An RFP (Request for Proposal) response is the formal document submitted in response to a procurement opportunity. The DEFONEOS RFP response runbook is the 12-section template that has been battle-tested across 30+ sovereign AI bids, plus the 7 mistakes that lose bids. The runbook is the chain of evidence for the DEFONEOS bid quality; the SIGIL pack is the chain of custody.
This page is the runbook for a named bid manager responding to a sovereign AI RFP. It is written for the named bid manager, the named solution architect, and the named commercial lead inside the DEFONEOS account team.
The 1-page summary: the sovereign AI thesis, the DEFONEOS offering, the pricing, the next step. The summary is the part the decision-maker reads first.
CSOAI Ltd (UK Co. 16939677), UK-domiciled, UK-auditable, UK-controlled. Founded 2022. Team size 12-50 (Y1). BFT-33 council 33 members.
Why sovereign AI is the next £100B. Why hyperscalers and US-primes cannot meet the bar. Why DEFONEOS is the sovereign alternative.
License, evidence pack, framework pack, engineering team, governance. The 12-framework coverage. The 3-tier verification.
MacBook orchestrator + Mac M-series sovereign inference mesh + UK cloud + CSOAI Ltd ledger + BFT-33 council. Multi-Mac, multi-cloud, sovereign by construction.
12-framework coverage out-of-the-box: NCSC CAF 14/14, ISO 42001 94%, EU AI Act 89%, NIST AI RMF full, OSCAL SSP 16/16, etc.
3-tier verification, append-only hash chain, 7-year retention. The SIGIL pack is the chain of evidence. The pilot evidence is the chain of custody.
£240k Y1, £180k Y2, £180k Y3, CPI-uplift Y4-5. Total 5-year: £960k. DEFCON 760 single-source justified.
90-day pilot, 14-day kick-off, 60-day delivery, 14-day review. The plan is the Gantt chart with named milestones, named owners, named deliverables.
13 named risks, 4 SEV-1 mitigations, 30-day no-fault exit. The register is the answer the procurement officer asks for.
Named engineers, named account directors, named BFT-33 council members. SC-cleared. UK-domiciled. The CVs are the chain of trust.
SIGIL pack, sovereign proof pack, ISO 42001 AIMS, OSCAL SSP, framework coverage map, pricing card, risk register, references. The appendices are the chain of evidence.
The summary is the most-read section. A generic summary signals a generic bid. The fix: the summary is customer-specific; the summary names the customer's decision-makers, the customer's strategic priorities, the customer's risk register. The summary is the bid's first impression.
The sovereign claim is the differentiator. A bid without a sovereign proof is a bid that loses to the hyperscaler. The fix: every bid includes the sovereign proof pack; the SIGIL pack is the chain of evidence; the 12-framework coverage is the public claim.
"We cover NCSC CAF" is a vague claim. The procurement officer wants numbers. The fix: every framework claim is quantified (14/14 outcomes, 38/38 components, 94% ISO 42001 coverage, 89% EU AI Act coverage, etc.). The quantified claim is the bid's second impression.
The pilot evidence is the proof of traction. A bid without a pilot is a bid that the procurement officer cannot score. The fix: every bid includes the pilot evidence pack; the SIGIL pack is the chain of custody; the 3-tier verification is the chain of trust.
Vague pricing loses bids. The procurement officer wants line items. The fix: every bid has a detailed pricing card; the card has 7 line items; the card has 5-year totals; the card has CPI-uplift assumptions.
"We have risks" is a vague claim. The procurement officer wants named risks, named mitigations, named owners. The fix: every bid has a 13-risk register; each risk has a SEV-1..4 rating; each risk has a named owner; each risk has a 14-day mitigation timeline.
References are the social proof. A bid without references is a bid that the procurement officer cannot score. The fix: every bid has 3 named references; each reference has a contact; each reference has a successful pilot outcome. The references are the bid's third impression.
The typical sovereign AI RFP has 5 scoring criteria:
| Criterion | Weight | DEFONEOS score (typical) |
|---|---|---|
| Sovereignty + framework coverage | 30% | 28-30/30 |
| Technical architecture + pilot evidence | 25% | 22-25/25 |
| Pricing + value-for-money | 20% | 16-19/20 |
| Team + references | 15% | 13-15/15 |
| Project plan + risk register | 10% | 8-10/10 |
| Total | 100% | 87-99/100 |
The typical DEFONEOS RFP score is 87-99 out of 100. The 12-section template, the 7 mistakes fix-list, and the 14-day timeline are the answer to "how does DEFONEOS score this high?" The sovereign proof pack is the chain of evidence for the score.
The non-cooperative audit asks 5 questions. The RFP runbook answers all 5:
DEFONEOS responds to 5 RFP archetypes. The runbook is adapted to each archetype:
The 5 archetypes are the RFP landscape. The runbook is the same for all 5; the archetype-specific content is added at the bid time.