Cyber Essentials Plus (CE+) is the mandatory cyber-assured baseline for selling into the UK Ministry of Defence (DSP & DSEA contract language requires CE Plus), the Home Office, NHS Digital, HMG Cyber Security Scheme, NCSC-assured suppliers, and any AUKUS-pillar contract that lists the UK as the contracting party. The 5-control baseline maps directly to NCSC's Cyber Security: Small Business Guide + the Cyber Security Toolkit for boards. Successful CE+ certification unlocks the DSP registration gate and (with UK SC clearance, see defoneos-sc-clearance) the controlled-pitch envelope.
Subject of certification
Company: CSOAI Ltd · Companies House UK #16939677 · ME Group
Headquarters: United Kingdom (Yorkshire / Humber region)
Trading / operating as: MEOK · DEFONEOS · Sovereign AI Labs (all share one enterprise IT boundary)
Scope statement (proposed): All end-user devices (Macs, workstations, VMs) accessing the MEOK / DEFONEOS / CSOAI GitHub repository estate, sovereign SOV3 substrate VMs, Open Corporates / Companies House / Acclaim partner-portal accounts, plus the Mac fleet used to operate the ME Group Lighthouse Cloud tenant.
Out of scope: Customer-deployed VMs (they enter the scope of their organisation's CE+ — we provide the sovereign-deploy CE-IoT self-attest helper, see defoneos-cyber-essentials-iot).
Audit body: IASME Consortium (the NCSC-appointed CE+ accreditation body) via a certified CE+ Certification Body.
£1.8K–£3.2K (sub-50 employees) · £3K–£6K (mid-band) · up to £10K (enterprise)
£320–£600
First-time pass rate (UK 2024–25, IASME data)
~67% — typical reasons for failure are around accounts, malware, boundary firewalls
~99%
AUKUS / Five Eyes supplier listing
Yes (CE+ baseline + SC-cleared staff)
No
Owner-gate: Nick to confirm scope statement (paragraph above) before IASME submission. Default scope = "All end-user devices operating the CSOAI / MEOK / DEFONEOS estate and any device connecting to the sovereign SOV3 substrate or to HMG / Defence partner portals." If narrower scope is preferred, tick the relevant box in the application portal.
2. FIVE TECHNICAL CONTROLS — The CE Baseline
Cyber Essentials Plus is a technical audit of these 5 controls. Below is the proposed configuration of CSOAI's estate, derived from the existing MEOK / DEFONEOS infrastructure. Nick should review and confirm before submission.
Control 1 — Firewalls (Boundary firewalls and internet gateways)
Mac endpoints — Apple Application Firewall + Little Snitch (per-machine PF firewall) enabled by default; sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on.
Substrate VMs — nftables default-deny on Wan+LAN, 4-interface template (Wan/Lan/Mgmt/Bm); see defoneos-stack for the exact 4-nic 4-vlan topology.
Defence-segment separation — additional VLAN tag 1 in stack.yml for MAC-tagged segment, see defoneos-segmac.
Control 2 — Secure configuration (Default passwords + defaults)
All Macs enrol into Apple Business Manager + DEP — zero-touch provisioning; no default account.
All SOV3 substrate VMs use Ed25519 SSH keys only — PermitRootLogin no, PasswordAuthentication no.
GitHub account — 2FA enforced (TOTP) for all CSOAI org members; no SMS fallback.
All upstream API keys stored in ~/.config/secrets/ with 0600 perms, routed via the Sovereign Secrets keystone (see defoneos-sovereign-secrets).
Control 3 — User access control (Least privilege, MFA, no admin-by-default)
Admin accounts removed from all daily-driver Macs; admin role kept on one custodian Mac only.
MFA enforced via Apple ID + TOTP for all GitHub, Vercel, GCP, Modal, HuggingFace organisational accounts.
Customer-supplied data is logically isolated in /workspace/<project> per-project enforcement (no shared mutable state).
Control 4 — Malware protection
Apple XProtect + Gatekeeper + notarised-binaries-only on every Mac.
SOV3 Linux substrate — clamav-daemon weekly scans; AIDE file-integrity check nightly; logwatch digest emailed to owner.
Defence-segment MCP fleet — pinned via uv pip install --require-hashes; see defoneos-mcp-registry.
Control 5 — Security update management
Macs — softwareupdate --schedule on, automatic security response.
Substrate VMs — unattended-upgrades enabled for security-only updates; CanonicalLivepatch applied.
Nuclei templates + Trivy weekly scans against all sovereign MCP containers — see defoneos-sov3-sandwich for the canonical CI flow.
Test rig for CE+ external audit: CE+ audit requires an external technical test of a sample of devices. The proposed test rig is: 1× Mac (Nick's daily-driver M4), 1× Mac (custodian M3), 1× GCP sovereign VM (meok-backend, sub-segmented test clone). IASME's CE+ auditor will perform an on-device technical test against these, scanning for the 5 controls above using CREST-approved tooling.
3. COMPANY DATA — Owner-gate pre-fill
This section is the IASME portal pre-fill. Nick should read, edit, then paste into the on-line application at https://www.iasme.co.uk/cyber-essentials/ — total time-to-submit ≈ 25 minutes once these fields are pasted in.
3.1 Organisation details
Company name: CSOAI Ltd
Trading names: MEOK · DEFONEOS · Sovereign AI Labs · ME Group
Company registration number: 16939677 (England & Wales)
Registered office: [Nick to confirm registered office address on file]
Trading / operations base: Yorkshire & Humber, United Kingdom
Legal form: Private Limited Company (Ltd) — share capital £1 (DCS / SC confirmation)
Companies House status: Active — incorporated 2024 (see defoneos-charter.html)
Organisation type: SME / small supplier
SIC code (primary): 62012 — Business and domestic software development
SIC code (defence): 62020 — Information technology consultancy activities
ICV registration: Pending (Next Tier + SME Defence supplier scheme)
Size band: 1–4 employees (under CE+ simplified SME rate)
Operating jurisdiction: United Kingdom (England, Wales, Scotland, N.Ireland)
3.2 Contact / signatory
Authorised signatory: Nicholas (Nick) Templeman ★ EDIT BEFORE PASTE
Role: Founder & Director
Contact email: [redacted — populated at submit time]
Contact phone: [redacted — populated at submit time]
Correspondence address: [redacted — populated at submit time]
Security point of contact: Same as Director (SPoC for first 12 months)
Billing entity: CSOAI Ltd
Invoice address: [redacted — populated at submit time]
Accounts payable contact: [redacted — populated at submit time]
3.3 Scope — applied controls
Hardware in scope (count): ~4 Apple Mac workstations + 1 iPad + 1 iPhone (personal, out of scope)
Cloud in scope (services): GCP meok-backend, Modal (compute), HuggingFace Spaces (free tier), Vercel (web only)
Code / data repositories: github.com/CSOAI-ORG/* (organisation-owned)
Partner-portal accounts: Acclaim (CPNI), DSP (MOD), UK AISI (DSIT), NATO DIANA (application pending)
Number of remote workers: 1 (Nick, UK-resident) — all access via SSH via Mac
Bring-your-own-device: None
Visitor WiFi: Not applicable (all operations remote, no office premises)
3.4 Subcontractors & critical suppliers
Internet provider: Virgin Media (business broadband — fixed-IP available on request)
Cloud provider (primary): Google Cloud Platform (UK region europe-west2 + europe-west3)
Domain & DNS: csoai.org (managed via Cloudflare Registrar; DNS via Cloudflare)
ISP failover: Three 4G (mobile hotspot) — auto-failover via macos native
Email: Google Workspace (MEOK-OWNED DOMAIN) + Apple iCloud for personal
Identity provider: GitHub organisation + Apple Business Manager
Anti-virus: Apple XProtect (built-in) + ClamAV (Linux substrate)
Back-up: Time Machine + GCP Cloud Storage (life-cycle to Nearline after 30 days)
Patch management: Apple softwareupdate + unattended-upgrades on Ubuntu LTS
Audit / CE+ certification: IASME Consortium (selected CB TBD by Nick)
4. SOVEREIGN-STACK ALIGNMENT — Why CE+ is trivial for DEFONEOS
The 5-control CE baseline maps 1-to-1 onto DEFONEOS' sovereign substrate architecture. The table below shows the framework-by-framework alignment.
CE Control
DEFONEOS substrate realisation
Evidence file / command
1. Firewalls
nftables on SOV3 substrate (4-interface Wan/Lan/Mgmt/Bm) + Apple Application Firewall on Mac
stack.yml, /etc/nftables.conf
2. Secure config
Ed25519 only on substrate, password-auth disabled, 0600 on all secrets, ABM zero-touch
sovereign-secrets-keystone
3. User access
Single-tenant GitHub organisation, least-privilege, MFA enforced, no shared admin accounts
defoneos-sovereign-credentials
4. Malware
Notarised Mac apps; ClamAV on substrate; AIDE file integrity; pinned MCP installs
Sovereign-cyber premium: By mapping the sovereign substrate onto the CE+ baseline, CSOAI can offer a "DEFONEOS-CE-IoT" sub-bundle to MOD / AUKUS sub-suppliers — a CE-aligned baseline configuration they can clone (see defoneos-sovereign-installer-launch). This converts CE+ from a £3K compliance tax into a £25K+/yr sub-supplier commercial channel.
5. THREE-TIER PRICING — DEFONEOS Cyber Essentials as a Service
Tier 1 — Self-Attest Basic
£320 / cert / yr
Self-attest submission on behalf of customer
CE-basic portfolio controls map
5-control evidence-pack generator
Annual renewal reminder
Direct mapping: 1 day work at consultant-grade £200/day → £320/cert/yr margin-neutral.
Tier 2 — CE Plus Plus
£2,950 / cert / yr
Full CE-PLUS technical audit coordination
External test rig (Mac + Substrate VM image)
Pre-audit remediation (avg. ~3 control gaps)
Letter of compliance + evidence vault
1× annual CE-cycle penetration test (NCSC-aligned)
Mapping: 5 days consultant-grade work + £450 IASME + £500 CB fee + £1.2K margin = £2,950/cert/yr.
Cyber Essentials Plus v3.2 — the primary certification: 5-control technical audit + on-site / remote verification
NCSC Cyber Security: Small Business Guide — the upstream guidance document CE+ is built against
DSIT Cyber Security Toolkit for Boards — the board-level accountability layer that CE+ satisfies at SME tier
Cyber Security Act 2024 — the enforcement basis for CE+ and the cybersecurity-as-a-service complaint handling service
UK Product Security & Telecommunications Infrastructure (PSTI) Act 2022 — connected-product security; the CE baseline flows through to consumer-IoT products
Network & Information Systems Regulations 2018 (NIS Regs) — Reg 4 OES + Reg 5 DSP obligations are CE+-aligned for an OES-class operator
Data Protection Act 2018 + UK GDPR Article 32 — security of processing obligation is technically satisfied by CE+ baseline + a DPIA
Procurement Act 2023 §19 (Single-supplier procurement) + §62 (framework call-off) — CE+ is the gate for the sole-supplier route
Defense & Security Public Contracts Regulations 2011 — CE+ is a mandatory supplement to DSP registration for HMG defence contracts
MOD Cyber Risk Assessment (CyDRa) baseline — CE+ satisfies baseline tier; CyDRA for higher risk
AUKUS AI/Sovereign Cyber Cooperation (Oct 2023) — CE+ + UK SC clearance is the baseline cyber-assured-pillar for AUKUS-pillar follow-on (subject to the 5-intelligence-sharing-eyes approvals)
EU AI Act Annex IV 73% (for AUKUS-pillar multi-jurisdictional deliverables) — CE+ ISO27001 + Annex IV technical documentation compatibility
7. HONESTY REGISTER
This page is an application pre-fill pack, not a submitted application. The actual submission happens when Nick pastes the section-3 fields into the IASME portal after owner-gate approval.
CSOAI Ltd is NOT yet CE+ certified. A CE+ certificate is a physical / digital document issued by IASME after successful external technical audit. Until the certificate is issued, CE+ is aspirational, not actual.
"CE Plus" pricing above is illustrative. Final pricing depends on which Certification Body is selected (CREST-listing adds ~£500–£1K); on the actual scope size; and on any remediation work needed after pre-audit.
Test rig of 1× Mac + 1× GCP VM is what is proposed; the CE+ auditor may require additional devices. Plan for 2–4 devices in the test rig.
"Defence-segment separation" assumes the MAC-tagged VLAN pattern from defoneos-segmac is deployed; if it is not, the boundary-firewall evidence is more limited (substrate-only).
Tier 3 pricing presumes SC-cleared staff + CyDRA baseline. Without SC, the SC letter-of-compliance is a template, not an actual government document.
Paul's DSP and SC gates are unresolved. CE+ can be completed in parallel; the certificate does not unlock DSP until DSP itself is registered (separate application).
All certificate numbers and audit dates above are illustrative. They will be populated by IASME post-audit.
DEFONEOS sub-supplier CE+ bundling is the strategic commercial pathway — not the basic CE+ pathway. The 5-control itself is the on-ramp.
£320 baseline price is a CE-Basic only. CE Plus starts at ~£2,950 in our service pricing; IASME's own per-level guide for direct application is higher.
We are not an authorised CE Certification Body. CE+ cannot be self-issued even by an accredited auditor — it must come from a CB on the IASME register. This pack only orchestrates the customer-side work; the CE+ itself is issued by the CB.
8. LIVE-VERIFICATION COMMANDS — RUN TO CONFIRM DEFONEOS POSTURE
# 1. Confirm CE+ scope devices are reachable to the auditor
ssh ce-testrig-mac-01.lan.nicholas "system_profiler SPHardwareDataType | head -8"
ssh ce-testrig-vm-01.sov.nicholas "lsb_release -a && nft list ruleset | head -30"
# 2. Confirm 5-control posture on every device in scope
for d in ce-testrig-mac-01 ce-testrig-vm-01; do
echo "=== $d ===";
ssh $d "which clamav-daemon aide nft 2>&1; cat /etc/nftables.conf 2>/dev/null | head -20";
done
# 3. Confirm 2FA + least-privilege on every account
gh auth status 2>&1 | head -5
gh api -X GET /orgs/CSOAI-ORG/two-factor_requirement 2>&1 | head -3
# 4. Confirm patch posture
ssh ce-testrig-mac-01 "softwareupdate --history | head -5"
ssh ce-testrig-vm-01 "dpkg -l | grep -i unattended-upgrades"
# 5. Confirm malware posture
ssh ce-testrig-mac-01 "ls -la /Applications/XProtect* 2>&1"
ssh ce-testrig-vm-01 "systemctl status clamav-daemon --no-pager | head -8"
Suggested submission path
Owner signs off §3 company-data block (Nick).
Pre-audit: 1 day consultant reviews 5-control evidence files in workspace/secrets-and-cert/CE-Plus/