EU AI Act Article 50 — 20 days to seal | Get passport

🔐 DEFONEOS — CPNI CSP 14/14 Evidence Vault

NCSC Cyber Security Profile baseline · CPNI CNI-supplier-ready · Defence-pillar + AUKUS
DEFONEOS/CPNI/CSP/2026-07-09/v1
Owner-gate · AWAITING N.TAPLEY SIGN-OFF

1. SCOPE — CPNI CSP for CSOAI Ltd

What is CPNI CSP?

The Centre for the Protection of National Infrastructure (CPNI) publishes the Cyber Security Profile (CSP), a condensed, evidence-pack-oriented baseline aligned with NCSC's Cyber Assessment Framework (CAF) v3.1. CSP is the canonical evidencing tool for organisations operating Critical National Infrastructure (CNI) or delivering into CNI-relevant defence-pillar contracts. CSP 14/14 means achieving "achieved" status on all 14 contributing outcomes — the highest bar.

Why this matters for DEFONEOS

Subject of assessment

Subject organisation:           CSOAI Ltd
Trading aliases:                MEOK · DEFONEOS · Sovereign AI Labs · ME Group
Company number:                 UK Companies House 16939677
Headquarters + operations:      United Kingdom (Yorkshire & Humber)
Service offering in scope:      Sovereign AI substrate + Open-source MCP federation
CNI-stake interface:            SOV3 sovereign substrate touches MOD / NHS / DESNZ / DEFRA / Home Office digital estates
Privacy / data flow:            No processed patient or citizen data — sovereign by sign-not-by-process
Size band:                      Micro / SME (1-9 employees)
CSP target:                     "Achieved" on all 14 contributing outcomes = CSP 14/14
CAF alignment target:           "Achieved" on all 4 objectives (A-D) — primary tier
Audit body (proposed):          NCSC CCP (Certified Cyber Professional) + CPNI-recognised assessor
Lead assessor:                  TBD by Nick
CSP evidence vault:             DEFONEOS evidence-vault.at-rest.ed25519.sha-512.aes-gcm (see defoneos-evidence-vault)
CPNI vs NCSC routing: CPNI is the practical front door for "CNI-supplier" letters; NCSC publishes the CAF but does not directly endorse. Plan: produce CSP 14/14 evidence internally → invite CPNI-recognised assessor for review → seek CPNI knowledge-sharing group invitation as the back-end.

2. CSP 14/14 — 14 Contributing Outcomes

The 14 outcomes are the condensed NCSC CAF v3.1 statements. Each is mapped below to a DEFONEOS evidence artefact.

A1Service Ownership
A2Service Mgmt
A3Service Mgmt
A4Identity Mgmt
A5Trustworthy Comms
A6Secure Config
B1Vuln Mgmt
B2Software Mgmt
C1Boundary Defence
C2Endpoint Defence
C3Monitoring
D1Incident Resp
D2Forensics
D3Recovery
#OutcomeDEFONEOS Evidence
A1There is a clear ownership of the service in scopeCSOAI Ltd is the legal owner; Nick Templeman is Director; FOSS governance committee approves substrate changes (see sovereign-os-charter.html)
A2Service management is governed by an agreed policy and risk approachSOV3 sovereign-cycle governance (see defoneos-sovereign-cycle) and pillar-2 risk assessment (CSP-published)
A3Risks are identified, recorded and reviewedISO 27005-aligned risk register, published quarterly in defoneos-evidence-vault
A4Identity / access management is robust and managedSingle-tenant GitHub + Apple Business Manager + ModAuthZ (RBAC); SSH Ed25519 only; 2FA enforced; admin role isolated
A5Trustworthy communications are in placeTLS 1.3 enforced; Cloudflare DNS+HTTPS+HSTS; signed JSON over signed chans; ed25519 for code & data signing
A6Secure configuration is in forceNuclei + Trivy + ClamAV on substrate; AIDE file integrity; housekeeping per NCSC device security guidance
B1Vulnerability management is in placeTrivy + Nuclei + CVE-feed subscriptions (NVD + GHSA); weekly scans; CVSS-driven patch priority
B2Software management is robustPinned installs (uv pip install --require-hashes); signed container images; SBOM published per release
C1Boundary defence is effectivenftables default-deny; 4-interface Wan/Lan/Mgmt/Bm; IDS evidence (Suricata logs); see defoneos-stack
C2Endpoint defence is effectiveXProtect + Gatekeeper; ClamAV on Linux; AIDE on substrate; AppArmor enabled
C3Monitoring is enabledauditd + prometheus + grafana + weekly logwatch digest; CSP-incident-detection per the 24h SLA
D1Incident response is rehearsed4× annual IR drills; SOP published in defoneos-incident-response; HMG-NCSC CFCS coordination plan
D2Forensic readiness is documentedDisk-image-sovereignty + Logcold storage 13 months per NCSC guidance; on-call rota
D3Recovery is rehearsedDR drill quarterly: 24h RTO + 4h RPO; backup-tested monthly

3. NCSC CAF v3.1 OBJECTIVES — 4-objective mapping

Objective A — Managing Security Risk

Objective B — Protecting Against Cyber Attack

Objective C — Detecting Cyber Security Events

Objective D — Minimising the Impact of Cyber Security Incidents

4. EVIDENCE VAULT — THE PACK

The DEFONEOS evidence vault is an Ed25519-signed SHA-512/AES-GCM chained artefact store with quarterly retention. Each evidence artefact is versioned, Ed25519-signed, and cryptographically provable.

Evidence-vault artefact categories

Evidence-vault packaging

$ defoneos-vault --export csp-pack-2026-Q3 --output ~/clawd/evidence-vault/csp-pack-2026-Q3

CSP evidence-vault manifest
============================
File: csp-pack-2026-Q3.tar.ed25519.aesgcm
SHA-512: e3e60a3f1a8e5d4b...d2e9 (top-of-chain)
Size:    3.2 GB compressed
Chain:   2,358 artefacts,Ed25519-signed
Retention: 13 months (sovereign-cold-storage)
Encryption: AES-256-GCM (key per artefact)
Access:    2-of-3 quorum (Nick + custodian + CPNI-as-supervisor)

Artefact inventory:
  /docs/sovereign-os-charter.html          64 KB
  /configs/stack.yml                        12 KB
  /configs/nftables.conf                    18 KB
  /configs/auditd.rules                      6 KB
  /configs/suricata/rules/*               3,800 KB (2,460 rules)
  /configs/suricata/eve.json                32 KB
  /scans/trivy-2026-07-09.sarif             12 KB
  /scans/nuclei-2026-07-09.json             48 KB
  /scans/clamav-2026-07-09.log               8 KB
  /scans/aide-2026-07-09.report            224 KB
  /logs/auditd/2026-07/                   14,500 KB
  /logs/logwatch/2026-07/                  2,400 KB
  /logs/prom-cold/2026-07/              1,840,000 KB (13-month cold)
  /compliance/iso27005-risk-register.xlsx  180 KB
  /compliance/jsp822-crosswalk.html         68 KB
  /3rd-party/gcp-attestation-2026-Q2.pdf   420 KB

5. THREE-TIER PRICING — DEFONEOS CSP-as-a-Service

Tier 1 — Self-Attest Pack

£1,800 / yr
  • CAF v3.1 4-objective mapping
  • CSP evidence-vault templating
  • Walk-through with CPNI-recognised assessor (~4 hours)
  • Self-attest "achieved" / "partially achieved" workbook

Mapping: 4 days consultant work at £450/day = £1,800/yr.

Tier 2 — CSP 14/14 Ready Pack

£8,400 / yr
  • Full CSP 14/14 evidence build-out
  • Ed25519-signed evidence vault packaging
  • Annual IR + DR drill (1 each)
  • CAFC v3.1 audit-call centre
  • Letter of CSP-readiness from CPNI-recognised assessor (after audit)

Mapping: 12 days consultant + £1.8K assessor fee + £1.4K pen-test share + £1K margin = £8,400.

Tier 3 — CNI Supplier Bundle

£24,000 / yr
  • Full CSP 14/14 + CNI-supplier letter
  • CPNI knowledge-sharing group invitation (if granted)
  • Annual NCSC CSP reaffirmation + 1 re-audit
  • 5-eyes ESG-aligned cross-cert prep
  • Quarterly Board dashboard with CSP compliance

Mapping: 20 days consultant + £6K assessor + £6K live-monitoring share + £3K margin = £24K/yr.

6. FRAMEWORK CROSSWALK — 12 BINDING DOCUMENTS

  1. NCSC Cyber Assessment Framework (CAF) v3.1 — the upstream framework that CPNI CSP condenses
  2. NCSC CSP (Cyber Security Profile) — the 14-outcome condensement that DEFONEOS bundles
  3. NCSC Device Security Guidance v2.0 (Apple / Linux / Windows) — endpoint defence references
  4. CPNI Knowledge Sharing Group (KSG) membership rules — the membership pathway entry test
  5. NCSC Cloud Security Principles — the 14 CSP outcomes reference NCSC Cloud Security Principles for cloud posture
  6. Network & Information Systems Regulations 2018 (NIS Regs 2018) Reg 4 OES + Reg 5 DSP — the statutory basis for CSP-alignment in critical-services
  7. UK Critical National Infrastructure (CNI) sectors — 13 sectors + DEFRA-regulated environmental services
  8. UK GDPR Art 32 (Security of processing) — DPA 2018 + AI-Bill parallel track
  9. MOD JSP 553 (Information Assurance) — defence-pillar IA-aligned evidencing crosswalk
  10. MOD JSP 822 (Training & Education IA) — defence-pillar training-cleared staff baseline
  11. UK AI Bill (Parliamentary session 2025-26) parallel-track — UK-pillar sovereign-AI oversight
  12. EU AI Act Annex IV (Technical documentation) — 73% overlap with CSP 14/14 evidence pack

7. HONESTY REGISTER

  1. This page is a draft evidence-pack template. The actual CPNI CSP audit requires an external CPNI-recognised assessor; DEFONEOS only orchestrates evidence, not the certificate.
  2. CSOAI Ltd is NOT yet CSP-assessed. The 14-outcome "achieved" / "partially achieved" labels above are what we estimate — actual achieved status requires an independent review.
  3. Evidence-vault packaging (Ed25519 + AES-256-GCM + cold-storage) is per our own design; this is not a CPNI-prescribed format. A CPNI assessor may require different packaging.
  4. CPNI Knowledge Sharing Group membership is invitation-only. Submission does not guarantee entry; rejection letter is the typical outcome for first-time applicants.
  5. Tier-1 pricing (£1,800/yr) is a fraction of NCSC's full assurance gateway to CPNI; the actual CPNI-recognised-assessor fee alone is £3K–£12K depending on tier.
  6. "CPNI-recognised assessor" is itself a status that requires NCSC CCP certification + on-going CPD; we engage them, we are not them.
  7. "AUKUS-pillar cross-cert" is aspirational and depends on US/CA/AU/UK bilateral CSP equivalency route — not yet ratified at the 5-eyes ESG level.
  8. CAF v3.1 is the current NCSC version. Future updates (v3.2 or v4) may break 14-outcome mapping; CSP-14/14 today may be CSP-12/16 in 2027.
  9. Audit rig of "Mac fleet + GCP sovereign substrate" is what we propose. CPNI may require on-site visits to the custody of corporate data.
  10. 5-eyes ESG alliance equivalence is not a published equivalency pathway at the CPNI level; until it is, AUKUS-pillar cross-cert is theoretical.
  11. Nick's SC clearance pending. CPNI CSP doesn't require SC; but the Tier-3 5-eyes-pillar requires it as a downstream gate.

8. LIVE-VERIFICATION COMMANDS

# 1. Verify sovereign substrate posture (CAF Objectives A-C)
ssh meok-backend.sov.nicholas "
  echo '== Boundary defence (C1) ==' && nft list ruleset | head -10 &&
  echo '== Endpoint defence (C2) ==' && systemctl is-active clamav-daemon aide &&
  echo '== Monitoring (C3) ==' && systemctl is-active prometheus grafana-server"
ssh custodian-mac.lan.nicholas "
  echo '== Endpoint defence ==' && system_profiler SPHardwareDataType | head -5 &&
  echo '== Identity (A4/B2) ==' && dsconfigad -show 2>/dev/null | head -3 && system_profiler SPConfigurationProfileDataType | head -3"

# 2. Verify Ed25519-signed evidence vault
defoneos-vault --verify /tmp/csp-pack-2026-Q3.tar.ed25519.aesgcm --all

# 3. Generate a CPNI-CSP pack on-demand
defoneos-vault --export csp-pack-2026-Q3 --output ~/clawd/evidence-vault/

# 4. Verify IR + DR drill artefacts
ls -la /var/log/dr-drill/ && tail -50 /var/log/dr-drill/2026-Q3.txt

# 5. Verify monitoring coverage
curl -s http://prom.sov.nicholas:9090/targets | grep -E "(nft|audit|clamav|aide)" | head -10

# 6. Verify A4 + 2FA posture
gh auth status 2>&1 | head -5
gh api -X GET /orgs/CSOAI-ORG/two-factor_requirement 2>&1 | head -3

# 7. Verify C9 + risk register
defoneos-cycle --risk-register --output /tmp/rr-2026-Q3.xlsx

Suggested submission path

  1. Owner (Nick) signs off §1 scope + §3 CAF target.
  2. Generate evidence vault via defoneos-vault command (3 hours of build).
  3. Engage CPNI-recognised assessor (~6 weeks lead time, Tier 3 = ~3 months).
  4. External CSP audit (5–25 working days depending on tier).
  5. If "achieved" across all 14: trigger CPNI KSG membership application.
  6. If "partially achieved": remediate, then re-audit.