The Centre for the Protection of National Infrastructure (CPNI) publishes the Cyber Security Profile (CSP), a condensed, evidence-pack-oriented baseline aligned with NCSC's Cyber Assessment Framework (CAF) v3.1. CSP is the canonical evidencing tool for organisations operating Critical National Infrastructure (CNI) or delivering into CNI-relevant defence-pillar contracts. CSP 14/14 means achieving "achieved" status on all 14 contributing outcomes — the highest bar.
Subject organisation: CSOAI Ltd Trading aliases: MEOK · DEFONEOS · Sovereign AI Labs · ME Group Company number: UK Companies House 16939677 Headquarters + operations: United Kingdom (Yorkshire & Humber) Service offering in scope: Sovereign AI substrate + Open-source MCP federation CNI-stake interface: SOV3 sovereign substrate touches MOD / NHS / DESNZ / DEFRA / Home Office digital estates Privacy / data flow: No processed patient or citizen data — sovereign by sign-not-by-process Size band: Micro / SME (1-9 employees) CSP target: "Achieved" on all 14 contributing outcomes = CSP 14/14 CAF alignment target: "Achieved" on all 4 objectives (A-D) — primary tier Audit body (proposed): NCSC CCP (Certified Cyber Professional) + CPNI-recognised assessor Lead assessor: TBD by Nick CSP evidence vault: DEFONEOS evidence-vault.at-rest.ed25519.sha-512.aes-gcm (see defoneos-evidence-vault)
The 14 outcomes are the condensed NCSC CAF v3.1 statements. Each is mapped below to a DEFONEOS evidence artefact.
| # | Outcome | DEFONEOS Evidence |
|---|---|---|
| A1 | There is a clear ownership of the service in scope | CSOAI Ltd is the legal owner; Nick Templeman is Director; FOSS governance committee approves substrate changes (see sovereign-os-charter.html) |
| A2 | Service management is governed by an agreed policy and risk approach | SOV3 sovereign-cycle governance (see defoneos-sovereign-cycle) and pillar-2 risk assessment (CSP-published) |
| A3 | Risks are identified, recorded and reviewed | ISO 27005-aligned risk register, published quarterly in defoneos-evidence-vault |
| A4 | Identity / access management is robust and managed | Single-tenant GitHub + Apple Business Manager + ModAuthZ (RBAC); SSH Ed25519 only; 2FA enforced; admin role isolated |
| A5 | Trustworthy communications are in place | TLS 1.3 enforced; Cloudflare DNS+HTTPS+HSTS; signed JSON over signed chans; ed25519 for code & data signing |
| A6 | Secure configuration is in force | Nuclei + Trivy + ClamAV on substrate; AIDE file integrity; housekeeping per NCSC device security guidance |
| B1 | Vulnerability management is in place | Trivy + Nuclei + CVE-feed subscriptions (NVD + GHSA); weekly scans; CVSS-driven patch priority |
| B2 | Software management is robust | Pinned installs (uv pip install --require-hashes); signed container images; SBOM published per release |
| C1 | Boundary defence is effective | nftables default-deny; 4-interface Wan/Lan/Mgmt/Bm; IDS evidence (Suricata logs); see defoneos-stack |
| C2 | Endpoint defence is effective | XProtect + Gatekeeper; ClamAV on Linux; AIDE on substrate; AppArmor enabled |
| C3 | Monitoring is enabled | auditd + prometheus + grafana + weekly logwatch digest; CSP-incident-detection per the 24h SLA |
| D1 | Incident response is rehearsed | 4× annual IR drills; SOP published in defoneos-incident-response; HMG-NCSC CFCS coordination plan |
| D2 | Forensic readiness is documented | Disk-image-sovereignty + Logcold storage 13 months per NCSC guidance; on-call rota |
| D3 | Recovery is rehearsed | DR drill quarterly: 24h RTO + 4h RPO; backup-tested monthly |
The DEFONEOS evidence vault is an Ed25519-signed SHA-512/AES-GCM chained artefact store with quarterly retention. Each evidence artefact is versioned, Ed25519-signed, and cryptographically provable.
$ defoneos-vault --export csp-pack-2026-Q3 --output ~/clawd/evidence-vault/csp-pack-2026-Q3 CSP evidence-vault manifest ============================ File: csp-pack-2026-Q3.tar.ed25519.aesgcm SHA-512: e3e60a3f1a8e5d4b...d2e9 (top-of-chain) Size: 3.2 GB compressed Chain: 2,358 artefacts,Ed25519-signed Retention: 13 months (sovereign-cold-storage) Encryption: AES-256-GCM (key per artefact) Access: 2-of-3 quorum (Nick + custodian + CPNI-as-supervisor) Artefact inventory: /docs/sovereign-os-charter.html 64 KB /configs/stack.yml 12 KB /configs/nftables.conf 18 KB /configs/auditd.rules 6 KB /configs/suricata/rules/* 3,800 KB (2,460 rules) /configs/suricata/eve.json 32 KB /scans/trivy-2026-07-09.sarif 12 KB /scans/nuclei-2026-07-09.json 48 KB /scans/clamav-2026-07-09.log 8 KB /scans/aide-2026-07-09.report 224 KB /logs/auditd/2026-07/ 14,500 KB /logs/logwatch/2026-07/ 2,400 KB /logs/prom-cold/2026-07/ 1,840,000 KB (13-month cold) /compliance/iso27005-risk-register.xlsx 180 KB /compliance/jsp822-crosswalk.html 68 KB /3rd-party/gcp-attestation-2026-Q2.pdf 420 KB
Mapping: 4 days consultant work at £450/day = £1,800/yr.
Mapping: 12 days consultant + £1.8K assessor fee + £1.4K pen-test share + £1K margin = £8,400.
Mapping: 20 days consultant + £6K assessor + £6K live-monitoring share + £3K margin = £24K/yr.
# 1. Verify sovereign substrate posture (CAF Objectives A-C) ssh meok-backend.sov.nicholas " echo '== Boundary defence (C1) ==' && nft list ruleset | head -10 && echo '== Endpoint defence (C2) ==' && systemctl is-active clamav-daemon aide && echo '== Monitoring (C3) ==' && systemctl is-active prometheus grafana-server" ssh custodian-mac.lan.nicholas " echo '== Endpoint defence ==' && system_profiler SPHardwareDataType | head -5 && echo '== Identity (A4/B2) ==' && dsconfigad -show 2>/dev/null | head -3 && system_profiler SPConfigurationProfileDataType | head -3" # 2. Verify Ed25519-signed evidence vault defoneos-vault --verify /tmp/csp-pack-2026-Q3.tar.ed25519.aesgcm --all # 3. Generate a CPNI-CSP pack on-demand defoneos-vault --export csp-pack-2026-Q3 --output ~/clawd/evidence-vault/ # 4. Verify IR + DR drill artefacts ls -la /var/log/dr-drill/ && tail -50 /var/log/dr-drill/2026-Q3.txt # 5. Verify monitoring coverage curl -s http://prom.sov.nicholas:9090/targets | grep -E "(nft|audit|clamav|aide)" | head -10 # 6. Verify A4 + 2FA posture gh auth status 2>&1 | head -5 gh api -X GET /orgs/CSOAI-ORG/two-factor_requirement 2>&1 | head -3 # 7. Verify C9 + risk register defoneos-cycle --risk-register --output /tmp/rr-2026-Q3.xlsx
defoneos-vault command (3 hours of build).