EU AI Act Article 50 — 20 days to seal | Get passport

🛡️ DEFONEOS — Cyber Essentials Plus — Owner-Gate Pre-Fill

IASME-aligned · NCSC SC-150 baseline · MOD + AUKUS + Five Eyes supplier-ready
DEFONEOS/CE-PLUS/PACK/2026-07-09/v1
Owner-gate · AWAITING N.TAPLEY SIGN-OFF

1. SCOPE — Cyber Essentials Plus for CSOAI Ltd

Why this matters

Cyber Essentials Plus (CE+) is the mandatory cyber-assured baseline for selling into the UK Ministry of Defence (DSP & DSEA contract language requires CE Plus), the Home Office, NHS Digital, HMG Cyber Security Scheme, NCSC-assured suppliers, and any AUKUS-pillar contract that lists the UK as the contracting party. The 5-control baseline maps directly to NCSC's Cyber Security: Small Business Guide + the Cyber Security Toolkit for boards. Successful CE+ certification unlocks the DSP registration gate and (with UK SC clearance, see defoneos-sc-clearance) the controlled-pitch envelope.

Subject of certification

Application decision matrix

DecisionCE PlusCE Basic
MOD / DSEA contract eligibilityYes — mandatory gateNo — insufficient
DSP registration supplementaryYesNo
Audit depthExternal technical audit + on-site / remote verificationSelf-assessment only
Lead time5–15 working days (audit + retest)1–3 working days
Cost band£1.8K–£3.2K (sub-50 employees) · £3K–£6K (mid-band) · up to £10K (enterprise)£320–£600
First-time pass rate (UK 2024–25, IASME data)~67% — typical reasons for failure are around accounts, malware, boundary firewalls~99%
AUKUS / Five Eyes supplier listingYes (CE+ baseline + SC-cleared staff)No
Owner-gate: Nick to confirm scope statement (paragraph above) before IASME submission. Default scope = "All end-user devices operating the CSOAI / MEOK / DEFONEOS estate and any device connecting to the sovereign SOV3 substrate or to HMG / Defence partner portals." If narrower scope is preferred, tick the relevant box in the application portal.

2. FIVE TECHNICAL CONTROLS — The CE Baseline

Cyber Essentials Plus is a technical audit of these 5 controls. Below is the proposed configuration of CSOAI's estate, derived from the existing MEOK / DEFONEOS infrastructure. Nick should review and confirm before submission.

Control 1 — Firewalls (Boundary firewalls and internet gateways)

Control 2 — Secure configuration (Default passwords + defaults)

Control 3 — User access control (Least privilege, MFA, no admin-by-default)

Control 4 — Malware protection

Control 5 — Security update management

Test rig for CE+ external audit: CE+ audit requires an external technical test of a sample of devices. The proposed test rig is: 1× Mac (Nick's daily-driver M4), 1× Mac (custodian M3), 1× GCP sovereign VM (meok-backend, sub-segmented test clone). IASME's CE+ auditor will perform an on-device technical test against these, scanning for the 5 controls above using CREST-approved tooling.

3. COMPANY DATA — Owner-gate pre-fill

This section is the IASME portal pre-fill. Nick should read, edit, then paste into the on-line application at https://www.iasme.co.uk/cyber-essentials/ — total time-to-submit ≈ 25 minutes once these fields are pasted in.

3.1 Organisation details

Company name:                 CSOAI Ltd
Trading names:                MEOK · DEFONEOS · Sovereign AI Labs · ME Group
Company registration number:  16939677 (England & Wales)
Registered office:            [Nick to confirm registered office address on file]
Trading / operations base:    Yorkshire & Humber, United Kingdom
Legal form:                   Private Limited Company (Ltd) — share capital £1 (DCS / SC confirmation)
Companies House status:       Active — incorporated 2024 (see defoneos-charter.html)
Organisation type:            SME / small supplier
SIC code (primary):           62012 — Business and domestic software development
SIC code (defence):           62020 — Information technology consultancy activities
ICV registration:             Pending (Next Tier + SME Defence supplier scheme)
Size band:                    1–4 employees (under CE+ simplified SME rate)
Operating jurisdiction:        United Kingdom (England, Wales, Scotland, N.Ireland)

3.2 Contact / signatory

Authorised signatory:         Nicholas (Nick) Templeman  ★ EDIT BEFORE PASTE
Role:                         Founder & Director
Contact email:                [redacted — populated at submit time]
Contact phone:                [redacted — populated at submit time]
Correspondence address:       [redacted — populated at submit time]
Security point of contact:    Same as Director (SPoC for first 12 months)
Billing entity:               CSOAI Ltd
Invoice address:              [redacted — populated at submit time]
Accounts payable contact:     [redacted — populated at submit time]

3.3 Scope — applied controls

Hardware in scope (count):     ~4 Apple Mac workstations + 1 iPad + 1 iPhone (personal, out of scope)
Cloud in scope (services):     GCP meok-backend, Modal (compute), HuggingFace Spaces (free tier), Vercel (web only)
Code / data repositories:      github.com/CSOAI-ORG/* (organisation-owned)
Partner-portal accounts:       Acclaim (CPNI), DSP (MOD), UK AISI (DSIT), NATO DIANA (application pending)
Number of remote workers:      1 (Nick, UK-resident) — all access via SSH via Mac
Bring-your-own-device:         None
Visitor WiFi:                  Not applicable (all operations remote, no office premises)

3.4 Subcontractors & critical suppliers

Internet provider:             Virgin Media (business broadband — fixed-IP available on request)
Cloud provider (primary):      Google Cloud Platform (UK region europe-west2 + europe-west3)
Domain & DNS:                  csoai.org (managed via Cloudflare Registrar; DNS via Cloudflare)
ISP failover:                  Three 4G (mobile hotspot) — auto-failover via macos native
Email:                         Google Workspace (MEOK-OWNED DOMAIN) + Apple iCloud for personal
Identity provider:             GitHub organisation + Apple Business Manager
Anti-virus:                    Apple XProtect (built-in) + ClamAV (Linux substrate)
Back-up:                       Time Machine + GCP Cloud Storage (life-cycle to Nearline after 30 days)
Patch management:              Apple softwareupdate + unattended-upgrades on Ubuntu LTS
Audit / CE+ certification:    IASME Consortium (selected CB TBD by Nick)

4. SOVEREIGN-STACK ALIGNMENT — Why CE+ is trivial for DEFONEOS

The 5-control CE baseline maps 1-to-1 onto DEFONEOS' sovereign substrate architecture. The table below shows the framework-by-framework alignment.

CE ControlDEFONEOS substrate realisationEvidence file / command
1. Firewallsnftables on SOV3 substrate (4-interface Wan/Lan/Mgmt/Bm) + Apple Application Firewall on Macstack.yml, /etc/nftables.conf
2. Secure configEd25519 only on substrate, password-auth disabled, 0600 on all secrets, ABM zero-touchsovereign-secrets-keystone
3. User accessSingle-tenant GitHub organisation, least-privilege, MFA enforced, no shared admin accountsdefoneos-sovereign-credentials
4. MalwareNotarised Mac apps; ClamAV on substrate; AIDE file integrity; pinned MCP installsdefoneos-mcp-registry
5. Updatesautomatic macOS security response; unattended-upgrades; Canonical Livepatch; weekly Trivydefoneos-sov3-sandwich
Sovereign-cyber premium: By mapping the sovereign substrate onto the CE+ baseline, CSOAI can offer a "DEFONEOS-CE-IoT" sub-bundle to MOD / AUKUS sub-suppliers — a CE-aligned baseline configuration they can clone (see defoneos-sovereign-installer-launch). This converts CE+ from a £3K compliance tax into a £25K+/yr sub-supplier commercial channel.

5. THREE-TIER PRICING — DEFONEOS Cyber Essentials as a Service

Tier 1 — Self-Attest Basic

£320 / cert / yr
  • Self-attest submission on behalf of customer
  • CE-basic portfolio controls map
  • 5-control evidence-pack generator
  • Annual renewal reminder

Direct mapping: 1 day work at consultant-grade £200/day → £320/cert/yr margin-neutral.

Tier 2 — CE Plus Plus

£2,950 / cert / yr
  • Full CE-PLUS technical audit coordination
  • External test rig (Mac + Substrate VM image)
  • Pre-audit remediation (avg. ~3 control gaps)
  • Letter of compliance + evidence vault
  • 1× annual CE-cycle penetration test (NCSC-aligned)

Mapping: 5 days consultant-grade work + £450 IASME + £500 CB fee + £1.2K margin = £2,950/cert/yr.

Tier 3 — CE+CSP+SC Bundle

£8,400 / cert / yr
  • CE-PLUS + NCSC CSP 14/14 baseline + SC-cleared reference template
  • Pre-audit + post-audit evidence vault
  • Quarterly Nessus+Trivy continuous scan
  • Defence supplier portal onboarding
  • Annual recert and 1× repeat audit

Mapping: 10 days consultant + £2.5K IASME + £2K CB fee + £1.5K pen-test share + £1.4K margin = £8,400.

Cross-supplier economic context (UK 2024–25 IASME data)

Volume segmentSites / yrCE+DEFONEOS CE+ Platform fee
Micro (1–10 employees)~140k/yr£1.8K–£3.2K£2,950 + £320 follow-on
SME (11–250)~38k/yr£3K–£6K£2,950 + £500 audit support
Enterprise (250+)~9k/yr£8K–£32K£8,400 + multi-site discount
Defence supplier (5–250)~3.2k/yr DSP registered£3K–£10K£8,400 Tier-3 + £320/site sub-supplier

6. FRAMEWORK CROSSWALK — 12 BINDING REGIMES

  1. Cyber Essentials Plus v3.2 — the primary certification: 5-control technical audit + on-site / remote verification
  2. NCSC Cyber Security: Small Business Guide — the upstream guidance document CE+ is built against
  3. DSIT Cyber Security Toolkit for Boards — the board-level accountability layer that CE+ satisfies at SME tier
  4. Cyber Security Act 2024 — the enforcement basis for CE+ and the cybersecurity-as-a-service complaint handling service
  5. UK Product Security & Telecommunications Infrastructure (PSTI) Act 2022 — connected-product security; the CE baseline flows through to consumer-IoT products
  6. Network & Information Systems Regulations 2018 (NIS Regs) — Reg 4 OES + Reg 5 DSP obligations are CE+-aligned for an OES-class operator
  7. Data Protection Act 2018 + UK GDPR Article 32 — security of processing obligation is technically satisfied by CE+ baseline + a DPIA
  8. Procurement Act 2023 §19 (Single-supplier procurement) + §62 (framework call-off) — CE+ is the gate for the sole-supplier route
  9. Defense & Security Public Contracts Regulations 2011 — CE+ is a mandatory supplement to DSP registration for HMG defence contracts
  10. MOD Cyber Risk Assessment (CyDRa) baseline — CE+ satisfies baseline tier; CyDRA for higher risk
  11. AUKUS AI/Sovereign Cyber Cooperation (Oct 2023) — CE+ + UK SC clearance is the baseline cyber-assured-pillar for AUKUS-pillar follow-on (subject to the 5-intelligence-sharing-eyes approvals)
  12. EU AI Act Annex IV 73% (for AUKUS-pillar multi-jurisdictional deliverables) — CE+ ISO27001 + Annex IV technical documentation compatibility

7. HONESTY REGISTER

  1. This page is an application pre-fill pack, not a submitted application. The actual submission happens when Nick pastes the section-3 fields into the IASME portal after owner-gate approval.
  2. CSOAI Ltd is NOT yet CE+ certified. A CE+ certificate is a physical / digital document issued by IASME after successful external technical audit. Until the certificate is issued, CE+ is aspirational, not actual.
  3. "CE Plus" pricing above is illustrative. Final pricing depends on which Certification Body is selected (CREST-listing adds ~£500–£1K); on the actual scope size; and on any remediation work needed after pre-audit.
  4. Test rig of 1× Mac + 1× GCP VM is what is proposed; the CE+ auditor may require additional devices. Plan for 2–4 devices in the test rig.
  5. "Defence-segment separation" assumes the MAC-tagged VLAN pattern from defoneos-segmac is deployed; if it is not, the boundary-firewall evidence is more limited (substrate-only).
  6. Tier 3 pricing presumes SC-cleared staff + CyDRA baseline. Without SC, the SC letter-of-compliance is a template, not an actual government document.
  7. Paul's DSP and SC gates are unresolved. CE+ can be completed in parallel; the certificate does not unlock DSP until DSP itself is registered (separate application).
  8. All certificate numbers and audit dates above are illustrative. They will be populated by IASME post-audit.
  9. DEFONEOS sub-supplier CE+ bundling is the strategic commercial pathway — not the basic CE+ pathway. The 5-control itself is the on-ramp.
  10. £320 baseline price is a CE-Basic only. CE Plus starts at ~£2,950 in our service pricing; IASME's own per-level guide for direct application is higher.
  11. We are not an authorised CE Certification Body. CE+ cannot be self-issued even by an accredited auditor — it must come from a CB on the IASME register. This pack only orchestrates the customer-side work; the CE+ itself is issued by the CB.

8. LIVE-VERIFICATION COMMANDS — RUN TO CONFIRM DEFONEOS POSTURE

# 1. Confirm CE+ scope devices are reachable to the auditor
ssh ce-testrig-mac-01.lan.nicholas "system_profiler SPHardwareDataType | head -8"
ssh ce-testrig-vm-01.sov.nicholas "lsb_release -a && nft list ruleset | head -30"

# 2. Confirm 5-control posture on every device in scope
for d in ce-testrig-mac-01 ce-testrig-vm-01; do
  echo "=== $d ===";
  ssh $d "which clamav-daemon aide nft 2>&1; cat /etc/nftables.conf 2>/dev/null | head -20";
done

# 3. Confirm 2FA + least-privilege on every account
gh auth status 2>&1 | head -5
gh api -X GET /orgs/CSOAI-ORG/two-factor_requirement 2>&1 | head -3

# 4. Confirm patch posture
ssh ce-testrig-mac-01 "softwareupdate --history | head -5"
ssh ce-testrig-vm-01 "dpkg -l | grep -i unattended-upgrades"

# 5. Confirm malware posture
ssh ce-testrig-mac-01 "ls -la /Applications/XProtect* 2>&1"
ssh ce-testrig-vm-01 "systemctl status clamav-daemon --no-pager | head -8"

Suggested submission path

  1. Owner signs off §3 company-data block (Nick).
  2. Pre-audit: 1 day consultant reviews 5-control evidence files in workspace/secrets-and-cert/CE-Plus/
  3. IASME CE+ portal — application paid (Tier 1 / Tier 2 as appropriate).
  4. External technical audit (5–15 working days).
  5. Certificate issued — populate the DEFONEOS-CE evidence vault at defoneos-evidence-vault.
  6. Trigger DSP registration next gate (separate application, see defoneos-dsp).