Government Documents

Everything a procurement officer, contracting specialist, or prime contractor needs. Print or download.

Capability Statement

The Cochran Block, LLC — Capability Statement

The Cochran Block, LLC
7452 School Avenue, Dundalk, MD 21222
[email protected] · cochranblock.org
EIN: 41-3835237

Certifications & Registrations
SAM.gov — Active · CAGE 1CQ66 · UEI W7X3HAQL9CF9 · EIN 41-3835237
Maryland CSB (Certified Small Business) — Approved
SDVOSB (Service-Disabled Veteran-Owned Small Business) — Final Review (VetCert/SBA)
Maryland eMMA — Vendor SUP1095449 · ACH Direct Deposit Active
crates.io — 32 published crates at crates.io/users/gotemcoach
GitHub — 31 repositories at github.com/cochranblock

Audit the source — github.com/cochranblock

Core Competencies
• Memory-safe compiled architecture (Rust) — aligned with CISA Secure-by-Design mandate
• Zero-cloud single-binary deployment — eliminates cloud attack surface entirely
• On-device AI inference — no data exfiltration, runs in air-gapped environments
• DevSecOps binary optimization — 48 KB to 51.5 MB release binaries with full SBOM
• Edge computing and IoT integration — LoRa/915MHz mesh, ARM/RISC-V targets
• Autonomous threat detection — 312 KB APT hunter, zero-config deployment

NAICS Codes
541511 — Custom Computer Programming Services
541512 — Computer Systems Design Services
541519 — Other Computer Related Services
518210 — Computing Infrastructure Providers
541330 — Engineering Services
541690 — Other Scientific and Technical Consulting

Past Performance
cochranblock.org — Production website. 10 MB binary, $10/month, 31 products, intake forms, booking calendar, community grant app. Self-hosted on bare metal.
oakilydokily.com — First paying client. Waiver management, digital intake, ESIGN compliance. Bare metal via Cloudflare Zero Trust.
Pixel Forge — AI sprite generator with on-device diffusion models. 3 MoE models, LoRA fine-tuning. Pure Rust.
USCYBERCOM J38 JMOC-E — Dev lead for Congressional NDAA-directed offensive cyber operations study.
31 public GitHub repos — All code auditable at github.com/cochranblock

Differentiators
• Proven federal contracting posture — CAGE 1CQ66, UEI W7X3HAQL9CF9, SAM.gov Active
• Single-binary = zero infrastructure — 10MB replaces $36K/year cloud stacks for $120/year
• Rust = memory-safe mandate compliance — Aligned with CISA Secure-by-Design, EO 14028, NIST SP 800-218
• 32 published crates on crates.io at crates.io/users/gotemcoach
• 31 Rust repositories with Proof of Artifacts and Timeline of Invention
• 4 inventions, 3 architecture patterns, 5 techniques — honestly classified at cochranblock.org/arch
• 13 years defense and enterprise — USCYBERCOM J38 dev lead, Congressional NDAA study
• Army 17C (Cyber Operations), JCAC 2014
• All Rights Reserved — The Cochran Block, LLC

Past Performance
• oakilydokily.com — First paying partnership. Waiver management, digital intake, ESIGN. Deployed on bare metal via Cloudflare Zero Trust.
• cochranblock.org — Live production site. 31 products, intake forms, SQLite, booking calendar. 10 MB binary, $10/month total infrastructure.
• USCYBERCOM J38 JMOC-E — Dev lead for Congressional NDAA-directed offensive cyber operations study.

Contact
Michael Cochran, Owner
[email protected]
cochranblock.org/book — Schedule a call
cochranblock.org/deploy — Start a project

Downloadable Documents

Available documents

Capability Statement (PDF) · Resume (PDF) · Company Logo Card

W-9: Available on request — email for a signed copy.

Registration Status

Maryland eMMA: ⬤ Vendor SUP1095449 — Active
Certified Small Business (CSB): ⬤ Approved
SAM.gov: ⬤ Active · CAGE 1CQ66 · UEI W7X3HAQL9CF9
SDVOSB (VetCert): ⬤ Final Review — VetCert Apr 10, 2026
GSA Schedule: ○ Not Yet Applied

Technical Approach — SBIR/STTR

Zero-Cloud Edge Architecture for Defense and Federal Applications

Problem Statement
Federal agencies spend $36,000+/year per application on cloud infrastructure. These deployments create single points of failure, expose sensitive data to third-party providers, and require dedicated DevOps teams. Forward-deployed and disconnected environments cannot rely on cloud connectivity for mission-critical operations.

Technical Innovation
CochranBlock has developed a compiled single-binary architecture in Rust that eliminates cloud dependency entirely. A complete web application — server, database, authentication, TLS, asset pipeline — compiles into a 10 MB binary that runs on commodity hardware ($10/month total infrastructure). This architecture is proven in production at cochranblock.org, serving multiple domains from a single laptop.

Key Technical Capabilities
Single-binary deployment — Entire application stack compiles to one executable. No containers, no orchestration, no package managers. Deploy by copying one file.
On-device AI inference — Local LLM execution via custom Mixture-of-Experts architecture. No API calls, no data exfiltration risk. Runs on consumer GPUs.
Edge-native by design — Operates in disconnected, intermittent, and limited-bandwidth (DIL) environments. Zero external dependencies at runtime.
Distributed C2 mesh — Multi-node orchestration via SSH with tokenized command compression. Nodes operate independently and resync when connectivity restores.
Zero-trust architecture — AES-256-GCM encryption, HKDF key derivation, Argon2id password hashing. No plaintext secrets in source. Cloudflare Zero Trust tunnel integration.
Embedded storage — sled (embedded key-value store) + bincode serialization + zstd compression. No external database servers. Data lives with the application.
97% cost reduction — Demonstrated: $36,000/year cloud → $120/year bare metal. Same availability, same performance, fraction of the attack surface.

Relevant SBIR/STTR Technology Areas
• AI/Autonomy — On-device inference, Mixture-of-Experts routing, edge AI for sensor processing
• Cybersecurity — Zero-trust compiled architecture, embedded encryption, no third-party attack surface
• Edge Computing — DIL-capable single-binary deployment, IoT gateway (LoRa/915MHz)
• Advanced Computing — Compiled Rust replacing interpreted cloud stacks, WASM-capable architecture
• Command and Control — Distributed node mesh with compressed tokenized command protocol

Proof of Concept — Live Production Systems
cochranblock.org — 15-product portfolio site. 10 MB binary. SQLite intake forms. Booking calendar. Cloudflare tunnel. $10/month.
oakilydokily.com — Waiver management and digital intake with ESIGN compliance. Bare metal deployment.
Kova augment engine — Local LLM inference, agentic tool loop, distributed node C2, cargo/git tokenization. Single binary.
Approuter — Reverse proxy with automatic Cloudflare tunnel management, app registry, multi-domain routing. Single binary.
31 repositories — All source code publicly auditable at github.com/cochranblock

Phase I Objectives (6 months, $250K)
1. Formalize the single-binary deployment framework as a reusable platform for federal applications
2. Demonstrate on-device AI inference for classified/sensitive workloads with zero cloud dependency
3. Deploy proof-of-concept in a simulated DIL environment with multi-node mesh recovery
4. Deliver security assessment and ATO-ready documentation package

Phase II Path ($2M, 18–24 months)
1. Harden for IL4/IL5 deployment with FIPS 140-3 cryptographic module integration
2. Build agency-specific application templates (case management, intake, reporting)
3. Integrate with DoD identity providers (CAC/PIV authentication)
4. Develop training curriculum for agency adoption

Commercialization
The technology has immediate dual-use application. Commercial clients (startups, SMBs) pay $3,500 base deployment + $225/hour consulting. Federal clients access through SBIR Phase III, GSA Schedule 70, or direct contract. Year 1 projected gross: $150,000.

Principal Investigator
Michael Cochran — Army 17C (Cyber Operations), JCAC 2014. 13 years defense and enterprise. USCYBERCOM J38 JMOC-E dev lead for Congressional NDAA-directed offensive cyber operations study. 30% service-connected disabled veteran.

Agency-Specific Technical Approaches

DoD SBIR 26.1 — Cyber-Resilient Edge Computing for Contested Environments

Solicitation Target: DoD SBIR 26.1 Phase I (Army/CYBERCOM) — AI/Autonomy, Cybersecurity, Edge Computing
Estimated Open: April 2026 · Phase I: $250,000 / 6 months

Topic Alignment
DoD requires mission-critical applications that operate in disconnected, intermittent, and limited-bandwidth (DIL) environments without dependence on commercial cloud providers. Current containerized deployments require network connectivity, container orchestration, and cloud-hosted databases — none of which are available at the tactical edge.

Proposed Innovation
CochranBlock's compiled single-binary architecture eliminates every external dependency. A complete application — web server, database, AI inference engine, encryption, and asset pipeline — ships as one 10 MB executable. No Docker. No Kubernetes. No package manager. No internet required at runtime. Copy the file, run it, the mission continues.

Technical Objectives — Phase I
1. Deploy single-binary web application in a simulated JWICS/SIPRNet disconnected environment with zero external dependencies
2. Demonstrate on-device AI inference (classification, NLP, anomaly detection) using custom Mixture-of-Experts model running on commodity GPU hardware
3. NanoSign model integrity — 36-byte BLAKE3 signatures on all AI model files, verified at load time. Unsigned or tampered models are rejected before inference. Zero-infrastructure supply chain security for AI at the tactical edge
4. Validate multi-node mesh recovery — nodes operate independently during network partition and resync state when connectivity restores
5. Deliver threat model and security architecture document suitable for ATO initiation at IL4

Technical Objectives — Phase II ($2M / 24 months)
1. FIPS 140-3 cryptographic module integration for IL5 deployment
2. CAC/PIV authentication integration via PKCS#11
3. Cross-domain solution compatibility assessment (CDS guard integration points)
4. Field trial with operational unit in DIL exercise environment
5. Transition plan for PEO/PM adoption

Past Performance
• PI served as dev lead at USCYBERCOM J38 JMOC-E for a Congressional NDAA-directed offensive cyber operations study
• Army 17C (Cyber Operations), JCAC 2014, 30% service-connected disabled veteran
• 31 Rust repositories demonstrating every claimed capability — auditable at github.com/cochranblock
• cochranblock.org running in production as a single 10 MB binary on $10/month infrastructure

NSF Seed Fund — On-Device AI Inference Without Cloud Dependency

Solicitation Target: NSF SBIR Phase I (America's Seed Fund) — Artificial Intelligence, Software
Estimated Open: April–May 2026 (rolling after restart) · Phase I: $275,000 / 6 months

Topic Alignment
NSF Seed Fund seeks deep technology innovations with commercial potential. Current AI deployment requires cloud API calls — sending sensitive data to third-party servers, paying per-token fees, and depending on network connectivity. There is no production-grade framework for running full AI inference on local hardware inside a compiled application.

Proposed Innovation
CochranBlock has built a working on-device AI inference system (Kova) that runs local LLM models through a custom Mixture-of-Experts router inside a single compiled Rust binary. No API calls. No data leaves the device. The system includes an agentic tool loop (read, write, edit, search, execute), tokenized command compression for minimal context overhead, and distributed node orchestration for scaling across commodity hardware.

Technical Objectives — Phase I
1. Package on-device inference engine as a reusable Rust library crate (WASM-safe, no-std compatible)
2. Benchmark inference latency and quality on standardized tasks (external cloud APIs may be used solely as calibration reference points; never in the production path)
3. Demonstrate privacy-preserving AI for healthcare (HIPAA), legal (attorney-client privilege), and defense (classified) use cases
4. NanoSign model signing — 36-byte BLAKE3 integrity verification for AI model files. Prevents model poisoning and ensures provenance without key infrastructure
5. Publish reproducible benchmarks and make the inference runtime available under commercial license

Technical Objectives — Phase II ($1M / 24 months)
1. Train domain-specific expert models (cybersecurity, code generation, document analysis) from production data
2. Build model marketplace for community-contributed experts with quality gates
3. Mobile deployment (Android/iOS) — on-device inference on consumer phones
4. Enterprise SDK with API compatibility layer for drop-in cloud replacement

Commercialization Path
• Direct sales: $3,500 base deployment for SMBs replacing $36K/year cloud AI bills
• Enterprise licensing: Per-seat for on-device inference runtime
• Federal: SBIR Phase III transition to DoD/IC for classified AI workloads
• Commercial licensing with support

DHS/CISA — Zero-Trust Edge Architecture for Critical Infrastructure

Solicitation Target: DHS SBIR FY2026 — Cybersecurity and Infrastructure Security Agency (CISA)
Estimated Open: Summer 2026 · Phase I: $250,000 / 6 months

Topic Alignment
CISA's mission includes securing federal civilian networks and critical infrastructure. Current architectures depend on cloud-hosted security tools, SaaS SIEM platforms, and containerized microservices — each adding third-party attack surface. When an adversary compromises the cloud provider, every tenant is exposed. Critical infrastructure operators need security tools that run locally, operate offline, and present zero external attack surface.

Proposed Innovation
CochranBlock's zero-trust architecture is secure by compilation, not configuration. The entire application compiles to a single binary with AES-256-GCM encryption, HKDF key derivation, and Argon2id password hashing built in. No plaintext secrets in source. No external secret managers. No runtime dependency injection. The binary IS the security boundary — if it's not compiled in, it doesn't exist.

Technical Objectives — Phase I
1. Deploy zero-trust edge node at a simulated critical infrastructure site (water/power/transportation) with zero cloud dependency
2. Demonstrate real-time log aggregation and anomaly detection using on-device AI inference — no data exfiltration to cloud SIEM
3. NanoSign AI model integrity verification — BLAKE3-based 36-byte model signing prevents supply chain poisoning of on-device ML models. Self-verifying, no key infrastructure, no network required
4. Validate IoT device monitoring via LoRa/915MHz mesh network for air-gapped OT environments
5. Produce NIST 800-53 control mapping for the single-binary architecture
6. Deliver pen test results and security assessment from independent third party

Technical Objectives — Phase II ($2M / 24 months)
1. Integration with CISA's Continuous Diagnostics and Mitigation (CDM) program
2. Automated SBOM generation from compiled binary (full dependency tree at build time)
3. Incident response playbook execution engine running on-device
4. Multi-site mesh deployment with encrypted state synchronization
5. FedRAMP-equivalent security documentation package

Past Performance
• PI: 13 years defense and enterprise cybersecurity. USCYBERCOM J38 JMOC-E dev lead.
• Army 17C (Cyber Operations) — trained at JCAC (Joint Cyber Analysis Course), 2013
• Live production system (cochranblock.org) running zero-cloud architecture with Cloudflare Zero Trust integration
• 31 repositories — full supply chain transparency, every dependency auditable

NASA — Edge Computing for Space and Aeronautics Ground Systems

Solicitation Target: NASA SBIR 2026 BAA Appendix A — Ground Systems, Software, Edge Computing
Estimated Open: April–May 2026 (new BAA model, rolling appendices) · Phase I: ~$150,000 / 6 months

Topic Alignment
NASA ground systems process massive telemetry streams from spacecraft and launch vehicles. Current architectures route data through centralized cloud infrastructure, adding latency and single points of failure. Ground stations in remote locations need local processing capability that operates independently when connectivity degrades.

Proposed Innovation
CochranBlock's single-binary architecture deploys a complete data processing application — web interface, embedded database, real-time stream handling, and AI inference — as one file on ground station hardware. No cloud dependency. No container orchestration. Local processing with store-and-forward synchronization when connectivity restores.

Technical Objectives — Phase I
1. Deploy single-binary telemetry viewer and anomaly detection system on representative ground station hardware
2. Demonstrate real-time stream processing with on-device ML inference for anomaly flagging
3. Validate store-and-forward data synchronization across simulated intermittent satellite links
4. Benchmark binary size, memory footprint, and startup latency against containerized equivalent

Phase II Path
1. Integration with NASA GSFC ground system data formats (CCSDS, XTCE)
2. Multi-station mesh deployment with distributed state consensus
3. Flight software qualification assessment (DO-178C gap analysis)
4. Mission-specific AI model training for spacecraft health monitoring

DOE — Cybersecurity for Energy Infrastructure and Scientific Computing

Solicitation Target: DOE SBIR FY2026 — Cybersecurity, Energy Security, Advanced Scientific Computing Research
Next Deadline: Phase II Release 2 — Applications due April 21, 2026 · FOA issued March 2, 2026

Topic Alignment
Energy infrastructure — power grids, pipelines, nuclear facilities — runs on operational technology (OT) networks that were never designed for internet connectivity. Retrofitting cloud-based security monitoring onto these systems introduces the exact attack surface it claims to protect against. DOE needs security tools that run locally on OT networks without phoning home to cloud APIs.

Proposed Innovation
CochranBlock's compiled architecture deploys security monitoring as a single binary on OT-adjacent hardware. AES-256-GCM encryption, embedded log aggregation, and on-device anomaly detection — all without a single outbound network connection. The binary includes its own database (sled), web dashboard, and alerting engine. Air-gapped by design, not by configuration.

Technical Objectives — Phase I
1. Deploy single-binary OT network monitor on representative SCADA-adjacent hardware
2. Demonstrate passive traffic analysis and anomaly detection using on-device ML (no cloud egress)
3. Validate air-gapped operation — zero outbound connections over 30-day test period
4. Produce NERC CIP control mapping for the single-binary architecture
5. Integrate with DOE CESER (Cybersecurity, Energy Security, and Emergency Response) reporting formats

Phase II Path
1. Multi-site deployment across simulated utility network (generation, transmission, distribution)
2. ICS protocol deep packet inspection (Modbus, DNP3, OPC-UA) compiled into the binary
3. Integration with DOE Argonne/Sandia cyber range for validation testing
4. NIST SP 800-82 (Guide to ICS Security) full compliance documentation

USDA — Rural Broadband and Agricultural Edge Computing

Solicitation Target: USDA SBIR FY2026 — Rural Broadband, Precision Agriculture, Agricultural AI
Estimated Open: June–August 2026 · Phase I: ~$175,000 / 8 months

Topic Alignment
Rural agricultural operations lack reliable broadband. Cloud-dependent farm management tools fail when connectivity drops — which is exactly when real-time sensor data matters most (irrigation, frost alerts, livestock monitoring). Farmers need software that works offline-first and syncs when a signal is available.

Proposed Innovation
CochranBlock's single-binary platform deploys a complete farm management application on any hardware — laptop, Raspberry Pi, or existing farm PC. Embedded database stores sensor history locally. LoRa/915MHz mesh network connects field sensors without WiFi or cellular. On-device AI provides crop health and weather anomaly alerts without internet. Syncs to cloud dashboard when broadband is available.

Technical Objectives — Phase I
1. Deploy single-binary farm management system on Raspberry Pi with LoRa sensor mesh (soil moisture, temperature, humidity)
2. Demonstrate 30-day offline operation with local data retention and automated sync on reconnect
3. On-device crop health inference from sensor fusion data — no cloud API dependency
4. Validate deployment simplicity — non-technical operator installs and configures in under 15 minutes
5. Cost analysis: total system cost vs. cloud-dependent alternatives in low-broadband regions

Phase II Path
1. Integration with USDA NASS (National Agricultural Statistics Service) data formats
2. Livestock monitoring via LoRa-tagged wearable sensors
3. Cooperative deployment — multi-farm data sharing with privacy-preserving aggregation
4. USDA Rural Development grant integration for farmer subsidized adoption

EPA — Environmental Monitoring for Air and Water Quality

Solicitation Target: EPA SBIR FY2026 — Air Quality, Clean and Safe Water, Environmental Monitoring
Estimated Open: Spring–Summer 2026 · Phase I: ~$100,000 / 6 months

Topic Alignment
Environmental monitoring stations in remote or underserved areas lack reliable connectivity for real-time reporting. Cloud-based dashboards go dark when the cell tower does. EPA needs monitoring systems that log continuously, alert locally, and report when connectivity permits — without losing data during outages.

Proposed Innovation
CochranBlock's single-binary monitoring platform runs on solar-powered edge hardware. Embedded database stores months of sensor readings locally. LoRa mesh connects distributed sensors across miles without cellular infrastructure. On-device AI detects anomalies (contamination spikes, equipment drift) and triggers local alerts. Data syncs to EPA reporting systems when backhaul is available.

Technical Objectives — Phase I
1. Deploy single-binary environmental monitor on low-power ARM hardware (Raspberry Pi + solar)
2. LoRa sensor mesh for distributed air quality (PM2.5, O3, NO2) and water quality (pH, turbidity, dissolved O2) monitoring
3. Demonstrate 90-day autonomous operation with zero maintenance and zero cloud dependency
4. On-device anomaly detection with configurable alerting thresholds
5. EPA AQS (Air Quality System) and WQX (Water Quality Exchange) data format export

Phase II Path
1. Integration with EPA AirNow and ECHO (Enforcement and Compliance History) reporting APIs
2. Community-deployed network with public-facing dashboard (environmental justice applications)
3. Machine learning model for source attribution from multi-sensor correlation
4. Tribal and rural community pilot deployments with EPA Region coordinators

DOT — Edge Computing for Transportation Infrastructure

Solicitation Target: DOT SBIR FY2026 — Intelligent Transportation Systems, Connected Infrastructure
Estimated Open: Spring–Summer 2026 · Phase I: ~$200,000 / 6 months

Topic Alignment
Transportation infrastructure — traffic signals, bridge sensors, highway weather stations — operates in harsh environments with unreliable connectivity. Cloud-dependent monitoring fails when the cell tower goes down during the storm you most need data from. DOT needs infrastructure monitoring that runs locally, stores months of data, and reports when backhaul is available.

Technical Objectives — Phase I
1. Deploy single-binary traffic/infrastructure monitor on roadside hardware (ARM SBC + solar)
2. LoRa mesh for bridge structural health sensors, flood gauges, and weather stations
3. On-device anomaly detection for structural fatigue patterns and weather hazards
4. V2I (Vehicle-to-Infrastructure) data ingestion for connected vehicle corridors
5. NTCIP (National Transportation Communications for ITS Protocol) compliance

NIST/Commerce — Software Supply Chain Security and SBOM

Solicitation Target: NIST SBIR FY2026 — Cybersecurity, Software Supply Chain, EO 14028 Compliance
Estimated Open: Spring–Summer 2026

Topic Alignment
EO 14028 mandates Software Bills of Materials (SBOM) for federal software. Current SBOM tools bolt onto interpreted/containerized deployments and struggle with completeness. A compiled single-binary architecture produces a deterministic, complete dependency tree at build time — every dependency is known, versioned, and auditable before the binary ships.

Technical Objectives — Phase I
1. Automated SBOM generation from compiled Rust binary — CycloneDX and SPDX output formats
2. Demonstrate provenance chain: source commit → build artifact → deployed binary with cryptographic attestation
3. SSDF (Secure Software Development Framework, NIST SP 800-218) compliance mapping for single-binary architecture
4. Comparison study: SBOM completeness and accuracy vs. container-based and interpreted-language equivalents
5. NanoSign integration — 36-byte AI model signing (BLAKE3) for tamper detection of ML model files in the supply chain. Self-verifying, zero infrastructure, format-agnostic (safetensors/GGUF/ONNX/PyTorch)
6. Publish SBOM and NanoSign tooling under commercial license

NIH — Privacy-Preserving On-Device Health Data Processing

Solicitation Target: NIH SBIR/STTR FY2026 — Health IT, HIPAA-Compliant AI, Biomedical Informatics
Estimated Open: April 2026 (new NOFO) · Phase I: ~$275,000 / 6 months

Topic Alignment
Health data is the most regulated data in federal systems. Every cloud API call with patient data is a HIPAA exposure. Current health AI tools send PHI to third-party servers for inference. Clinics in rural and underserved areas lack reliable broadband for cloud-dependent EHR tools. NIH needs health data processing that never leaves the device.

Technical Objectives — Phase I
1. Deploy single-binary clinical intake system with HIPAA-compliant on-device storage (AES-256-GCM at rest)
2. On-device NLP for clinical note summarization and coding — zero PHI transmitted to cloud
3. FHIR R4 data export for EHR integration without cloud intermediary
4. Demonstrate offline-first operation for rural clinic scenario — 30-day autonomous with sync on reconnect
5. HIPAA Security Rule technical safeguard mapping for single-binary architecture

NOAA — Remote Environmental and Ocean Monitoring

Solicitation Target: NOAA SBIR FY2026 — Ocean Observation, Weather Monitoring, Remote Sensing
Estimated Open: Spring–Summer 2026 · Phase I: ~$150,000 / 6 months

Topic Alignment
NOAA operates monitoring stations in the most remote environments on earth — ocean buoys, arctic weather stations, volcanic observatories. These stations have intermittent satellite connectivity at best. Cloud-dependent monitoring loses data during the exact conditions worth recording. NOAA needs edge intelligence that runs for months unattended.

Technical Objectives — Phase I
1. Deploy single-binary monitoring platform on low-power marine-grade hardware
2. On-device ML for extreme weather event detection and priority alerting via satellite burst
3. 180-day autonomous operation with zero maintenance on solar/battery power
4. Compressed data encoding for low-bandwidth satellite uplink (Iridium SBD, GOES DCS compatible)
5. WMO BUFR/CREX data format export for integration with GTS (Global Telecommunication System)

Upcoming Bids — SBIR/STTR 2026

Solicitation tracker. Updated as agencies publish topics. CochranBlock technical approach ready for each.

Agency | Solicitation | Opens | Closes | Status
DoD | SBIR 26.1 Phase I | April 2026 | May 2026 (est) | ⬤ SAM.gov Pending
DOE | Phase II Release 2 | March 2, 2026 | April 21, 2026 | ⬤ SAM.gov Pending
NIH | New NOFO | April 2026 (est) | Rolling | ⬤ SAM.gov Pending
NSF | Seed Fund Restart | April–May 2026 | Rolling | ⬤ SAM.gov Pending
NASA | BAA Appendix A | April–May 2026 | TBD | ⬤ SAM.gov Pending
DHS/CISA | FY2026 | Summer 2026 | TBD | ⬤ SAM.gov Pending
USDA | FY2026 | June–Aug 2026 | TBD | ⬤ SAM.gov Pending
EPA | FY2026 | Spring–Summer 2026 | TBD | ⬤ SAM.gov Pending
DOT | FY2026 | Spring–Summer 2026 | TBD | ⬤ SAM.gov Pending
NIST | FY2026 | Spring–Summer 2026 | TBD | ⬤ SAM.gov Pending
NOAA | FY2026 | Spring–Summer 2026 | TBD | ⬤ SAM.gov Pending

SAM.gov Active. CAGE 1CQ66. UEI W7X3HAQL9CF9. SDVOSB submitted via VetCert.

Architecture & Compliance FAQ

Q: Who owns the IP, and how do you handle Data Rights?

Zero vendor lock-in. All core code is All Rights Reserved. Government or Prime owns their deployment 100%. No recurring licensing. No proprietary runtime. No vendor dependency.

Every repo ships with a Timeline of Invention (TOI) and Proof of Artifacts (PoA) providing commit-level AI provenance documentation. This eliminates accidental copyright infringement risks from AI-generated code — every human decision and AI contribution is documented, dated, and hash-verified.

Q: Who handles sustainment, patching, and DevOps?

No DevOps team required. We replace Kubernetes clusters and microservices with single, memory-safe, statically linked Rust binaries — often under 50 KB. No dependency chains to patch. No container images to rebuild. No orchestration layer to manage.

Patching = rebuild the binary from pinned Cargo.lock + SCP to the server. If the hardware has power, the binary runs. Total sustainment burden: one file.

Q: How does this survive DoD Authority to Operate (ATO) audits?

Modern ATO delays are caused by bloated attack surfaces — cloud supply chains, Docker vulnerabilities, exposed Node/Python runtimes, 500+ transitive dependencies with unknown provenance.

Our architecture eliminates that attack surface:

  • Zero cloud supply chain — no AWS, no Azure, no GCP dependency
  • Zero unnecessary open ports — one binary, one port, behind Cloudflare Zero Trust
  • Zero interpreted runtimes — compiled Rust, memory-safe by construction
  • Complete SBOM at compile time — every dependency pinned and auditable
  • NIST SP 800-218 (SSDF) compliance documented — see SSDF matrix below

Built by a former USCYBERCOM J38 JMOC-E offensive cyber operations dev lead. The architecture was designed to survive the audits, not to pass them after the fact.

Q: Is your operation DCAA compliant for SBIR Phase II/III or Prime subcontracts?

Radical financial transparency. The Open Books page calculates IR&D hours and value in real-time from GitHub commit timestamps. Every hour is machine-verified, not self-reported. The methodology is public. The data is auditable.

IR&D costs documented per FAR 31.205-18. AI tooling costs separately trackable as materials under FAR 31.205-26. Founder hours valued at published $225/hr rate.

This is continuously auditable by design — not DCAA-compliant because we hired an accountant, but because the entire operation is transparent by architecture.

Software Bill of Materials (SBOM)

EO 14028 compliant. Every direct dependency, version, and license — known at compile time.

cochranblock — 42 direct dependencies
Crate | Version | License | Purpose
aes-gcm | 0.10.3 | Apache-2.0/MIT | AES-256-GCM encryption
approuter-client | 0.2.0 | All Rights Reserved | Approuter service registration
argon2 | 0.5.3 | MIT/Apache-2.0 | Password hashing (Argon2id)
axum | 0.7.9 | MIT | HTTP framework
axum-extra | 0.9.6 | MIT | Cookie handling, typed headers
axum-server | 0.7.3 | MIT | TLS server
base64 | 0.21.7 | MIT/Apache-2.0 | Encoding
bincode | 2.0.1 | MIT | Binary serialization
chrono | 0.4.44 | MIT/Apache-2.0 | Date/time handling
chrono-tz | 0.9.0 | MIT/Apache-2.0 | Timezone support
clap | 4.5.60 | MIT/Apache-2.0 | CLI argument parsing
dirs | 5.0.1 | MIT/Apache-2.0 | Platform directories
dotenvy | 0.15.7 | MIT | Environment file loading
hkdf | 0.12.4 | MIT/Apache-2.0 | HKDF key derivation
include_packed | 0.1.5 | MIT | zstd asset embedding
lers | 0.4.0 | MIT | ACME/Let's Encrypt
mime_guess | 2.0.5 | MIT | MIME type detection
open | 5.3.3 | MIT | Open URLs in browser
openssl | 0.10.75 | Apache-2.0 | TLS backend
rand | 0.8.5 | MIT/Apache-2.0 | Random number generation
rcgen | 0.14.7 | MIT/Apache-2.0 | Certificate generation
reqwest | 0.11.27 | MIT/Apache-2.0 | HTTP client (webhooks, API)
rustls | 0.23.37 | Apache-2.0/ISC/MIT | TLS implementation
serde | 1.0.228 | MIT/Apache-2.0 | Serialization framework
serde_json | 1.0.149 | MIT/Apache-2.0 | JSON parsing
sha2 | 0.10.9 | MIT/Apache-2.0 | SHA-256 hashing
sled | 0.34.7 | MIT/Apache-2.0 | Embedded key-value database
sqlx | 0.8.6 | MIT/Apache-2.0 | SQLite database (intake forms)
tempfile | 3.26.0 | MIT/Apache-2.0 | Temporary file handling
thiserror | 1.0.69 | MIT/Apache-2.0 | Error type derivation
time | 0.3.47 | MIT/Apache-2.0 | Time formatting
tokio | 1.49.0 | MIT | Async runtime
tower-http | 0.5.2 | MIT | HTTP middleware (compression, headers)
tracing | 0.1.44 | MIT | Structured logging
tracing-subscriber | 0.3.22 | MIT | Log output formatting
urlencoding | 2.1.3 | MIT | URL encoding
uuid | 1.21.0 | Apache-2.0/MIT | UUID generation (lead IDs)
zstd | 0.13.3 | MIT | Zstandard compression

All dependencies sourced from crates.io. Versions pinned in Cargo.lock. Full transitive tree: cargo tree --features approuter. Zero vendored binaries. Zero pre-built shared libraries.

NIST SP 800-218 — Secure Software Development Framework

SSDF Compliance Matrix — cochranblock
| Task | Practice | Implementation |
|---|---|---|
| PS — Prepare | PS.1 — Define security requirements | Memory-safe language (Rust) eliminates buffer overflows, use-after-free, data races by construction. Release profile: LTO, strip, panic=abort. |
| | PS.2 — Implement roles and responsibilities | Single maintainer (CODEOWNERS). All code reviewed via git diff before commit. AI-assisted development with human verification (Timeline of Invention). |
| | PS.3 — Implement toolchains | Rust toolchain via rustup. Clippy (linter), cargo build (compiler), cargo tree (dependency audit). No third-party CI — build IS the test. |
| PW — Protect | PW.1 — Design secure software | Single-binary architecture — no runtime deps, no container escape, no sidecar injection. Crypto: AES-256-GCM, Argon2id, HKDF. TLS via rustls. |
| | PW.4 — Reuse secure software | All deps from crates.io (Rust package registry). Versions pinned in Cargo.lock. SBOM generated from cargo tree. Zero vendored code. |
| | PW.5 — Create source code | Human-piloted AI development. Timeline of Invention documents every decision. Proof of Artifacts proves build output. All source public on GitHub. |
| | PW.6 — Configure compilation | opt-level='s', LTO, codegen-units=1, panic='abort', strip=true. Deterministic builds from Cargo.lock. |
| | PW.7 — Review code | Clippy with -D warnings (treat warnings as errors). All code pushed to public GitHub for community audit. |
| RV — Respond | RV.1 — Identify vulnerabilities | cargo audit (dependency vulnerability scan). GitHub Dependabot alerts enabled. Public issue tracker. |
| | RV.2 — Assess vulnerabilities | Single maintainer triages all alerts. Rust's type system prevents most memory-safety CVE classes entirely. |
| | RV.3 — Address vulnerabilities | Cargo.lock update + rebuild + deploy. Single binary = single update point. No container layers to rebuild. |
| PO — Protect Ops | PO.1 — Secure deployment | Binary copied via SCP. No package manager, no container registry, no orchestration. Cloudflare Zero Trust tunnel for internet exposure. |
| | PO.2 — Protect release integrity | Git commit hashes link source to build. Binary stripped but build is reproducible from Cargo.lock + source. |

CMMC Level 1-2 Practices

CMMC Domain Mapping — cochranblock
| Domain | Level | Practice | Implementation |
|---|---|---|---|
| AC — Access Control | L1 | AC.1.001 — Limit system access | No admin interface exposed. Deploy page uses form submission, not authenticated API. SSH with key-based auth to worker nodes. |
| | L1 | AC.1.002 — Limit transactions | Intake forms rate-limited by Cloudflare. No bulk data export endpoints. |
| AU — Audit | L2 | AU.2.042 — Create audit records | tracing + tracing-subscriber for structured logging. All HTTP requests logged with method, path, status, latency. |
| CM — Config Mgmt | L2 | CM.2.061 — Establish baselines | Cargo.lock pins all dependency versions. Release profile codified in Cargo.toml. Single binary = single config baseline. |
| IA — Identification | L1 | IA.1.076 — Identify users | No user authentication in cochranblock (static site). Intake submissions identified by UUID + email. |
| MP — Media Protection | L1 | MP.1.118 — Sanitize media | No removable media. All data in embedded sled/SQLite databases. Binary replacement = complete sanitization. |
| PE — Physical | L1 | PE.1.131 — Limit physical access | Worker nodes in private residence. SSH only via kova-commander key. WoL for remote power management. |
| SC — System/Comms | L1 | SC.1.175 — Monitor communications | Cloudflare Zero Trust tunnel encrypts all internet traffic. Internal node communication via SSH. |
| | L2 | SC.2.179 — Use encrypted sessions | TLS via rustls for all HTTPS. AES-256-GCM for data at rest. HKDF for key derivation. |
| SI — System Integrity | L1 | SI.1.210 — Identify flaws | Clippy -D warnings, cargo audit, GitHub Dependabot. Rust type system prevents memory-safety flaws. |
| | L2 | SI.2.214 — Monitor inbound traffic | Cloudflare WAF + DDoS protection. Approuter proxies all inbound requests with logging. |

Security Posture

Cryptographic Primitives & Attack Surface

Cryptographic Primitives

| Function | Algorithm | Crate | FIPS Status |
|---|---|---|---|
| Encryption at rest | AES-256-GCM | aes-gcm 0.10 | Algorithm approved (FIPS 197/SP 800-38D). Crate not FIPS-validated. |
| Password hashing | Argon2id | argon2 0.5 | Not FIPS. Exceeds PBKDF2 requirements. Path: swap to FIPS-validated PBKDF2 if required. |
| Key derivation | HKDF-SHA256 | hkdf 0.12 | Algorithm approved (SP 800-56C). Crate not FIPS-validated. |
| TLS | TLS 1.3 | rustls 0.23 | Algorithm approved. Crate in FIPS validation process (Prossimo project). |
| Hashing | SHA-256 | sha2 0.10 | Algorithm approved (FIPS 180-4). Crate not FIPS-validated. |
| Random | ChaCha20 | rand 0.8 | CSPRNG. Not FIPS-validated. |
| AI Model Signing | BLAKE3 (NanoSign) | blake3 1.x | 36-byte self-verifying signature. Any model format. Zero infrastructure. Spec |

NanoSign — AI Supply Chain Integrity

AI model files ship unsigned. NanoSign appends 36 bytes (4-byte magic + 32-byte BLAKE3 hash) to any model file — safetensors, GGUF, ONNX, PyTorch. The file becomes self-verifying with zero infrastructure. No key servers, no PKI, no ceremony. Verification runs at memory bandwidth (~6 GB/s). A 4GB model verifies in under 1 second. Aligns with EO 14028 supply chain transparency requirements, SSDF PS.1 (protect software components), and CMMC SC.L2-3.13.11 (CUI encryption). Reference implementation: 3 lines of Rust.
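The trailer layout described above, sketched as an added example; this is not the NanoSign reference implementation or code from this page. Assumptions: the magic value is a placeholder, the digest covers the bytes before the trailer, and BLAKE2b-256 stands in when the third-party `blake3` package is not installed. It also compares the embedded hash with a digest pinned out of band, because an unkeyed trailer shows the file is intact but not which file it is.

```python
import hashlib
import hmac

try:  # real BLAKE3 when the third-party `blake3` package is installed
    from blake3 import blake3
    def digest32(data: bytes) -> bytes:
        return blake3(data).digest()
except ImportError:  # stand-in only: BLAKE2b-256 from the standard library
    def digest32(data: bytes) -> bytes:
        return hashlib.blake2b(data, digest_size=32).digest()

MAGIC = b"XXXX"  # placeholder; the real 4-byte magic is not given on this page
TRAILER_LEN = len(MAGIC) + 32

def sign(payload: bytes) -> bytes:
    """Append magic + 32-byte digest of the payload (assumed layout)."""
    return payload + MAGIC + digest32(payload)

def verify(blob: bytes, pinned=None) -> str:
    """Return 'unsigned', 'corrupt', 'self-consistent', 'pinned-ok' or 'pin-mismatch'."""
    if len(blob) < TRAILER_LEN or blob[-TRAILER_LEN:-32] != MAGIC:
        return "unsigned"
    payload, embedded = blob[:-TRAILER_LEN], blob[-32:]
    if not hmac.compare_digest(digest32(payload), embedded):
        return "corrupt"  # payload bytes changed after the trailer was written
    if pinned is None:
        return "self-consistent"  # intact, but origin not established
    return "pinned-ok" if hmac.compare_digest(embedded, pinned) else "pin-mismatch"

def demo() -> dict:
    model = b"constructed sample weights " * 64  # constructed input, not a real model
    signed = sign(model)
    flipped = bytearray(signed)
    flipped[10] ^= 0x01  # single-bit corruption in the payload
    other = sign(b"different constructed payload")  # a different file, validly trailed
    trusted = digest32(model)  # digest obtained out of band (release notes, SBOM)
    return {
        "raw": verify(model),
        "signed": verify(signed),
        "flipped": verify(bytes(flipped)),
        "other_no_pin": verify(other),
        "other_pinned": verify(other, trusted),
        "signed_pinned": verify(signed, trusted),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} {result}")
```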

Attack Surface

  • Network exposure: One port (8081) behind approuter (8080) behind Cloudflare tunnel. No direct internet exposure.
  • Input validation: All form inputs validated server-side. HTML-escaped output prevents XSS. No SQL injection (parameterized queries via sqlx).
  • Error handling: thiserror for typed errors. No stack traces exposed to users. Errors logged via tracing, not displayed.
  • Dependencies: 42 direct deps, all from crates.io. No C dependencies except openssl (system library). No vendored binaries.
  • Memory safety: 100% Rust. No unsafe blocks in application code. Memory-safety CVE classes eliminated by construction.
  • Secrets: No plaintext secrets in source. Environment variables loaded from .env file with restricted permissions.

Cost Analysis

For a detailed cost comparison of cloud vs zero-cloud architecture: cochranblock.org/stats
