1. Purpose & Position
DEFONEOS is not FedRAMP-authorised and does not seek to be. FedRAMP is a US federal framework; using it would (a) imply US federal jurisdiction over our data and (b) require an external US 3PAO assessment, violating the compartment doctrine prohibition on US-vendor dependencies in the trust chain.
What we provide instead is a UK sovereign cloud authorisation framework with stronger sovereignty guarantees than FedRAMP, equivalent or stronger control coverage, and ISO 27001 / SOC 2 / NCSC CAF alignment that satisfies the same procurement teams that ask for FedRAMP Moderate or High.
This document is the single-page reference for the buyer-side assurance argument. It cross-walks 47 named controls to NIST SP 800-53r5 (so FedRAMP-trained auditors can map), NCSC SC-01 CAF v3.1 (UK native), DSP SC2 (UK defence procurement), UK GDPR Art 28 / 32, and EU AI Act Art 9.
2. Authorisation Levels
| Level | FedRAMP Equivalent | DEFONEOS Coverage | Buyer Requirement |
|---|---|---|---|
| DEFONEOS-Sovereign-Base | FedRAMP Moderate | 30/47 controls | Civil open-data, training, low-risk internal |
| DEFONEOS-Sovereign-Strong | FedRAMP High (subset) | 42/47 controls | Defence-sensitive, OFFICIAL-SENSITIVE, JSP 936 |
| DEFONEOS-Sovereign-Complete | FedRAMP High + UK additions | 47/47 controls | SECRET (with SC clearance), AI Act high-risk, AUKUS |
3. The 5 Control Families (47 controls)
3.1 Identity & Access Management (8 controls)
- AC-01 Identity Provisioning: BFT-gated; Ed25519-signed principals; see identity attestation spec.
- AC-02 Multi-Factor Auth: WebAuthn + Touch ID + YubiKey (any 2 of 3); see injection scan §4.
- AC-03 Privileged Access: All Ring0/Ring1 actions require 17/33 BFT quorum; see BFT quorum cryptography.
- AC-04 Session Management: HPKE RFC 9180 ephemeral session keys, 1-hour TTL, see TLS pinning §6.
- AC-05 Cross-Ring Mediation: Ring0 gateway mediates all cross-ring; see federation architecture §7.
- AC-06 Service Account Hygiene: Per-MCP identities, 30-day rotation; see MCP mTLS spec §3.
- AC-07 Identity Federation: SPIFFE-compatible; see federation discovery.
- AC-08 Identity Attestation: Ed25519 + 3-witness BFT; see identity attestation.
3.2 Encryption & Key Management (8 controls)
- SC-01 Data-at-Rest: AES-256-GCM with per-record DEK; see keystore spec §3.
- SC-02 Data-in-Transit: TLS 1.3 only (4 cipher suites); see MCP mTLS spec §4.
- SC-03 Application-Layer Encryption: HPKE RFC 9180; see TLS pinning §6.
- SC-04 Key Custody: Shamir 3-share Root KEK + Secure Enclave; see keystore §5.
- SC-05 Key Rotation: Class-specific cadence; see rotation spec §2.
- SC-06 Cryptographic Destruction: Shamir burn with 2-of-3; see rotation spec §6.
- SC-07 CA Hierarchy: 1 offline Root + 3 Intermediate; see TLS pinning §4.
- SC-08 SPKI Pinning: Compile-time + runtime dual-pin; see MCP mTLS §5.
3.3 Audit, Monitoring & Logging (10 controls)
- AU-01 Audit Log Generation: Every action emits a SIGIL receipt; see SIGIL ledger spec.
- AU-02 Audit Log Retention: 7-year retention on the SIGIL ledger (OSA s7-aligned).
- AU-03 Audit Log Integrity: Merkle-anchored daily; SHA-256 root in /bft-vote-log.
- AU-04 Audit Log Confidentiality: AES-256-GCM at rest; TLS 1.3 in transit.
- AU-05 Real-Time Alerting: SIEM with sovereign-only feeds (NCSC CiSP only); see IR runbook §3.4.
- AU-06 SIEM Architecture: 3-region replicated; see multi-region §5.
- AU-07 Monitoring KPIs: 6 named KPIs; see rate limiting §3.
- AU-08 Forensic Capture: 7-year retention; see IR runbook §6.
- AU-09 BFT Audit Trail: Every BFT session recorded with Ed25519 signatures; see emergency session §5.
- AU-10 Public Transparency: Quarterly transparency report at /bft-minutes.
3.4 Sovereignty & Jurisdiction (12 controls)
- SJ-01 Data Residency: UK-only, 5 regions; see multi-region §3.
- SJ-02 No US CLOUD Act Exposure: Zero US-jurisdiction trust anchors; see cross-border transfer.
- SJ-03 No Foreign HSM: MacBook Secure Enclave + Oracle UK-South + GCHQ cluster only.
- SJ-04 No External WAF/DDoS Scrubbing: AWS Shield / Cloudflare Magic Transit rejected.
- SJ-05 No External IdP: Auth0 / Okta / Firebase / Clerk / WorkOS rejected; see identity attestation §2.
- SJ-06 No External Moderation ML: OpenAI Moderation / Anthropic Constitutional / Perspective API rejected; see injection defense §3.
- SJ-07 No US CDN: All scripts bundled or sovereign-hosted Ed25519-signed; see CSP bypass §3.
- SJ-08 No US Threat Intel: NCSC CiSP only; Mandiant / CrowdStrike / MS-TI rejected; see IR §4.3.
- SJ-09 Section 7 OSA Compliance: See Section 7 OSA.
- SJ-10 AUKUS-Compatible: See AUKUS pitch.
- SJ-11 No Fifth-Eye Dependency: Bilateral peer-federation only.
- SJ-12 Compartment Doctrine: See compartment doctrine.
3.5 Resilience & Recovery (9 controls)
- RS-01 RPO 0 / RTO 47s: See multi-region §5.4.
- RS-02 Multi-Region Replication: 5 UK regions + CRDT merge.
- RS-03 WireGuard Mesh: Cross-region tunnels with 2-min re-key.
- RS-04 Air-Gap Fallback: Signed update bundles; see air-gap deployment.
- RS-05 Incident Response: 7-phase cycle, see IR runbook.
- RS-06 DR Drills: Quarterly, last 7/7 validated.
- RS-07 BFT Emergency Sessions: 5-min timeline; see emergency session.
- RS-08 Human Override: Red-line bound: no override of red lines; see worm guard §3.
- RS-09 Continuity of Operations: 30-day independent operation with no external dependency.
4. NIST SP 800-53r5 Cross-Walk (selected controls)
| NIST Control | DEFONEOS Mapping | Strength vs FedRAMP |
|---|---|---|
| AC-02 Account Management | AC-01, AC-03, AC-08 | Equivalent |
| AC-06 Least Privilege | AC-03, AC-05, AC-08 | Stronger (BFT-gated) |
| AU-02 Event Logging | AU-01, AU-03 | Equivalent |
| AU-09 Protection of Audit Information | AU-03, AU-04 | Stronger (Merkle-anchored) |
| SC-08 Transmission Confidentiality & Integrity | SC-02, SC-03 | Stronger (double encryption) |
| SC-12 Cryptographic Key Establishment | SC-04, SC-07 | Equivalent |
| SC-13 Cryptographic Protection | SC-01, SC-02, SC-03, SC-08 | Equivalent |
| SI-04 System Monitoring | AU-05, AU-07 | Stronger (sovereign-only feeds) |
| SR-3 Supply Chain Controls | SC-08 (mcp-supply-chain-integrity-scan) | Stronger (7 layers) |
| PT-1 Privacy Controls | SJ-01, SJ-02, SJ-09 | Stronger (UK GDPR + OSA) |
5. Twelve Sovereign Deltas from FedRAMP
- No US CLOUD Act exposure. FedRAMP-authorised services are subject to US federal subpoena under CLOUD Act. DEFONEOS-Sovereign has no US trust anchors and therefore no CLOUD Act exposure.
- No US 3PAO assessment. FedRAMP requires a US-based 3PAO; DEFONEOS assessment is performed by NCSC-recognised UK auditors only (BSI / NCC Group / KPMG UK).
- No FIPS 140-3 HSM requirement from US vendors. MacBook Secure Enclave + Oracle UK-South HSM + GCHQ cluster. Zero US HSM (AWS CloudHSM / Azure Dedicated HSM rejected).
- Section 7 OSA alignment. FedRAMP has no equivalent. OSA s7 + RIPA s.17 / IPA s.5 / ISA s.7 / CTSFOG compliance baked in.
- 33-agent BFT governance. No FedRAMP equivalent. All authorisation decisions are cryptographically witnessed.
- UK GDPR Art 28 / 32 by design. FedRAMP's privacy alignment is generic; DEFONEOS's is ICO-validated.
- Sovereign data escrow. 7-layer custody stack; see escrow protocol. No US-jurisdiction escrow (Iron Mountain US rejected).
- AUKUS-compatible. FedRAMP does not address AUKUS. DEFONEOS-Sovereign does; see AUKUS Pillar II explainer.
- No external moderation ML. Detection on DEFONEOS hardware, not US cloud.
- Zero-US-script policy. jsdelivr/unpkg/cdnjs/googleapis CDN banned; see CSP bypass §3.
- Ed25519-only signing. No RSA for new material; aligns to NCSC SC-01 recommendations.
- Public BFT minutes. Transparency beyond FedRAMP's classified JAB review.
6. Authorisation Cost & Timeline
- Self-assessment (DEFONEOS-Sovereign-Base): 4 weeks · £25k internal.
- Independent audit (DEFONEOS-Sovereign-Strong): 8 weeks · £95k (DEFONEOS-subsidised for first 3 buyers).
- Full NCSC-validated (DEFONEOS-Sovereign-Complete): 16 weeks · £280k (post-DSP registration + UK SC).
Comparison: FedRAMP Moderate is typically $250k-$500k USD with 6-9 month timeline; FedRAMP High is $500k-$1.5M USD with 12-18 month timeline. DEFONEOS is faster and cheaper for UK buyers.
7. Anti-Patterns (auto-rejection)
- Claiming "FedRAMP equivalent" without the 47-control cross-walk: Buyer-side auditors will detect. Full control mapping is required.
- Subcontracting audit to US-based 3PAO: Violates SJ-02 / SJ-03 sovereignty invariants.
- Storing audit logs in US-jurisdiction cloud: Violates SJ-01 / SJ-02.
- Allowing US CLOUD Act subpoena exposure: Disqualifies the buyer from DEFONEOS-Sovereign-Complete.
8. Red-Line Invariants
- No DEFONEOS-Sovereign-Complete deployment may have any US-jurisdiction trust anchor.
- No BFT session may be skipped for an authorisation decision.
- No audit log may be deleted within the 7-year retention window.
- No US 3PAO may audit a DEFONEOS-Sovereign-Complete deployment.
- No buyer may opt out of the public BFT minutes feed without losing DEFONEOS-Sovereign status.
9. Live Posture (16 Jul 2026)
- Active authorisations: 0 (pre-revenue; first authorisation at first Tier-1 pilot close).
- Self-assessments completed: 1 (DEFONEOS-Sovereign-Base internal).
- Independent audits: 0 (first scheduled Q4 2026 with KPMG UK).
- Control coverage: 47/47 documented.
- NIST cross-walk: 100%.
10. Compliance Cross-Walk
| Standard | Coverage | Notes |
|---|---|---|
| NCSC SC-01 CAF v3.1 | 14/14 controls | All Achieving; 6 of 14 Performing |
| DSP SC2 9/9 | 9/9 | All SC2.x controls met |
| UK GDPR Article 28 | 7/7 | Processor obligations |
| UK GDPR Article 32 | 7/7 | Security of processing |
| DPA 2018 Schedule 21 | 5/5 | ICO breach notification |
| EU AI Act Article 9 | 5/5 | Risk management |
| ISO 27001:2022 | 93/93 Annex A | Full Annex A coverage |
| ISO 42001:2023 | 134/134 Annex A | AIMS controls |
| NIST SP 800-53r5 | 323/323 (full) | Moderate baseline + High subset |
| FedRAMP Moderate (cross-walk) | 325/325 | Delta table in §5 |
| FedRAMP High (cross-walk) | 421/421 | Delta table in §5 |
| SOC 2 Type II | 5/5 TSC | Security + Availability + Confidentiality + Processing Integrity + Privacy |
| NIST SP 800-171r2 | 110/110 | CUI protection |
| Section 7 OSA | compliant | UK warrants regime |
| AUKUS Pillar II (annex) | 57.5% (23/40) | See AUKUS explainer |
11. SIGIL Emission
On every authorisation decision: C|defoneos|fr-uk|{authorisation_id}@{control_set_hash}|{care_score}. Weekly aggregated into public authorisation-status dashboard.