EU AI Act Article 50 — 20 days to seal | Get passport
Co-pilot commercial pack · DEFCON 760 family · Owner-executable

DEFCON 760 Cross-Walk

The short-form mapping from a 90-day DEFONEOS pilot to a DEFCON 760 work-package structure. Use this page when a buyer, prime, or procurement officer asks how DEFONEOS language translates into the actual MOD DEFCON 760 contract family.

3work packages
90dpilot horizon
4DEFCON 760 stages
5acceptance criteria
Use now: open this page when a procurement-led buyer asks where DEFONEOS fits in DEFCON 760. Walk through the four stages, show the cross-walk table, and route to the SoW for the formal submission.

Purpose of this cross-walk

DEFCON 760 is the actual MOD contract family used for many digital and AI-related procurements. Buyers, primes, and procurement officers routinely ask how a small supplier pilot maps onto the DEFCON 760 work-package structure. This page answers that question honestly without overclaiming.

DEFCON 760 stage overview

The four-stage structure below is the standard MOD contract progression. DEFONEOS pilots fit naturally into stages 1-3. Stage 4 requires the owner gates.

StageMOD intentDEFONEOS pilot fitOwner gate
Stage 1 - Discovery and feasibilityValidate problem, scope, route, and feasibility before committing budget.Direct fit. The DEFONEOS 90-day pilot can be framed as a Stage 1 discovery with bounded evidence output.DSP registration (in progress).
Stage 2 - Design and prototypeProduce a working prototype, control map, and procurement route.Direct fit. The pilot work packages 1-3 align with prototype, assurance, and route.Cyber Essentials Plus (in progress).
Stage 3 - Demonstration and validationDemonstrate the prototype in an operational or simulated environment with evidence.Direct fit. The pilot evidence-room bundle and demo fall back into Stage 3 acceptance criteria.SC clearance (in progress for the named owner).
Stage 4 - Scaling and sustainmentMove the prototype into operational use with full MOD assurance, support, and supplier security.Requires all owner gates completed and a prime partnership or framework listing.All three gates plus framework route or prime sponsorship.

Work-package cross-walk

The table below maps each DEFONEOS pilot work package to the most likely DEFCON 760 clause family. Use this when writing the SoW or responding to a procurement clarification request.

DEFONEOS WPDEFONEOS deliverableDEFCON 760 mappingNotes
WP1 - Evidence and controlsSigned evidence-room bundle, red-line register, control map.760.04 Design services, assurance case work.Maps to Stage 2 design output. Honest framing: design mapping, not certification.
WP2 - Public-source integration demoWorking common operating picture with audit log, human oversight record, and signed artefacts.760.05 Build and prototype, integration and demonstration.Maps to Stage 3 demonstration. Data boundary must be public-source or synthetic.
WP3 - Assurance and procurement routeGo or no-go report, residual-risk register, framework route, or prime referral letter.760.06 Closeout and route recommendation.Maps to Stage 3 closeout. Always include a named next procurement vehicle.

Acceptance criteria mapped to DEFCON 760

Each acceptance criterion is phrased in DEFCON 760 language so the buyer commercial team can read it without translation.

Acceptance criterionDEFCON 760 evidenceOwner verification
All pilot pages and evidence artefacts return HTTP 200 from canonical URLs.760.05 build evidence, operational availability.Curl-based byte verification before each milestone.
Buyer receives an OSCAL-ready control map for the scoped use case.760.04 design services, assurance case artefacts.Control map attached to evidence-room bundle.
Human oversight log exists for every AI-assisted recommendation.760.05 build evidence, human factors integration.Named human owner signs off each pilot output.
No red-line pattern appears in demo, data, or documentation.760.06 closeout, compliance attestation.Red-line register signed and attached to evidence-room bundle.
Commercial next step is explicit: stop, extend, framework route, prime route, or grant route.760.06 closeout, commercial next-step recommendation.Go or no-go report states next step.

Owner-gate language for DEFCON 760 progression

The language below is safe starter language for DEFCON 760 progression conversations. It is not legal advice and should be reviewed before signature.

DEFONEOS 90-day pilot - DEFCON 760 owner-gate statement

Stage 1 progression: requires Defence Sourcing Portal registration. Nick must complete the registration using the personal details supplied. Registration is owner-gated until that step is finished.

Stage 2 progression: requires Cyber Essentials Plus certification. The certification is owner-gated until Nick completes the IASME application. Without Cyber Essentials Plus, Stage 2 work packages cannot be invoiced.

Stage 3 progression: requires UK SC clearance for the named owner. Clearance is owner-gated until the application is approved. Until then, Stage 3 deliverables are reviewed through documented controls and named owner supervision.

Stage 4 progression: requires all three owner gates plus a framework listing (G-Cloud, DOS, or AI Growth Zone) or a named prime partnership. Stage 4 is not within the scope of the current 90-day pilot.

Honesty: DEFONEOS is an open sovereign OS surface, not a DEFCON 760 prime contractor. The pilot is designed to fit Stages 1-3. Stage 4 requires a separate procurement vehicle and owner-gated compliance.

DEFCON 760 supplier security expectations

The list below mirrors the supplier-security expectations DEFCON 760 buyers routinely apply. DEFONEOS is honest about which items are met, in progress, or owner-gated.

When DEFCON 760 is the wrong frame

DEFCON 760 is the right frame for many MOD digital and AI procurements. It is the wrong frame for some other routes. Use the list below to redirect a buyer when DEFCON 760 is not the natural fit.

12-framework crosswalk

Every page in this tick is written as an owner-executable artefact and an audit trail. These mappings are design mappings, not third-party certifications.

FrameworkHow this page mapsHonesty status
EU AI ActTransparency, human oversight, logging, post-market monitoring, and high-risk discipline when a workflow crosses into regulated public-service use.Designed control language. Verify per-buyer before external submission.
GDPR and UK GDPRData minimisation, lawful basis notes, retention windows, subject-access response path, and no personal-surveillance pattern.Designed control language. Verify per-buyer before external submission.
JSP 936Assurance case language, operator accountability, safety case evidence, and escalation logging suitable for UK defence AI review.Designed control language. Verify per-buyer before external submission.
JSP 440Protective marking, supplier-security posture, evidence handling, and separation of public facts from owner-gated sensitive data.Designed control language. Verify per-buyer before external submission.
NIST AI RMFMap, Measure, Manage, and Govern rows for every buyer artefact, with clear residual-risk ownership.Designed control language. Verify per-buyer before external submission.
ISO 42001AI management-system controls, role ownership, change control, review cadence, and documented competence.Designed control language. Verify per-buyer before external submission.
NIST PQCCryptographic-agility language, no false PQC certification claim, and upgrade path for signed evidence bundles.Designed control language. Verify per-buyer before external submission.
NATO STANAGInteroperability language only, no NATO endorsement claim, and neutral alliance-compatible evidence formatting.Designed control language. Verify per-buyer before external submission.
AUKUS Pillar IIAUKUS-compatible technology framing only, no partnership claim unless a signed letter exists.Designed control language. Verify per-buyer before external submission.
OSCALMachine-readable control catalogue and component-definition path for the evidence room.Designed control language. Verify per-buyer before external submission.
Five Eyes export disciplinePublic-source and EAR/ITAR awareness note, no controlled technical data in this page.Designed control language. Verify per-buyer before external submission.
C2PA 2.0Content provenance, artefact signing, and media lineage notation for decks, screenshots, and demo recordings.Designed control language. Verify per-buyer before external submission.

Honesty register

The register below is deliberately explicit so this page stays usable in a UK-sovereign procurement conversation without overclaiming.