The unclassified default, and what breaks when it changes
Most federal AI work lives at For Official Use Only or Controlled Unclassified Information. Models train on AWS GovCloud or Azure Government, code is reviewed on a managed GitLab, and the engineering team collaborates from home offices with CAC-authenticated VPNs. That stack is legible, familiar, and productive. It is also entirely unusable above Secret. Everything breaks — the cloud, the collaboration tools, the laptop, the home office, and in many cases the roster of who can touch the code at all.
The jump from CUI to Secret is large. The jump from Secret to TS/SCI is larger. The jump from TS/SCI to SAP is its own category. Each level strips away more of the tooling and assumptions that make normal AI development fast, and replaces them with physical, personnel, and procedural controls that add months to timelines and hundreds of thousands of dollars to fixed costs. Founders who want to compete in this space need to understand what is being traded and what the economics look like on the other side.
Classified AI Development Constraints — Complexity by Level
Classification levels and what they mean for AI development
FOUO and CUI are not classifications in the formal sense — they are marking regimes for sensitive unclassified information. Development happens in FedRAMP Moderate or High environments, typically AWS GovCloud, Azure Government, or Google Cloud for Government. Engineers can work from home on government-furnished or CMMC-aligned equipment. Model weights, training data, and logs all live in the cloud tenant. DoD contractors working at this level are bound by DFARS 252.204-7012 and 7020, NIST SP 800-171, and increasingly CMMC 2.0.
Secret introduces formal classification. Work must happen on a SIPRNet-connected system or an equivalent accredited enclave. There is no SIPR on AWS GovCloud. Development moves to contractor-owned classified enclaves or government-furnished facilities. Code, data, and models cannot leave the enclave without a formal review and declassification process. All personnel touching the system need at least a Secret clearance, which takes roughly 6 to 12 months to process for a new applicant.
Top Secret raises the bar again. TS systems run on JWICS or equivalent. The enclave is physically more restrictive — the terminal lives in a space approved for TS handling, typically a SCIF or a SAPF. Clearance processing can take 9 to 18 months, and the background investigation is deeper (T5, formerly SSBI). TS/SCI adds Sensitive Compartmented Information, which means compartment-specific access — a TS/SCI clearance alone does not grant access to any particular compartment. Compartment read-ins are decided by the sponsoring program.
Special Access Programs are their own universe. SAPs have their own accreditation, their own SAPFs, their own personnel processes, and their own nomination procedures. Many SAPs do not appear on public lists. Small firms rarely touch SAP work directly — it usually flows through cleared primes with long-standing SAP read-ins.
SCIF requirements for classified AI development
A Sensitive Compartmented Information Facility is an accredited space for storing and processing classified information above Secret. SCIF construction follows ICD 705 and is overseen by the sponsoring agency's cognizant security authority. The physical requirements are demanding: acoustic isolation, RF shielding where required, 24/7 monitoring, two-person integrity procedures, and strict control of electronic devices entering and leaving the space.
Building or leasing a SCIF is a significant capital decision. A modest contractor SCIF — two or three workstations and a conference room — runs $250K to $750K to construct and $50K to $150K per year to maintain and monitor. Larger SCIFs scale accordingly. Most small firms do not build their own SCIF; they lease time in a shared SCIF, use the government's SCIF, or subcontract to a prime whose SCIF accommodates the team.
From an AI development perspective, the SCIF constraint matters in two concrete ways. First, engineering time is physically tied to the facility — no remote pull requests, no late-night debugging from home, no pair programming over Zoom. Second, compute is also physically tied. If the model needs GPU hours, those GPUs must live inside the SCIF (or on an accredited connected classified cluster). This concentrates the normal AI development loop dramatically and has real productivity consequences that need to be priced into proposals.
Air-gapped infrastructure: no AWS GovCloud, no managed APIs
At Secret and above, the managed-cloud pattern that defines modern AI development does not exist. There is no S3 bucket. There is no SageMaker endpoint. There is no OpenAI API. There is no Hugging Face pull during a training run. The classified enclave is air-gapped — physically disconnected from the public internet and from lower-classification networks — and every dependency the system needs must be pre-loaded and maintained inside the enclave.
This creates real engineering tax. Python wheels, container images, model weights, and Linux packages must be procured from trusted sources, scanned, approved, and brought in through a cross-domain transfer process. A two-line change that adds a new library in a normal project might take two weeks of paperwork in a classified enclave. Dependency updates are rare, deliberate, and batched. Teams that thrive in this environment tend to minimize dependencies, pin versions aggressively, and build internal mirrors of PyPI, Conda, and container registries.
Model weights are the most interesting dependency. Large language models and vision foundation models often carry terms of service or export restrictions that complicate bringing them into classified enclaves. Some models are cleared for classified use through formal review; many are not. Practical classified AI work in 2026 still leans heavily on smaller, openly licensed models (Llama family, Mistral variants, encoder-only transformers) that can be brought in cleanly, rather than proprietary frontier models behind an API.
Cleared personnel and the facility clearance path
A facility clearance (FCL) is the government's authorization for a contractor entity to access classified information. The FCL is separate from personnel clearances and must be sponsored by a cleared government contracting officer or a cleared prime. Without a sponsor, a firm cannot apply for an FCL. This is the single largest barrier for new small firms entering the classified space.
The typical path for a small AI firm: win an unclassified SBIR Phase I with a component that does classified work, demonstrate capability on the unclassified subset, and then pursue an FCL at Phase II or Phase III when the program office is ready to sponsor. FCL processing for a small firm typically runs 9 to 18 months and requires a designated Facility Security Officer (FSO), compliant storage, and compliant personnel practices. Before and during the FCL process, the small firm can execute classified work only through a cleared prime, with cleared personnel sponsored by the prime's FCL.
Personnel clearances are their own timeline. A Secret investigation for a first-time applicant typically runs 4 to 8 months under current DCSA processing. Top Secret runs 9 to 18 months. Interim clearances can accelerate the process for urgent work, but interim TS is rare. Founders planning a classified business should start clearance conversations well before the contract — not after the award.
ITAR, EAR, and AI model export concerns
The International Traffic in Arms Regulations and Export Administration Regulations govern what technology can be shared across borders and with foreign persons. For AI work that touches defense articles, ITAR is the relevant regime. For dual-use technology, EAR applies. Both regimes have specific implications for AI development teams.
ITAR constrains who can touch the code. A foreign national employee — even a US permanent resident from a covered country — may be restricted from accessing ITAR-controlled technical data without an export license. For a small firm building an engineering team, the ITAR constraint often means hiring is limited to US persons (citizens, permanent residents, and protected-category individuals under 8 U.S.C. 1324b) and sometimes to US citizens only. Model weights trained on ITAR-controlled data inherit the control. So do derived artifacts — fine-tuned checkpoints, distilled models, and sometimes even representations learned from ITAR data.
EAR's implications for frontier AI models are evolving quickly. The Commerce Department's 2024 and 2025 rules on advanced computing and AI models created new licensing requirements for certain model exports and for cloud compute exceeding specific FLOPS thresholds. Small firms building on top of foundation models should track the EAR 742.6 and Supplement 7 provisions and the more recent AI Diffusion framework updates. The compliance surface is real, and the penalties for getting it wrong are criminal.
How SBIR bridges to classified work
SBIR is a natural on-ramp into classified work for small firms, because Phase I and Phase II are almost always unclassified even when the eventual operational system is classified. A firm can win a Phase I on an unclassified version of a classified problem — for example, anomaly detection on synthetic or unclassified signals data that parallels a classified use case. Phase II scales the capability with more realistic data. Phase III is where the transition to classified usually happens, either through a direct classified contract or through a cleared prime integrating the capability into a classified program of record.
The practical pattern: a firm wins a Phase I with a Navy or Air Force topic that has a classified downstream. Over Phase II, the firm cultivates relationships with the program office, hires or sponsors at least one cleared engineer, and begins the FCL process through the program's sponsorship. By Phase III, the firm is either cleared or credibly on the path, and the contract can accommodate classified work through a cleared partner or through direct delivery inside a government SCIF.
Small firm path into classified AI
A realistic path for a small AI firm to enter the classified space looks something like this. Year one: win two or three unclassified SBIR Phase Is at agencies with strong classified pipelines (Army, Navy, Air Force, SOCOM, DARPA). Year two: convert at least one to Phase II and begin discussions with the program office about FCL sponsorship. Hire the first cleared engineer, sponsored by a teaming partner's FCL. Year three: complete FCL processing, stand up a minimal classified-capable workspace (leased SCIF time, not owned), and take the first direct classified subcontract through a prime. Year four: pursue a direct classified prime contract, typically a Phase III or a follow-on task order.
This is a four to five year path, not a one year path. The firms that compress it meaningfully usually have a founder with existing clearances from prior government service and an existing relationship with a cleared prime willing to sponsor the FCL early. Without one of those two advantages, the timeline is structural and cannot be wished away.
Bottom line
Classified AI is real work with real demand and real economics. The path in is slower and more capital-intensive than unclassified federal AI, and the operational constraints reduce development velocity materially. But the competition thins out above Secret, the contracts are larger, and the relationships are stickier. Small firms willing to commit to the four-year path and price their work honestly can build durable classified businesses. Firms that assume they can just hire cleared contractors and plug into SIPR usually discover the structural constraints only after they have already burned a year and a contract.
Frequently asked questions
Yes, but not as a prime. A small firm without an FCL can subcontract to a cleared prime, where the prime sponsors cleared personnel under the prime's FCL. Direct classified contracting requires the small business to obtain an FCL through sponsorship by a cleared contracting officer or a prime, typically a 12 to 18 month process.
An air-gapped AI environment is a network physically isolated from the public internet and from lower-classification networks. Model training, inference, and data transfer happen entirely inside the enclave. There is no AWS GovCloud in a SCIF — systems are bare-metal or on-premises hardware, often with classified-only compute clusters. Model updates and data are transferred via one-way data diodes or escorted media transfers.
Most SBIR topics are unclassified, but DoD issues classified and controlled unclassified topics regularly, especially in Air Force, Army, Navy, and DARPA programs. Phase I work is almost always unclassified even when the eventual transition is classified. Phase III transitions into classified programs of record are the common bridge.