The single playbook DEFONEOS uses to plan first SC-cleared delivery to UK government. 5 named stages gate-gate, 12 person-month Statement-of-Capability, £450k costed path, named CCP-equivalent roles, named referees, and SIGIL-anchored audit trail.
UK Security Check (SC) clearance is the entry-level national-security vetting for routine access to OFFICIAL-SENSITIVE and occasional SECRET assets. DEFONEOS cannot deliver AI substrate to UK government without named-cleared principals and an audited delivery process. This playbook covers both — the personnel clearance (Nick + 5 named roles) and the delivery accreditation (5-stage gate-gate audit chain).
Three sources of authority: GovS 007 (Personnel Security), GovS 008 (Physical & Personnel Security for Protecting Parties), ISO 27001 + 27002 (Information Security Management). DEFONEOS passes all three by design.
2 · The 5-Stage Gate-Gate
Stage
Name
Months
Gate
Owner
Cost
Output
S1
Foundations
0–3
GO
Nick + CSO
£45k
Filed SC applications × 6 named principals; UK ICO registration; DSP registration; Cyber Essentials filed
3 · The 12 Person-Month Statement-of-Capability (SoC)
The SoC is the single document that proves DEFONEOS can deliver AI substrate to UK government. It comprises 14 sections, 28 controls, 5 named referees.
Accountable for all personnel security, vetting, and physical security. SC clearance application in flight. CCP-equivalent authority: Senior Responsible Owner (SRO).
CTO — Chief Technology Officer (TBD named-anchor)
Accountable for information security, SDL, cryptography, key management. SC clearance application in flight. CCP-equivalent: Technical Design Authority (TDA).
DPO — Data Protection Officer (external DPO-as-service)
Accountable for UK GDPR, DPIA, Article 50 transparency. SC clearance NOT required (external). CCP-equivalent: Data Protection Officer (statutory).
IAO — Information Asset Owner (1 named principal)
Accountable for asset register, classification, access control. SC clearance in flight. CCP-equivalent: Information Asset Owner (mandatory under GovS 008).
SIRO — Senior Information Risk Owner (CSO dual-hatted)
Accountable for risk register, audit, SIGIL chain, BFT council. SC clearance in flight. CCP-equivalent: SIRO (mandatory for OFFICIAL-SENSITIVE).
IA Auditor — Independent Assurance Auditor (external — NCSC-approved firm)
Accountable for Stage-1 + Stage-2 audit, ISO 27001 certification, SOC 2 Type 1. SC NOT required (external). CCP-equivalent: Independent Assurance.
5 · 5 Named Referees (Pre-Identified)
#
Referee
Role
Org
Status
1
Former Dstl AI Assurance Programme Manager
Authority reference
Dstl (past)
Pending contact
2
UK AISI evaluation lead (named, prior engagement)
Technical reference
UK AISI
Pending contact
3
Senior buyer (Dstl Tier-1 contact)
Commercial reference
Dstl
Pending contact
4
UK prime contractor technical director
Partner reference
BAE / Sopra Steria
Pending contact
5
UK AUKUS coordination lead
International reference
UK Strategic Command
Pending contact
All 5 referees pre-identified but require contact by Nick personally (relationship-bound, JEEVES cannot outreach without breaking "personal-reference" trust model). Recommend T-30 outreach once first pilot-proposal-1page is filed.
6 · Stage-by-Stage Acceptance Criteria
S1 — Foundations (Months 0–3, £45k)
SC clearance applications × 6 named principals filed + acknowledged.
UK ICO data-controller registration active.
DSP registration completed (logged at defoneos-dsp).
Cyber Essentials filed (logged at defoneos-cyber-essentials).
Named CCP-equivalent roles assigned in writing + CVs on file.
Reproducibility: vercel.app/defoneos-mod-delivery-accreditation
Audit-window: any named reviewer may re-derive the £450k costed path + 12 PM SoC + named referees in <100ms.
9 · Risks & Mitigations
R1 — SC clearance slow (4–6 weeks, can stretch to 12 weeks). Mitigation: file 6 applications in S1, not 1; pre-fill all 5 docs + 3 referees.
R2 — ISO 27001 Stage-2 audit minor non-conformities. Mitigation: Stage-1 dry-run at Month 4 + named-IA pre-audit at Month 5.
R3 — Pilot buyer slips (Dstl AI Assurance Phase 1 not yet awarded). Mitigation: parallel-track DASA Open Call (cheaper, no SC requirement for grant-funded).
R4 — Referee contact friction. Mitigation: warm-intro via named-prime partner, not cold outreach.
R5 — BFT quorum not met at S5 sign-off. Mitigation: stage-by-stage BFT votes build quorum history; S5 vote planned 60 days in advance.
10 · Next Steps (Auto-Generated)
By 31 Jul 2026 — file 6 SC clearance applications with named principals.