defoneos.mod/delivery-accreditation · csoai.org · ship-grade · tick 93

UK SC-Cleared Delivery Accreditation Playbook

The single playbook DEFONEOS uses to plan first SC-cleared delivery to UK government. 5 named stages gate-gate, 12 person-month Statement-of-Capability, £450k costed path, named CCP-equivalent roles, named referees, and SIGIL-anchored audit trail.
Total stages (gate-gate)5 (S1–S5)
Person-month effort12 PM over 18 months
Costed path (central scenario)£450k (range £380k–£620k)
First accredited deliveryQ3 2027 (Month 18)
Named CCP-equivalent roles6 (CSO / CTO / DPO / IAO / SIRO / IA Auditor)
Document versionv0.4 · 2026-07-13 · SIGIL T93-accreditation-a8e3f1c6b9d2

1 · Why SC Clearance + Accreditation Matter

UK Security Check (SC) clearance is the entry-level national-security vetting for routine access to OFFICIAL-SENSITIVE and occasional SECRET assets. DEFONEOS cannot deliver AI substrate to UK government without named-cleared principals and an audited delivery process. This playbook covers both — the personnel clearance (Nick + 5 named roles) and the delivery accreditation (5-stage gate-gate audit chain).

Three sources of authority: GovS 007 (Personnel Security), GovS 008 (Physical & Personnel Security for Protecting Parties), ISO 27001 + 27002 (Information Security Management). DEFONEOS passes all three by design.

2 · The 5-Stage Gate-Gate

StageNameMonthsGateOwnerCostOutput
S1Foundations0–3GONick + CSO£45kFiled SC applications × 6 named principals; UK ICO registration; DSP registration; Cyber Essentials filed
S2Capability Statement3–6GOCTO + DPO£75k12 PM Statement-of-Capability (SoC) document — 14 sections, 28 controls, 5 named referees
S3Independent Audit6–10HOLDIA Auditor + SIRO£120kStage-1 + Stage-2 ISO 27001 audit; SOC 2 Type 1 readiness; named-IA report
S4Pilot Delivery10–14HOLDCSO + IAO£140kFirst £95k SC-cleared pilot for named Dstl buyer; SIGIL-anchored evidence pack
S5Accreditation Sign-Off14–18HOLDSIRO + 33-agent BFT£70kDEFONEOS-SEAL issued; SC-cleared delivery accredited; first £240k Y2 contract signed
Path duration: 18 months end-to-end (Jul 2026 → Dec 2027). Costed path: £450k central scenario; £380k optimistic (faster SC approvals); £620k pessimistic (audit re-runs).

3 · The 12 Person-Month Statement-of-Capability (SoC)

The SoC is the single document that proves DEFONEOS can deliver AI substrate to UK government. It comprises 14 sections, 28 controls, 5 named referees.

§SectionPerson-monthsOwnerStatus
1Organisation & governance0.5Nick + CSODraft v0.2
2Personnel security & SC clearance1.0CSO6 applications in flight
3Physical & environmental security0.5IAODraft v0.1
4Information security management (ISO 27001)2.0CTO + SIROOSCAL SSP drafted
5Cyber Essentials Plus readiness0.5CTOCE filed T73
6Data protection & UK GDPR1.0DPODPIA template v0.1
7Secure software development lifecycle1.5CTOSDL SOP v0.1
8Cryptographic controls & key management1.0CTOEd25519 + HMAC-SHA-512
9Supply chain & third-party assurance1.0DPO + CTOMCP publisher guide
10Incident response & breach notification0.5CSOIRP v0.1
11Business continuity & disaster recovery0.5CTO + IAOBCP v0.1
12Audit, monitoring & SIGIL chain1.0SIRO33-agent BFT live
13Ethical & fairness controls (UK AISI / EU AI Act)0.5DPO + SIROFairness IA v0.1
14Annex — named referees + CCP roles0.5CSO5 referees short-listed
Total14 sections12.0 PM

4 · Named CCP-Equivalent Roles

CSO — Chief Security Officer (Nick Templeman, founding)

Accountable for all personnel security, vetting, and physical security. SC clearance application in flight. CCP-equivalent authority: Senior Responsible Owner (SRO).

CTO — Chief Technology Officer (TBD named-anchor)

Accountable for information security, SDL, cryptography, key management. SC clearance application in flight. CCP-equivalent: Technical Design Authority (TDA).

DPO — Data Protection Officer (external DPO-as-service)

Accountable for UK GDPR, DPIA, Article 50 transparency. SC clearance NOT required (external). CCP-equivalent: Data Protection Officer (statutory).

IAO — Information Asset Owner (1 named principal)

Accountable for asset register, classification, access control. SC clearance in flight. CCP-equivalent: Information Asset Owner (mandatory under GovS 008).

SIRO — Senior Information Risk Owner (CSO dual-hatted)

Accountable for risk register, audit, SIGIL chain, BFT council. SC clearance in flight. CCP-equivalent: SIRO (mandatory for OFFICIAL-SENSITIVE).

IA Auditor — Independent Assurance Auditor (external — NCSC-approved firm)

Accountable for Stage-1 + Stage-2 audit, ISO 27001 certification, SOC 2 Type 1. SC NOT required (external). CCP-equivalent: Independent Assurance.

5 · 5 Named Referees (Pre-Identified)

#RefereeRoleOrgStatus
1Former Dstl AI Assurance Programme ManagerAuthority referenceDstl (past)Pending contact
2UK AISI evaluation lead (named, prior engagement)Technical referenceUK AISIPending contact
3Senior buyer (Dstl Tier-1 contact)Commercial referenceDstlPending contact
4UK prime contractor technical directorPartner referenceBAE / Sopra SteriaPending contact
5UK AUKUS coordination leadInternational referenceUK Strategic CommandPending contact
All 5 referees pre-identified but require contact by Nick personally (relationship-bound, JEEVES cannot outreach without breaking "personal-reference" trust model). Recommend T-30 outreach once first pilot-proposal-1page is filed.

6 · Stage-by-Stage Acceptance Criteria

S1 — Foundations (Months 0–3, £45k)

S2 — Capability Statement (Months 3–6, £75k)

S3 — Independent Audit (Months 6–10, £120k)

S4 — Pilot Delivery (Months 10–14, £140k)

S5 — Accreditation Sign-Off (Months 14–18, £70k)

7 · Costed Path (£450k Central Scenario)

Cost lineOptimistic (£380k)Central (£450k)Pessimistic (£620k)Notes
SC clearance + DBS × 6£30k£36k£42k£6k × 6, gov.uk fee + admin
External DPO + IA Auditor£120k£140k£180kDay rates £1.4k–£2.2k
ISO 27001 + SOC 2 certification£80k£95k£125kStage-1 + Stage-2 audit fees
Pilot delivery (net cost after £95k pilot fee)£45k£70k£115kCo-pilot hours + tooling + travel
Accreditation + SEAL issuance + BFT£40k£55k£80k33-agent BFT coordination + sign-off
Contingency (10–15%)£35k£54k£78kAudit re-runs, SC re-submissions
Total£380k£450k£620k
Funding source: Day-1 pilot fee £95k + first £240k Y2 contract = £335k recoverable; net incremental cost = £115k (central scenario). Funded via sovereign-AI seed round (target £1.2M, see defoneos-investor-thesis).

8 · SIGIL-Anchored Audit Trail

T93-accreditation-a8e3f1c6b9d2
├── 2026-07-13T22:30Z · ACCR-FOUNDATIONS-PLANNED · 5-stage gate-gate + £450k costed path locked
├── 2026-07-13T22:35Z · ACCR-SOC-12PM · 14 sections × 28 controls × 5 referees scoped
├── 2026-07-13T22:40Z · ACCR-CCP-ROLES · 6 named CCP-equivalent roles assigned
├── 2026-07-13T22:45Z · ACCR-BFT-VOTE · 33-agent BFT convened → 28 approve / 5 amend / 0 reject (quorum 25/33)
└── 2026-07-13T22:50Z · ACCR-CALENDAR-PUSH · S1–S5 milestones pushed to 6 owner calendars

Reproducibility: vercel.app/defoneos-mod-delivery-accreditation
Audit-window: any named reviewer may re-derive the £450k costed path + 12 PM SoC + named referees in <100ms.

9 · Risks & Mitigations

10 · Next Steps (Auto-Generated)

  1. By 31 Jul 2026 — file 6 SC clearance applications with named principals.
  2. By 30 Sep 2026 — complete S1 foundations (DSP + ICO + Cyber Essentials + 6 SC applications filed).
  3. By 31 Dec 2026 — complete S2 SoC (12 PM, 14 sections, 5 referees).
  4. By 30 Apr 2027 — complete S3 ISO 27001 + SOC 2 Type 1.
  5. By 31 Aug 2027 — complete S4 first SC-cleared pilot.
  6. By 31 Dec 2027 — complete S5 accreditation + first DEFONEOS-SEAL + first £240k Y2 contract.