12 critical electronics categories · 8 prime supplier entry points · SBOM + BFT audit trail · ITAR / CMMC boundary enforcement · Curl-verifiable
The UK defence-electronics supply chain is a £14.2B sector (FY2025-26) spanning 12 critical categories from semiconductor fabrication to electronic warfare subsystems. Unlike conventional defence procurement, electronics supply chains face three unique risks: (a) ITAR/CMMC exposure — US-origin defence articles embedded in UK systems trigger mandatory compliance with US International Traffic in Arms Regulations and Cybersecurity Maturity Model Certification; (b) sub-tier opacity — Tier-3/Tier-4 semiconductor and PCB suppliers are often invisible to the MOD prime; (c) software bill-of-materials (SBOM) gaps — firmware and embedded software in defence electronics rarely carry auditable SBOMs.
DEFONEOS provides the defence-electronics sector with a sovereign, BFT-governed supply-chain assurance layer. The mcp-dynamic-sbom MCP generates real-time SBOMs for every firmware artefact; the mcp-cspm MCP audits cloud security posture; and the bft-council-probe MCP provides 33-agent quorum-gated audit decisions for supply-chain risk. This pack maps the 12 critical categories, the 8 prime supplier entry points, and the DEFONEOS assurance architecture.
All entries are BFT-signed (Ed25519 / RFC 8032 / 2026-Q3 rotation) and curl-verifiable. Supplier data sourced from MOD Defence Electronics & Components Agency (DECA) directory (2026-Q1) + publicly available MOD contract registers + ADS Group defence-electronics report.
| # | Category | UK market (£B) | Risk tier | DEFONEOS assurance |
|---|---|---|---|---|
| E1 | Radar subsystems (AESA / PESA) | £2.1B | HIGH — ITAR + single-source | mcp-dynamic-sbom · bft-council-probe · mcp-cspm — real-time SBOM for radar firmware + BFT-governed supplier risk decisions |
| E2 | Electronic warfare (EW) / DIRCM | £1.8B | HIGH — ITAR + classified | mcp-dynamic-sbom · bft-council-probe — SBOM for EW firmware at OFFICIAL boundary + BFT audit trail |
| E3 | Electronic warfare (EW) / DIRCM | £1.8B | HIGH — ITAR + classified | mcp-dynamic-sbom · bft-council-probe — SBOM for EW firmware at OFFICIAL boundary + BFT audit trail |
| E4 | Missile guidance & seekers | £1.5B | CRITICAL — ITAR + CMMC | mcp-dynamic-sbom · mcp-cspm · bft-council-probe — missile firmware SBOM + CMMC Level 2 boundary enforcement |
| E5 | Navigation & GPS (M-code) | £0.8B | HIGH — single-source + ITAR | mcp-dynamic-sbom · bft-council-probe — navigation firmware SBOM + BFT-governed GPS-denied fallback decisions |
| E6 | Secure communications (SATCOM / ESS) | £1.2B | HIGH — ITAR + TEMPEST | mcp-dynamic-sbom · mcp-cspm — comms firmware SBOM + TEMPEST boundary assurance |
| E7 | Semiconductor / FPGA fabricators | £1.9B | CRITICAL — global supply chain + export controls | mcp-dynamic-sbom · bft-council-probe — silicon provenance tracking + BFT-governed foundry risk assessment |
| E8 | PCB / PCB assembly (PCBA) | £0.9B | MEDIUM — sub-tier opacity | mcp-dynamic-sbom · mqtt-bridge — PCB assembly traceability + IoT-based factory monitoring |
| E9 | Power electronics / PSU | £0.6B | MEDIUM — UK-sourced | mcp-dynamic-sbom — SBOM for power-supply firmware |
| E10 | Sensor fusion processors | £0.7B | HIGH — ITAR + single-source | mcp-dynamic-sbom · bft-council-probe — sensor-fusion firmware SBOM + BFT audit |
| E11 | Displays / HMIs (cockpit / vehicle) | £0.5B | LOW — multiple UK sources | mcp-dynamic-sbom — display firmware SBOM |
| E12 | Cabling / harnesses / connectors | £0.4B | LOW — UK-sourced | mcp-dynamic-sbom — harness traceability |
| # | Supplier | Electronics categories | ITAR exposure | DEFONEOS integration |
|---|---|---|---|---|
| S1 | Leonardo UK (Edinburgh / Luton / Southampton) | E1 (radar) · E2 (EW) · E10 (sensor fusion) | HIGH — US-origin subsystems | mcp-dynamic-sbom · bft-council-probe · mcp-cspm — SBOM for AESA radar firmware + ITAR boundary enforcement |
| S2 | Thales UK (Crawley / Templecombe / Reading) | E4 (missile guidance) · E6 (SATCOM) · E1 (sonar) | HIGH — ITAR + CMMC | mcp-dynamic-sbom · mcp-cspm · bft-council-probe — missile firmware SBOM + CMMC Level 2 boundary |
| S3 | BAE Systems (Electronic Systems — Rochester / Edinburgh) | E5 (GPS/M-code) · E10 (sensor fusion) · E11 (displays) | HIGH — M-code GPS is US-origin | mcp-dynamic-sbom · bft-council-probe — GPS firmware SBOM + BFT-governed GPS-denied fallback |
| S4 | MBDA UK (Stevenage / Bristol / Bolton) | E4 (missile seekers) · E10 (sensor fusion) | CRITICAL — missile ITAR is the tightest | mcp-dynamic-sbom · mcp-cspm · bft-council-probe — missile seeker firmware SBOM + ITAR + CMMC enforcement |
| S5 | Ultra Electronics (Greenford / Bridgewater) | E6 (secure comms) · E3 (EW) · E12 (cables) | MEDIUM — some US-origin comms | mcp-dynamic-sbom · bft-council-probe — comms firmware SBOM + BFT audit trail |
| S6 | Cobham Advanced Electronic Solutions (Christchurch / Dorset) | E6 (SATCOM) · E9 (power electronics) | MEDIUM — SATCOM US-origin | mcp-dynamic-sbom · mcp-cspm — SATCOM firmware SBOM + cloud security posture |
| S7 | DECA (MoD Abbey Wood / Fleetlands) | E8 (PCB/PCBA) · E12 (cabling) · E9 (power) | LOW — MOD-owned | mcp-dynamic-sbom — PCBA traceability + harness provenance |
| S8 | QinetiQ (Farnborough / Malvern) | E7 (FPGA) · E10 (sensor fusion) · E2 (EW) | MEDIUM — FPGA export controls | mcp-dynamic-sbom · bft-council-probe — FPGA provenance tracking + BFT-governed foundry risk |
| Layer | Capability | MCP | What it provides |
|---|---|---|---|
| L1: SBOM Generation | Real-time software bill-of-materials for every firmware artefact | mcp-dynamic-sbom | SHA-256 + component tree + licence detection + vulnerability correlation |
| L2: Cloud Security Posture | Continuous configuration audit for supplier cloud environments | mcp-cspm | CIS benchmarks + NCSC CAF alignment + ITAR data-boundary enforcement |
| L3: BFT Governance | 33-agent quorum-gated audit decisions for supply-chain risk | bft-council-probe | 23/33 standard quorum · 27/33 red-line quorum · 30/33 constitutional quorum |
| L4: IoT Monitoring | Factory-floor sensor ingest for manufacturing assurance | mqtt-bridge · rtsp-camera | Real-time manufacturing process monitoring + YOLOv8 defect detection |
| L5: Evidence Vault | Tamper-evident, BFT-signed evidence chain for every supply-chain artefact | BFT-signed evidence store | 38 artefacts · SHA-256 · Ed25519 signatures · 24h freshness SLA |
| Boundary | Regulation | DEFONEOS enforcement | MCP coverage |
|---|---|---|---|
| US-origin defence articles | ITAR §120.6 | SBOM flags US-origin components · BFT council blocks unauthorised re-export | mcp-dynamic-sbom · bft-council-probe |
| CMMC Level 2 | CMMC 2.0 / DFARS 252.204-7012 | mcp-cspm enforces 110 NIST SP 800-171 controls for CUI | mcp-cspm |
| UK export controls | Export Control Act 2002 | SBOM flags UKML-controlled items · BFT council validates export licence | mcp-dynamic-sbom · bft-council-probe |
| EU Dual-Use Regulation | Regulation (EU) 2021/821 | SBOM flags dual-use components · BFT council validates catch-all clause | mcp-dynamic-sbom · bft-council-probe |
| NCSC CAF v3.1 | UK cyber assurance | mcp-cspm maps to CAF profiles · BFT council validates B1-B3 objectives | mcp-cspm · bft-council-probe |
| Step | Action | Who | Time | Prerequisite |
|---|---|---|---|---|
| 1 | Identify electronics category (E1–E12) and supplier (S1–S8) | Buyer | 15 min | This assurance pack §2–§3 |
| 2 | Confirm ITAR/CMMC exposure and data classification boundary | Buyer + CSOAI | 1 hour | SC clearance guide |
| 3 | Provision supplier-specific DEFONEOS substrate with SBOM publisher | CSOAI | <24 hours | Escrow deployment |
| 4 | Run initial SBOM generation on firmware artefacts | CSOAI + Supplier | 1–3 days | Firmware binaries provided |
| 5 | BFT council ratifies supply-chain risk assessment | BFT Council (33 agents) | <1 hour (automated) | AG-1: curl -s /evidence/bft-vote HTTP 200 |
⚠️ HARD RED-LINE: DEFONEOS handles OFFICIAL and OFFICIAL-SENSITIVE data ONLY. Classified firmware (SECRET/TOP SECRET missile seekers, submarine electronics) requires separate accredited systems. DEFONEOS SBOM generation runs on the OFFICIAL boundary — the SBOM itself contains component metadata (names, versions, licences, CVEs) but NOT classified performance data or operational parameters.
| Buyer type | Entry point | Procurement vehicle | Security requirement | Pilot tier |
|---|---|---|---|---|
| Prime contractor (Leonardo / BAE / Thales) | S1 / S2 / S3 | Direct award / DSP | SC minimum | T3 Enterprise |
| Missile prime (MBDA) | S4 | Direct award / DSP | SC + CMMC Level 2 | T3 Enterprise |
| Tier-2 electronics (Ultra / Cobham) | S5 / S6 | G-Cloud 14 / DSP | OFFICIAL-SENSITIVE / SC | T2 Department |
| MOD-owned (DECA) | S7 | MOD direct / DSP | OFFICIAL-SENSITIVE | T2 Department |
| R&D assurance (QinetiQ) | S8 | G-Cloud 14 / DASA | OFFICIAL-SENSITIVE / SC | T2 Department |
| Framework | Electronics-specific provision | DEFONEOS evidence |
|---|---|---|
| ITAR §120.6 | US-origin defence articles in UK electronics | SBOM + BFT boundary enforcement |
| CMMC 2.0 Level 2 | 110 NIST SP 800-171 controls for CUI | CSPM + CAF assessment |
| JSP 936 §6.1 | Supplier assurance for defence electronics | JSP 936 compliance |
| NCSC CAF v3.1 | B1–B3 objectives for electronics supply chain | CAF assessment |
| ISO 27001 §A.8.8 | Technical vulnerability management for firmware | Pen-test cadence |
| Export Control Act 2002 | UKML-controlled electronics items | SBOM + BFT export-validation |
| EU Dual-Use Reg 2021/821 | Dual-use electronics components | SBOM + BFT catch-all validation |