs for AI tools used by Defense Industrial Base (DIB) prime + sub contractors, federally-funded research and development centers, defense-systems integrators, and AI vendors providing tools that touch CUI / classified / ITAR-controlled technical data. Distinct from sibling verticals: DefenseTech is the first Suite vertical with a 3-axis vault contract — CUI categorization × export-control status × foreign-person access restriction, all REQUIRED on every audit event and intersected at runtime by resolvePolicy(). Second Suite vertical with a numeric regulatory wall-clock invariant (DFARS 252.204-7012(c)(1)(ii) 72-hour cyber incident reporting; after EnergyTech CIP-008 1-hour). The Suite vertical 6-pack a DIB contractor's Chief Information Security Officer + Facility Security Officer + CMMC Compliance Lead + Empowered Official (ITAR) + DCMA contracting officer + DDTC + BIS + DCSA + NARA-ISOO need.

Regulatory floor

DFARS 252.204-7012 (CDI safeguarding + 72-hour cyber incident reporting via dibnet.dod.mil) · DFARS 252.204-7019 / 7020 (NIST 800-171 self-assessment + SPRS submission) · DFARS 252.204-7021 (CMMC certification — becoming sole-source-disqualifying in 2026) · CMMC 2.0 L1/L2/L3 (32 CFR 170) · NIST SP 800-171 r2 + NIST SP 800-172 enhanced security requirements · ITAR 22 CFR 120-130 (DDTC USML licensing + defense services + deemed export) · EAR 15 CFR 730-774 (BIS CCL + Entity List + EAR-99 + deemed export 22 CFR 120.50) · E.O. 13526 Classified National Security Information + ICD 705 SCIF standards · DoDI 5230.24 Distribution Statements (letters A–F + X) · CUI Notice 2020-04 (CUI Registry implementation) · NISPOM 32 CFR 117 + Conforming Change 2 (Insider Threat Program) · FAR 52.204-21 (basic safeguarding) · False Claims Act 31 USC 3729 (post-Aerojet Rocketdyne settlement — false 7019/7020 self-assessment carries treble-damages exposure)

Canonical example anchored throughout the 6-pack

Key design innovations vs sibling-vertical equivalents

3-axis design — first in the Suite. Three independent typed fields on every audit event: cui_categorization (9 tiers PUBLIC → SCI) + export_control_status (NOT-CONTROLLED / EAR-99 / EAR-CCL / ITAR) + foreign_person_access_restriction (US-PERSON-ONLY / AUTHORIZED-FOREIGN-PERSON / FIVE-EYES / NATO-PLUS / NO-RESTRICTION). LegalTech is 1-axis (privilege_tier), EnergyTech is 2-axis (bes_categorization + ot_it_boundary), every other vertical is 1-axis equivalent. Defense regulators don't compose: DDTC, DoD CIO, and foreign-person verification each enforce independently. The vault contract's resolvePolicy() intersects all three axes at runtime; the most-restrictive axis wins.

DFARS 72-hour wall-clock invariant — second Suite verifier to enforce regulatory time-arithmetic numerically (after EnergyTech CIP-008 1-hour).

22 event types on Incident Card — largest Incident Card profile in the Suite.

10 federal authorities × 8 distinct enforcement modes on state-tracker — the most diverse set of enforcement modes of any state-tracker in the Suite.

cross_binding_refs as REQUIRED schema fields on the vault contract — DefenseTech is the first vertical where the vault contract explicitly publishes its sibling repos as required cross-bindings, making the vault contract the structural centerpiece of the 6-pack.

The six sibling specs

Every Kinetic Gain Protocol Suite vertical 6-pack contains exactly these six artifact shapes. The same six shapes appear in every vertical — only the per-vertical content (data categories, regulatory basis, invariants) differs.

Operator audit-stream

defense-decision-record-audit-stream

18-kind event taxonomy + THREE first-class required fields on resource: cui_categorization + export_control_status + foreign_person_access_restriction. Three invariants: CUI distribution-statement on CUI-Specified+ (DoDI 5230.24); export-control gating (ITAR requires us_person_status verification + DDTC license number on AUTHORIZED-FOREIGN-PERSON); DFARS 252.204-7012(c)(1)(ii) 72-hour wall-clock — second Suite verifier enforcing regulatory time-arithmetic numerically.
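The three audit-stream invariants above, sketched as an added example (not code from the defense-decision-record-audit-stream spec). Assumptions: the event shape, the `cyber-incident` kind, the `verified` value, and the fields `ddtc_license_number`, `discovered_at` and `reported_at` are hypothetical; only the CUI tiers named on this page are listed, and missing or unknown axis values fail closed.

```javascript
// Added example, not the project's code. Event shape, kind name, the
// "verified" value and the ddtc_license_number / discovered_at / reported_at
// field names are hypothetical.
const WINDOW_MS = 72 * 60 * 60 * 1000; // DFARS 252.204-7012(c)(1)(ii)
// Only the CUI tiers the page names, ascending; the spec's full 9-tier list
// is not shown on the page, so unlisted tiers are rejected (fail closed).
const CUI_TIERS = ["PUBLIC", "CUI-Specified", "SCI"];
const EXPORT = ["NOT-CONTROLLED", "EAR-99", "EAR-CCL", "ITAR"];
const FOREIGN = ["US-PERSON-ONLY", "AUTHORIZED-FOREIGN-PERSON", "FIVE-EYES",
                 "NATO-PLUS", "NO-RESTRICTION"];

function checkAuditEvent(event, now = Date.now()) {
  const r = event.resource || {};
  const v = []; // violation codes, empty when the event passes
  const tier = CUI_TIERS.indexOf(r.cui_categorization);
  if (tier < 0) v.push("cui_categorization:missing-or-unknown");
  if (!EXPORT.includes(r.export_control_status))
    v.push("export_control_status:missing-or-unknown");
  if (!FOREIGN.includes(r.foreign_person_access_restriction))
    v.push("foreign_person_access_restriction:missing-or-unknown");
  // Invariant 1: distribution statement (letters A-F or X) on CUI-Specified+.
  if (tier >= CUI_TIERS.indexOf("CUI-Specified") &&
      !/^[A-FX]$/.test(r.distribution_statement || ""))
    v.push("distribution_statement:required");
  // Invariant 2: export-control gating on ITAR resources.
  if (r.export_control_status === "ITAR") {
    if (r.us_person_status !== "verified") v.push("us_person_status:unverified");
    if (r.foreign_person_access_restriction === "AUTHORIZED-FOREIGN-PERSON" &&
        !r.ddtc_license_number)
      v.push("ddtc_license_number:required");
  }
  // Invariant 3: 72-hour clock from discovery; an unreported incident is
  // measured against `now`, so it starts failing once the window lapses.
  if (event.kind === "cyber-incident") {
    const found = Date.parse(event.discovered_at);
    const sent = event.reported_at ? Date.parse(event.reported_at) : now;
    if (Number.isNaN(found) || Number.isNaN(sent)) v.push("dfars_72h:bad-timestamp");
    else if (sent - found > WINDOW_MS) v.push("dfars_72h:exceeded");
  }
  return v;
}

// Constructed sample: ITAR resource, report sent one second past 72 hours.
const sampleEvent = { kind: "cyber-incident",
  discovered_at: "2025-01-01T00:00:00Z", reported_at: "2025-01-04T00:00:01Z",
  resource: { cui_categorization: "CUI-Specified", export_control_status: "ITAR",
    foreign_person_access_restriction: "AUTHORIZED-FOREIGN-PERSON",
    us_person_status: "verified" } };
```

`checkAuditEvent(sampleEvent)` returns three violation codes: the missing distribution statement, the missing DDTC license number, and the exceeded 72-hour window.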

Operator regulatory-lifecycle

dod-cmmc-disclosure-tracker

10 federal authorities seeded: DoD CIO + Cyber AB + DIBCAC + DDTC + BIS + NIST + GSA + DCMA + DCSA + NARA-ISOO. 8 distinct enforcement modes, the most diverse set of enforcement modes of any state-tracker in the Suite. This reflects that no two federal-defense authorities work the same way (contract-clause-flowdown vs license-pre-authorization vs facility-personnel-clearance vs registry-curation are structurally different).

Evidence Bundle (compliance)

cmmc-l2-l3-readiness-evidence-bundle

18 control families × 48 evidence kinds. 14 NIST 800-171 families + 4 CMMC-program-specific families (Program Mgmt, POA&M, SPRS Scoring, C3PAO Assessment Artifacts). Three invariants: L3+DIBCAC requires dibcac confidence score; DFARS 7019/7020 in scope requires cmmc-sprs-scoring evidence; every not-satisfied outcome must carry a poam_ref (orphan failures break POA&M traceability).

Evidence Bundle (bias)

defense-contractor-bias-coverage-lab

15 dimensions × 8 metric kinds × 14 regulatory bases × 8 decision domains. Population-level only (per OFCCP guidance — counts below 20 reported as insufficient-data to avoid de-anonymization). DefenseTech-unique dimensions: protected-veteran-status-vevraa-4212, security-clearance-tier-distribution, clearance-denial-rate, polygraph-success-rate, subcontractor-sb-sdb-vosb-classification, insider-threat-flag-rate.

Incident Card

defense-ai-incident-card-profile

22 event types — LARGEST Incident Card profile in the Suite. Spans DFARS cyber incidents, CUI handling (spillage / marking / mishandling), ITAR + EAR violations, foreign-person access (unauthorized + blocked), classified-environment misuse + SCIF violations + AI-generated classified-marking errors, NISPOM insider-threat flags, CMMC POA&M failures + SPRS discrepancies, AI-tool supply-chain compromise. DFARS 72-hour clock enforced at the published-Card level (mirrors audit-stream invariant).

Decision Card vault contract

cui-data-vault-contract-profile

DESIGN CENTERPIECE. FIRST Suite vault contract with 3 orthogonal typed policy axes (cui_handling_policy 9 tiers × export_control_handling_policy 4 tiers × foreign_person_handling_policy 5 tiers). resolvePolicy() intersects all 3 axes at runtime — most-restrictive axis wins. cross_binding_refs as REQUIRED schema fields publish sibling repos. 4 runtime invariants: distribution_statement on CUI-Specified+; us-person-verified min on ITAR; audit_stream_event + fso_cosign on CLASSIFIED-*; audit_stream_event on AUTHORIZED-FOREIGN-PERSON (per-event DDTC review).

Why parallel structure matters

A DIB contractor's procurement team operating across mixed regulated programs — defense AI vendors plus HealthTech AI vendors (for veteran healthcare programs) plus FinTech AI vendors (for sub-contractor financing) — can apply the same six-shape Suite vocabulary to every vendor in every vertical. The kg-suite-vertical-router tool routes any artifact to the right vertical's verification logic with one CLI command. The kg-suite-vertical-comparator tool surfaces the SAME-vs-DIFFERENT design contributions across all ten verticals as a single reference table.