OpsDoctor is built on OpenClaw, open-source AI agent technology. The code is free. The compliance, infrastructure, and operational burden are not.
If you have the team and want to self-host, this page gives you an honest look at what's involved — and three deployment paths to choose from.
Choose Your Deployment Model
Defense contractors have different security postures depending on contract requirements, data sensitivity, and CMMC level. Here are the three paths:
Path 1: Hardened VPS (Recommended Start)
Best for: Contractors handling CUI who need NIST 800-171 alignment without the overhead of GovCloud.
- Dedicated VPS on a US-based provider (DigitalOcean, Vultr, or Hetzner US)
- Full-disk encryption, SSH key-only access, Tailscale or WireGuard overlay network
- Docker containers with per-client isolation
- Automated backups to encrypted S3-compatible storage
- Monthly cost: $50-150 for infrastructure + $100-300 for AI model access
This is how OpsDoctor's managed service runs for most clients. It's battle-tested, cost-effective, and meets NIST 800-171 controls when properly hardened.
Path 2: AWS GovCloud
Best for: Contractors who need FedRAMP High authorization, ITAR compliance, or whose primes require GovCloud.
- AWS GovCloud (US-West or US-East) — FedRAMP High, ITAR, DoD SRG IL4/IL5
- ECS or EKS for container orchestration
- RDS with encryption at rest and in transit
- VPC with private subnets, no public internet exposure
- CloudTrail + GuardDuty for audit logging and threat detection
- Monthly cost: $500-1,500+ for infrastructure (GovCloud pricing premium)
GovCloud adds real compliance value but significantly increases cost and operational complexity. You'll need someone who's deployed in GovCloud before — the IAM policies alone will take days.
Path 3: Air-Gapped / On-Premises
Best for: Contractors handling classified work (IL5+), SAP/SAR programs, or organizations with strict data sovereignty requirements.
- Physical or virtual servers on your own infrastructure
- No internet connectivity — all AI models run locally (Llama, Mistral, or similar)
- Manual update process via sneakernet or approved transfer mechanisms
- Complete data sovereignty — nothing leaves your facility
- Cost: Hardware ($5K-20K upfront) + GPU for local inference ($3K-15K)
This is the most secure option and the most operationally demanding. Local models are improving fast but still trail cloud models in capability. OpsDoctor can be deployed this way — talk to us if this is your requirement.
What You'll Need (All Paths)
The skills required:
- Linux administration (hardening, patching, monitoring)
- Docker and container orchestration
- Networking — firewalls, VPNs, TLS certificate management
- API integration — Microsoft Graph API (M365 GCC/GCC High), ERP connectors
- Database management — PostgreSQL, backups, encryption at rest
- Secrets management — HashiCorp Vault, AWS Secrets Manager, or equivalent
- Compliance documentation — SSP, POA&M, audit log retention
The time commitment:
- Initial setup: 40-80 hours (VPS) / 80-160 hours (GovCloud) / 160+ hours (on-prem)
- Monthly maintenance: 10-20 hours minimum
- CMMC assessment preparation: 40-100 hours (documentation alone)
- Emergency response: 2-8 hours per incident
The M365 GCC High Integration Challenge
Most defense contractors run Microsoft 365 GCC or GCC High. Integrating with it is not the same as integrating with commercial M365.
- Different endpoints — Graph API URLs are different for GCC High (graph.microsoft.us vs graph.microsoft.com)
- App registration — Azure AD for Government has separate tenant requirements
- Conditional Access — Your security policies will block OAuth flows you're used to
- Compliance boundaries — Data must stay within the GCC High boundary; cross-tenant calls fail silently
- Limited documentation — Microsoft's GCC High docs have gaps. Expect trial and error.
This is where most DIY deployments stall. The M365 integration works on commercial tenants, then breaks in non-obvious ways on GCC High.
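A pre-flight check for the endpoint mismatch described above, as an added example (not OpsDoctor or OpenClaw code). It compares the sign-in authority, the Graph base URL and any resource-qualified scopes against the publicly documented hosts for each Microsoft cloud; the function name, the configuration shape and the `TENANT_ID` placeholder are assumptions.

```python
from urllib.parse import urlparse

# Publicly documented Microsoft cloud endpoints. M365 GCC (not GCC High)
# uses the commercial hosts, so it shares the "commercial" entry.
CLOUDS = {
    "commercial": {"authority": "login.microsoftonline.com", "graph": "graph.microsoft.com"},
    "gcc_high": {"authority": "login.microsoftonline.us", "graph": "graph.microsoft.us"},
    "dod": {"authority": "login.microsoftonline.us", "graph": "dod-graph.microsoft.us"},
}


def _host(url):
    """Hostname of an https URL, or None for any other scheme or a bare string."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        return None
    return parsed.hostname


def check_graph_config(cloud, authority_url, graph_base_url, scopes):
    """Return a list of findings; an empty list means the settings agree."""
    if cloud not in CLOUDS:
        return [f"unknown cloud {cloud!r}"]
    expected = CLOUDS[cloud]
    findings = []
    if _host(authority_url) != expected["authority"]:
        findings.append(f"authority host must be {expected['authority']}")
    if _host(graph_base_url) != expected["graph"]:
        findings.append(f"Graph host must be {expected['graph']}")
    for scope in scopes:
        # Resource-qualified scopes (https://<host>/...) embed the Graph host;
        # short names such as "offline_access" carry no host and are skipped.
        if "://" in scope and _host(scope) != expected["graph"]:
            findings.append(f"scope {scope} targets the wrong Graph host")
    return findings


# Constructed sample: settings copied from a commercial tenant where only the
# authority was switched to the US Government host.
PORTED = dict(
    cloud="gcc_high",
    authority_url="https://login.microsoftonline.us/TENANT_ID",
    graph_base_url="https://graph.microsoft.com/v1.0",
    scopes=["https://graph.microsoft.com/.default", "offline_access"],
)

if __name__ == "__main__":
    for finding in check_graph_config(**PORTED):
        print("MISMATCH:", finding)
```

Running a check like this at container start-up turns a half-migrated configuration into an explicit failure instead of a token that authenticates and then cannot reach tenant data.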
ERP Integration: Costpoint, Unanet, PROCAS
Defense ERP systems don't have friendly APIs. Here's the reality:
- Deltek Costpoint — SOAP-based API or direct database access. Documentation requires a Deltek support contract. Expect XML parsing nightmares.
- Unanet — REST API available but limited. Timesheet and project data accessible; financial data requires elevated permissions your Unanet admin may not grant.
- PROCAS — No public API. Data extraction via scheduled reports or database queries.
- JAMIS Prime — Web-based with limited integration points. Screen scraping may be your only option.
OpsDoctor uses a controlled ingestion model for ERP data — you decide what data we see, exported on your schedule. No direct API access to your financial systems unless you choose to enable it. This is often simpler and more secure than trying to build a live integration.
Security Is Not Optional
Your AI agent will have access to CUI, contract data, financial information, and potentially ITAR-controlled technical data. The security checklist for defense work goes well beyond standard DevOps:
- FIPS 140-2 validated encryption modules
- Multi-factor authentication on all administrative access
- Audit logging with tamper-evident storage (min 1 year retention)
- Incident response plan documented and tested
- Access control matrices mapped to NIST 800-171 controls
- Vulnerability scanning on a defined cadence
- Data flow diagrams showing CUI boundaries
- Subcontractor/vendor risk assessment (if using cloud AI models)
If you're pursuing CMMC Level 2, every one of these needs documentation in your System Security Plan. Miss one, and your assessor will flag it.
The AI Model Question
Cloud AI models (Claude, GPT-4) are significantly more capable than local models, but they introduce compliance questions:
- Cloud models: Data leaves your boundary. Anthropic and OpenAI have enterprise agreements with data handling terms, but your SSP needs to account for this. Some primes won't accept it for CUI.
- Local models: Data stays on your infrastructure. Llama 3, Mistral, and similar models run on consumer GPUs. Capability is good for structured tasks (email parsing, report generation) but weaker for complex reasoning.
- Hybrid approach: Use local models for CUI-adjacent tasks, cloud models for non-sensitive work. This is where most defense deployments will land.
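One way to enforce the hybrid split so that it fails closed, as an added example (not OpsDoctor or OpenClaw code). It assumes the ingestion layer attaches a sensitivity label to every input document; the label names, function names and sample tasks are hypothetical.

```python
LOCAL, CLOUD = "local", "cloud"

# Hypothetical labels assigned at ingestion. Only labels on this allow-list
# may leave the boundary; anything else, including a typo, stays local.
CLOUD_ALLOWED = {"public", "internal-non-cui"}


def route(doc_labels, cloud_approved=True):
    """Return (destination, reason) for one task given its inputs' labels."""
    if not cloud_approved:
        # The SSP does not cover a cloud model, so nothing is sent out.
        return LOCAL, "cloud model use not approved"
    if not doc_labels:
        return LOCAL, "task has no labelled inputs"
    for label in doc_labels:
        if label is None:
            return LOCAL, "unlabelled input"
        if label.strip().lower() not in CLOUD_ALLOWED:
            # One restricted document pins the whole task to the local model.
            return LOCAL, f"label {label!r} is not cleared for cloud"
    return CLOUD, "all inputs cleared for cloud"


def plan(tasks, cloud_approved=True):
    """Map task id -> destination for a batch shaped {task_id: [labels]}."""
    return {tid: route(labels, cloud_approved)[0] for tid, labels in tasks.items()}


# Constructed sample batch.
SAMPLE_TASKS = {
    "newsletter-draft": ["public"],
    "timesheet-summary": ["internal-non-cui", "public"],
    "subcontract-review": ["public", "CUI"],
    "scanned-attachment": ["public", None],
    "empty-task": [],
}

if __name__ == "__main__":
    for task_id, labels in SAMPLE_TASKS.items():
        destination, reason = route(labels)
        print(f"{task_id}: {destination} ({reason})")
```

The decision depends only on labels set before the model sees the data, so a prompt or document cannot talk its way onto the cloud path.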
The DIY Resources
If you have the team and the time, the tools are available:
- OpenClaw Documentation — deployment guides, API reference, integration patterns
- OpenClaw GitHub — source code, issue tracker, and deployment templates
- NIST SP 800-171 Rev 2 — the 110 controls you'll need to implement and document
- CMMC Assessment Guide — what assessors actually look for
- Microsoft GCC High Documentation — Graph API endpoints and tenant configuration
Honest Comparison
| | DIY (VPS) | DIY (GovCloud) | OpsDoctor |
|---|---|---|---|
| Monthly cost | $200-450 | $700-2,000+ | $1,000-1,500 |
| Setup time | 40-80 hours | 80-160 hours | Days, not weeks |
| Monthly ops | 10-20 hours | 15-30 hours | 0 hours |
| M365 GCC High | You figure it out | You figure it out | Pre-configured |
| ERP integration | Build from scratch | Build from scratch | Controlled ingestion |
| CMMC prep | Your responsibility | Your responsibility | Documentation included |
| On-prem option | Possible | N/A | Available |
Ready To Hand It Off?
Whether you've tried the DIY path and hit the GCC High wall, or you'd rather skip 160 hours of setup and go straight to operational:
We believe in open source. We also believe your time is better spent winning contracts than debugging GCC High tenant configurations at midnight.