DEFENCE-ELECTRONICS SUPPLY-CHAIN ASSURANCE

12 critical electronics categories · 8 prime supplier entry points · SBOM + BFT audit trail · ITAR / CMMC boundary enforcement · Curl-verifiable

12Critical electronics categories
8Prime supplier entry points
30MCPs in federated supply-chain
38Evidence artefacts per supplier
£28,400T3 Enterprise 30-day pilot

1. WHY DEFENCE-ELECTRONICS NEEDS A DEDICATED ASSURANCE PACK

The UK defence-electronics supply chain is a £14.2B sector (FY2025-26) spanning 12 critical categories from semiconductor fabrication to electronic warfare subsystems. Unlike conventional defence procurement, electronics supply chains face three unique risks: (a) ITAR/CMMC exposure — US-origin defence articles embedded in UK systems trigger mandatory compliance with US International Traffic in Arms Regulations and Cybersecurity Maturity Model Certification; (b) sub-tier opacity — Tier-3/Tier-4 semiconductor and PCB suppliers are often invisible to the MOD prime; (c) software bill-of-materials (SBOM) gaps — firmware and embedded software in defence electronics rarely carry auditable SBOMs.

DEFONEOS provides the defence-electronics sector with a sovereign, BFT-governed supply-chain assurance layer. The mcp-dynamic-sbom MCP generates real-time SBOMs for every firmware artefact; the mcp-cspm MCP audits cloud security posture; and the bft-council-probe MCP provides 33-agent quorum-gated audit decisions for supply-chain risk. This pack maps the 12 critical categories, the 8 prime supplier entry points, and the DEFONEOS assurance architecture.

All entries are BFT-signed (Ed25519 / RFC 8032 / 2026-Q3 rotation) and curl-verifiable. Supplier data sourced from MOD Defence Electronics & Components Agency (DECA) directory (2026-Q1) + publicly available MOD contract registers + ADS Group defence-electronics report.

2. THE 12 CRITICAL DEFENCE-ELECTRONICS CATEGORIES × RISK × DEFONEOS COVERAGE

#CategoryUK market (£B)Risk tierDEFONEOS assurance
E1Radar subsystems (AESA / PESA)£2.1BHIGH — ITAR + single-sourcemcp-dynamic-sbom · bft-council-probe · mcp-cspm — real-time SBOM for radar firmware + BFT-governed supplier risk decisions
E2Electronic warfare (EW) / DIRCM£1.8BHIGH — ITAR + classifiedmcp-dynamic-sbom · bft-council-probe — SBOM for EW firmware at OFFICIAL boundary + BFT audit trail
E3Electronic warfare (EW) / DIRCM£1.8BHIGH — ITAR + classifiedmcp-dynamic-sbom · bft-council-probe — SBOM for EW firmware at OFFICIAL boundary + BFT audit trail
E4Missile guidance & seekers£1.5BCRITICAL — ITAR + CMMCmcp-dynamic-sbom · mcp-cspm · bft-council-probe — missile firmware SBOM + CMMC Level 2 boundary enforcement
E5Navigation & GPS (M-code)£0.8BHIGH — single-source + ITARmcp-dynamic-sbom · bft-council-probe — navigation firmware SBOM + BFT-governed GPS-denied fallback decisions
E6Secure communications (SATCOM / ESS)£1.2BHIGH — ITAR + TEMPESTmcp-dynamic-sbom · mcp-cspm — comms firmware SBOM + TEMPEST boundary assurance
E7Semiconductor / FPGA fabricators£1.9BCRITICAL — global supply chain + export controlsmcp-dynamic-sbom · bft-council-probe — silicon provenance tracking + BFT-governed foundry risk assessment
E8PCB / PCB assembly (PCBA)£0.9BMEDIUM — sub-tier opacitymcp-dynamic-sbom · mqtt-bridge — PCB assembly traceability + IoT-based factory monitoring
E9Power electronics / PSU£0.6BMEDIUM — UK-sourcedmcp-dynamic-sbom — SBOM for power-supply firmware
E10Sensor fusion processors£0.7BHIGH — ITAR + single-sourcemcp-dynamic-sbom · bft-council-probe — sensor-fusion firmware SBOM + BFT audit
E11Displays / HMIs (cockpit / vehicle)£0.5BLOW — multiple UK sourcesmcp-dynamic-sbom — display firmware SBOM
E12Cabling / harnesses / connectors£0.4BLOW — UK-sourcedmcp-dynamic-sbom — harness traceability

3. THE 8 PRIME SUPPLIER ENTRY POINTS × DEFONEOS FIT

#SupplierElectronics categoriesITAR exposureDEFONEOS integration
S1Leonardo UK (Edinburgh / Luton / Southampton)E1 (radar) · E2 (EW) · E10 (sensor fusion)HIGH — US-origin subsystemsmcp-dynamic-sbom · bft-council-probe · mcp-cspm — SBOM for AESA radar firmware + ITAR boundary enforcement
S2Thales UK (Crawley / Templecombe / Reading)E4 (missile guidance) · E6 (SATCOM) · E1 (sonar)HIGH — ITAR + CMMCmcp-dynamic-sbom · mcp-cspm · bft-council-probe — missile firmware SBOM + CMMC Level 2 boundary
S3BAE Systems (Electronic Systems — Rochester / Edinburgh)E5 (GPS/M-code) · E10 (sensor fusion) · E11 (displays)HIGH — M-code GPS is US-originmcp-dynamic-sbom · bft-council-probe — GPS firmware SBOM + BFT-governed GPS-denied fallback
S4MBDA UK (Stevenage / Bristol / Bolton)E4 (missile seekers) · E10 (sensor fusion)CRITICAL — missile ITAR is the tightestmcp-dynamic-sbom · mcp-cspm · bft-council-probe — missile seeker firmware SBOM + ITAR + CMMC enforcement
S5Ultra Electronics (Greenford / Bridgewater)E6 (secure comms) · E3 (EW) · E12 (cables)MEDIUM — some US-origin commsmcp-dynamic-sbom · bft-council-probe — comms firmware SBOM + BFT audit trail
S6Cobham Advanced Electronic Solutions (Christchurch / Dorset)E6 (SATCOM) · E9 (power electronics)MEDIUM — SATCOM US-originmcp-dynamic-sbom · mcp-cspm — SATCOM firmware SBOM + cloud security posture
S7DECA (MoD Abbey Wood / Fleetlands)E8 (PCB/PCBA) · E12 (cabling) · E9 (power)LOW — MOD-ownedmcp-dynamic-sbom — PCBA traceability + harness provenance
S8QinetiQ (Farnborough / Malvern)E7 (FPGA) · E10 (sensor fusion) · E2 (EW)MEDIUM — FPGA export controlsmcp-dynamic-sbom · bft-council-probe — FPGA provenance tracking + BFT-governed foundry risk

4. DEFONEOS SUPPLY-CHAIN ASSURANCE ARCHITECTURE

LayerCapabilityMCPWhat it provides
L1: SBOM GenerationReal-time software bill-of-materials for every firmware artefactmcp-dynamic-sbomSHA-256 + component tree + licence detection + vulnerability correlation
L2: Cloud Security PostureContinuous configuration audit for supplier cloud environmentsmcp-cspmCIS benchmarks + NCSC CAF alignment + ITAR data-boundary enforcement
L3: BFT Governance33-agent quorum-gated audit decisions for supply-chain riskbft-council-probe23/33 standard quorum · 27/33 red-line quorum · 30/33 constitutional quorum
L4: IoT MonitoringFactory-floor sensor ingest for manufacturing assurancemqtt-bridge · rtsp-cameraReal-time manufacturing process monitoring + YOLOv8 defect detection
L5: Evidence VaultTamper-evident, BFT-signed evidence chain for every supply-chain artefactBFT-signed evidence store38 artefacts · SHA-256 · Ed25519 signatures · 24h freshness SLA

5. ITAR / CMMC BOUNDARY ENFORCEMENT

BoundaryRegulationDEFONEOS enforcementMCP coverage
US-origin defence articlesITAR §120.6SBOM flags US-origin components · BFT council blocks unauthorised re-exportmcp-dynamic-sbom · bft-council-probe
CMMC Level 2CMMC 2.0 / DFARS 252.204-7012mcp-cspm enforces 110 NIST SP 800-171 controls for CUImcp-cspm
UK export controlsExport Control Act 2002SBOM flags UKML-controlled items · BFT council validates export licencemcp-dynamic-sbom · bft-council-probe
EU Dual-Use RegulationRegulation (EU) 2021/821SBOM flags dual-use components · BFT council validates catch-all clausemcp-dynamic-sbom · bft-council-probe
NCSC CAF v3.1UK cyber assurancemcp-cspm maps to CAF profiles · BFT council validates B1-B3 objectivesmcp-cspm · bft-council-probe

6. 5-STEP SUPPLY-CHAIN ASSURANCE WORKFLOW

StepActionWhoTimePrerequisite
1Identify electronics category (E1–E12) and supplier (S1–S8)Buyer15 minThis assurance pack §2–§3
2Confirm ITAR/CMMC exposure and data classification boundaryBuyer + CSOAI1 hourSC clearance guide
3Provision supplier-specific DEFONEOS substrate with SBOM publisherCSOAI<24 hoursEscrow deployment
4Run initial SBOM generation on firmware artefactsCSOAI + Supplier1–3 daysFirmware binaries provided
5BFT council ratifies supply-chain risk assessmentBFT Council (33 agents)<1 hour (automated)AG-1: curl -s /evidence/bft-vote HTTP 200

7. RED-LINE: OFFICIAL BOUNDARY ONLY

⚠️ HARD RED-LINE: DEFONEOS handles OFFICIAL and OFFICIAL-SENSITIVE data ONLY. Classified firmware (SECRET/TOP SECRET missile seekers, submarine electronics) requires separate accredited systems. DEFONEOS SBOM generation runs on the OFFICIAL boundary — the SBOM itself contains component metadata (names, versions, licences, CVEs) but NOT classified performance data or operational parameters.

8. SUPPLIER BUYER-TYPE MATRIX

Buyer typeEntry pointProcurement vehicleSecurity requirementPilot tier
Prime contractor (Leonardo / BAE / Thales)S1 / S2 / S3Direct award / DSPSC minimumT3 Enterprise
Missile prime (MBDA)S4Direct award / DSPSC + CMMC Level 2T3 Enterprise
Tier-2 electronics (Ultra / Cobham)S5 / S6G-Cloud 14 / DSPOFFICIAL-SENSITIVE / SCT2 Department
MOD-owned (DECA)S7MOD direct / DSPOFFICIAL-SENSITIVET2 Department
R&D assurance (QinetiQ)S8G-Cloud 14 / DASAOFFICIAL-SENSITIVE / SCT2 Department

9. COMPLIANCE CROSS-WALK — ELECTRONICS-SPECIFIC

FrameworkElectronics-specific provisionDEFONEOS evidence
ITAR §120.6US-origin defence articles in UK electronicsSBOM + BFT boundary enforcement
CMMC 2.0 Level 2110 NIST SP 800-171 controls for CUICSPM + CAF assessment
JSP 936 §6.1Supplier assurance for defence electronicsJSP 936 compliance
NCSC CAF v3.1B1–B3 objectives for electronics supply chainCAF assessment
ISO 27001 §A.8.8Technical vulnerability management for firmwarePen-test cadence
Export Control Act 2002UKML-controlled electronics itemsSBOM + BFT export-validation
EU Dual-Use Reg 2021/821Dual-use electronics componentsSBOM + BFT catch-all validation