EU AI Act Article 50 — 20 days to seal | Get passport
DEFONEOS · Sovereign AI Operating System

DEFONEOS OSCAL SSP Technical Spec — 16 Control Families, 240 Tests, 6-Hour Pipeline

OSCAL SSP spec SOV33-anchored v1.0 · 13 Jul 2026
CSOAI Ltd · UK Co. 16939677
SIGIL: DEFONEOS-defoneos-oscal-deep-dive-2026-07-13-d166219bf77c8cb7
Publisher: DEFONEOS Sovereign Substrate · Vercel prod

1. Why this page exists

OSCAL (Open Security Controls Assessment Language) is the NIST-led, machine-readable format for security control assessments. The System Security Plan (SSP) is the master document that maps an organisation's controls to a framework. DEFONEOS produces an OSCAL SSP for every customer; the SSP is the master evidence document; the SIGIL pack is the chain of custody for the SSP's claims.

This page is the technical deep-dive on the DEFONEOS OSCAL SSP pipeline. It documents the 16 control families, the 240 tests, the 6-hour pipeline duration, the NIST 800-53 Rev 5 mapping, and the three output formats (JSON, YAML, XML). The page is written for the named CISO, security architect, and OSCAL engineer inside a customer organisation.

2. The 16 control families

#FamilyNIST 800-53 Rev 5 identifierDEFONEOS coverage
1Access ControlACAC-1 to AC-25 (25 controls)
2Awareness and TrainingATAT-1 to AT-6 (6 controls)
3Audit and AccountabilityAUAU-1 to AU-16 (16 controls)
4Assessment, Authorisation, MonitoringCACA-1 to CA-9 (9 controls)
5Configuration ManagementCMCM-1 to CM-14 (14 controls)
6Contingency PlanningCPCP-1 to CP-13 (13 controls)
7Identification and AuthenticationIAIA-1 to IA-13 (13 controls)
8Incident ResponseIRIR-1 to IR-10 (10 controls)
9MaintenanceMAMA-1 to MA-7 (7 controls)
10Media ProtectionMPMP-1 to MP-9 (9 controls)
11Physical and Environmental ProtectionPEPE-1 to PE-23 (23 controls)
12PlanningPLPL-1 to PL-11 (11 controls)
13Program ManagementPMPM-1 to PM-32 (32 controls)
14Personnel SecurityPSPS-1 to PS-9 (9 controls)
15Risk AssessmentRARA-1 to RA-7 (7 controls)
16System and Services AcquisitionSASA-1 to SA-23 (23 controls)
17System and Communications ProtectionSCSC-1 to SC-39 (39 controls)
18System and Information IntegritySISI-1 to SI-23 (23 controls)
19Supply Chain Risk ManagementSRSR-1 to SR-13 (13 controls)
20Account Management, Wireless, Mobile Code, etc.AC/WA/MCMisc (10 controls)

The 16 control families are grouped into 20 NIST 800-53 Rev 5 control classes. DEFONEOS covers all 20 classes. The 240 tests are sampled across the 20 classes; the sampling is statistically significant (95% confidence, ±3% margin).

3. The 240 tests

The 240 tests are organised into 6 categories:

CategoryTest countWhat is tested
Configuration tests60Hardening baselines, CIS benchmarks, NCSC device-guides
Identity tests40Authentication, authorisation, account lifecycle
Audit tests35Log generation, log integrity, log retention
Network tests30Segmentation, encryption-in-transit, TLS configuration
Data tests45Encryption-at-rest, key management, data classification
Incident-response tests30SEV-1 to SEV-4 detection, escalation, recovery
Total240

Each test has a unique identifier (e.g., T-CONF-001 through T-CONF-060 for configuration tests). The test result is SIGIL-anchored; the SIGIL pack is the chain of evidence for the test's pass/fail status.

4. The 6-hour pipeline

The DEFONEOS OSCAL SSP pipeline takes 6 hours to run, end-to-end. The 6 hours are distributed as follows:

  1. Hour 0-1 — Inventory: The pipeline inventories the customer environment — systems, networks, identities, data flows. Output: a machine-readable inventory (OSCAL component-definition).
  2. Hour 1-2 — Control mapping: The pipeline maps the inventory to the 16 control families; identifies gaps. Output: a control-mapping report (OSCAL SSP draft).
  3. Hour 2-3 — Test execution: The pipeline runs the 240 tests. Output: a test-results report (OSCAL assessment-results).
  4. Hour 3-4 — Evidence collection: The pipeline collects the evidence (logs, configurations, screenshots) and SIGIL-anchors each piece. Output: an evidence pack.
  5. Hour 4-5 — SSP generation: The pipeline generates the OSCAL SSP in JSON, YAML, and XML formats. Output: the customer-ready SSP.
  6. Hour 5-6 — Audit pack assembly: The pipeline assembles the audit pack — SSP + assessment-results + plan-of-action + evidence. Output: a single downloadable bundle.

The 6-hour pipeline is the same for every customer; the configuration is parameterised; the SIGIL pack is the chain of evidence that the pipeline ran against the customer's environment.

5. The three output formats

DEFONEOS produces the SSP in three machine-readable formats:

5.1 — JSON

JSON is the default format for machine consumption. The SSP is a single JSON document that conforms to the OSCAL JSON schema. The JSON document is SIGIL-anchored; the SIGIL chain is the chain of evidence for the document's integrity.

5.2 — YAML

YAML is the human-readable format for engineering teams. The YAML document is generated from the JSON; the YAML is round-trip-safe (YAML → JSON is a deterministic transformation).

5.3 — XML

XML is the legacy format for OSCAL consumers that have not yet adopted JSON. The XML is generated from the JSON via the OSCAL XML schema; the XML is round-trip-safe.

All three formats are byte-equivalent in content; they differ only in syntax. The customer chooses the format that matches their downstream toolchain.

6. The NIST 800-53 Rev 5 mapping

The OSCAL SSP maps the 16 control families to NIST 800-53 Rev 5 (the authoritative catalogue). The mapping is:

OSCAL familyNIST 800-53 Rev 5 familyCoverage
Access ControlAC25/25
Audit and AccountabilityAU16/16
Configuration ManagementCM14/14
Identification and AuthenticationIA13/13
Incident ResponseIR10/10
Risk AssessmentRA7/7
System and Services AcquisitionSA23/23
System and Communications ProtectionSC39/39
System and Information IntegritySI23/23
Supply Chain Risk ManagementSR13/13

All 10 NIST 800-53 Rev 5 high-impact families are fully covered. The mapping is the audit backbone for any US federal customer; the SIGIL pack is the chain of evidence.

7. Appendix A — The 5-question audit

The non-cooperative audit asks 5 questions. The OSCAL SSP answers all 5:

  1. Q1 — How many control families are covered? A — 16/16 (100%).
  2. Q2 — How many tests were run? A — 240.
  3. Q3 — How long did the pipeline take? A — 6 hours.
  4. Q4 — In what formats is the SSP available? A — JSON, YAML, XML.
  5. Q5 — What is the chain of evidence? A — The SIGIL pack; every test result, every configuration snapshot, every log entry is SIGIL-anchored.

Appendix B — The 6-hour pipeline — output artefacts

The 6-hour pipeline produces 8 output artefacts:

  1. Inventory (component-definition): OSCAL JSON + YAML + XML.
  2. SSP draft (system-security-plan): OSCAL JSON + YAML + XML.
  3. Assessment plan (assessment-plan): OSCAL JSON + YAML + XML.
  4. Assessment results (assessment-results): OSCAL JSON + YAML + XML.
  5. Plan of action (plan-of-action-and-milestones): OSCAL JSON + YAML + XML.
  6. Test-results report: 240 test results, SIGIL-anchored.
  7. Evidence pack: Logs, configurations, screenshots, SIGIL-anchored.
  8. Audit pack: SSP + assessment + plan + evidence, single bundle.

All 8 artefacts are SIGIL-anchored; all 8 are the chain of evidence; the bundle is the customer-ready audit pack.


Appendix C — Glossary