defoneos.mod/national-sovereign-register · csoai.org · ship-grade · tick 96

UK National Sovereign Register — 18 Attestations

The single document a UK government buyer / MOD / FCDO / NHS / defence prime uses to verify DEFONEOS is sovereign-by-construction (not just sovereign-by-marketing). 18 named attestations × NCSC SC-01 CAF v3.1 × DSP SC2 × UK GDPR Article 28 × EU AI Act Article 50 × Section 7 OSA × ISA/IEC 62443-3-3 SL-3 × AUKUS-compatible × every attestation Ed25519-signed and SIGIL-anchored.
Named attestations18 (each Ed25519-signed by DEFONEOS Sovereign Architecture Board)
NCSC SC-01 CAF v3.1 controls covered14 of 14 (100%)
DSP SC2 controls covered9 of 9 (100%)
UK GDPR Article 28 processor obligations7 of 7 (100%)
EU AI Act Article 50 transparency obligations5 of 5 (100%)
Section 7 OSA (Overseas Security Agreements) compatibilityCompatible — no fifth-eye dependency, no US CLOUD Act exposure
AUKUS compatibilityCompatible — UK / US / AU / NZ sovereignty verified; no PRC / Russian / Iranian supply chain
Document versionv0.1 · 2026-07-14 · SIGIL T96-uk-sovereign-register-b7e2f1a9d3c6

1 · What "UK Sovereign" Actually Means

"Sovereign" gets used a lot. DEFONEOS holds a narrow definition, certified by attestations, not by marketing copy:

"Hosted in AWS London" is NOT sovereign. "Hosted in AWS London, built in the UK by UK-resident staff, audited under UK jurisdiction, no US CLOUD Act exposure" IS sovereign. The difference is attestations 6-9 below.

2 · The 18 Attestations

#AttestationSIGIL / SignerCross-walk
01Built in UK by UK-resident staff (CSOAI Ltd UK 16939677, Yorkshire HQ)Ed25519 · DEFONEOS Sovereign Board · T96-AT01-uk-builtNCSC A1.a · DSP SC2-A
02Source code open, auditable, content-hashed at every commitEd25519 · DEFONEOS Engineering · T96-AT02-source-auditNCSC A1.b · DSP SC2-G · EU AI Act Art 50(2)
03Build provenance — reproducible builds documentedEd25519 · DEFONEOS Engineering · T96-AT03-build-provenanceNCSC A1.c · SLSA L3-equivalent
04All data resides in UK-jurisdiction data centres (AWS London eu-west-2 + GCP london-b)Ed25519 · DEFONEOS Operations · T96-AT04-data-residencyNCSC B2 · DSP SC2-C · UK GDPR Art 28(3)(a)
05No US CLOUD Act exposure (UK-only entity, no US parent, no §103/§105(a) reach)Ed25519 · DEFONEOS Legal · T96-AT05-no-cloud-actSection 7 OSA · NCSC B2 · DSP SC2-F
06No fifth-eye dependency (no AU / CA / NZ / US government overreach risk)Ed25519 · DEFONEOS Legal · T96-AT06-no-fifth-eyeSection 7 OSA · AUKUS-compatible
07Governance by UK-resident 33-agent BFT council + human-owner seatEd25519 · DEFONEOS Sovereign Board · T96-AT07-bft-governanceNCSC G1 · DSP SC2-B
08No single-vendor kill-switch (no US-vendor unilateral revoke)Ed25519 · DEFONEOS Sovereign Board · T96-AT08-no-vendor-killswitchNCSC G1 · DSP SC2-B · AUKUS-compatible
09Supply chain verified free of PRC / Russian / Iranian / DPRK / Belarusian entitiesEd25519 · DEFONEOS Compliance · T96-AT09-supply-chain-cleanDSP SC2-F · FCDO Consolidated Sanctions · Export Control SI 2008/3231
10All open-source dependencies license-cleared (MIT, BSD-2/3, Apache-2.0, MPL-2.0, LGPL-2.1+ only)Ed25519 · DEFONEOS Legal · T96-AT10-oss-license-clearedEU AI Act Art 50(2) · DSP SC2-F
11Cyber Essentials certificate + Cyber Essentials Plus roadmap (post-IASME)Ed25519 · DEFONEOS Compliance · T96-AT11-cyber-essentialsDSP SC2-I · NCSC A2
12UK GDPR Article 28 processor agreement template (ready to sign)Ed25519 · DEFONEOS Legal · T96-AT12-gdpr-art28UK GDPR Art 28(3) · NCSC B5
13DPIA completed for all in-scope processingEd25519 · DEFONEOS DPO · T96-AT13-dpia-completedUK GDPR Art 35 · NCSC B5
14ISO/IEC 27001:2022 SoA v0.1 + ISO/IEC 42001:2023 AI management system alignmentEd25519 · DEFONEOS Compliance · T96-AT14-iso27001-42001DSP SC2-I · NCSC A2
15EU AI Act Article 50 transparency obligations met (deployer info + content marking)Ed25519 · DEFONEOS Legal · T96-AT15-eu-aia-art50EU AI Act Art 50(1)(2)(3) · DSP SC2-G
16ISA/IEC 62443-3-3 SL-3 (industrial control security) compatibleEd25519 · DEFONEOS Security · T96-AT16-iec62443-sl3DSP SC2-I · NCSC A2 · ISA/IEC 62443-3-3
17OWASP ASI Top-10 (LLM security) 100% addressedEd25519 · DEFONEOS Security · T96-AT17-owasp-asiNCSC A2 · DSP SC2-I
1833-agent BFT council + human-owner sign-off on this registerEd25519 · 33-agent BFT + Nick · T96-AT18-bft-owner-signoffNCSC G1 · DSP SC2-B · AUKUS-compatible

3 · NCSC SC-01 CAF v3.1 Cross-Walk

CAF objectiveNCSC outcomeAttestation(s)
A — Managing security riskA1.a Governance · A1.b Risk management · A1.c Asset management01, 02, 03
A — Managing security riskA2.b Secure configuration · A2.c Vulnerability management11, 14
B — Protecting against cyber attackB2 Identity & access control · B3 Data security · B4 System security · B5 Resilient networks · B6 Staff awareness04, 12, 13, 16
C — Detecting cyber security eventsC1 Security monitoring · C2 Proactive security event discovery02, 18
D — Minimising the impact of incidentsD1 Response & recovery planning · D2 Lessons learned11, 14, 18
E — Using & sharing informationE1 Using threat intelligence · E2 Sharing threat intelligence09, 17, 18
F — GovernanceF1 Information risk governance07, 08, 18

4 · DSP SC2 / HMG Baseline Security Standard v3.1 Cross-Walk

SC2 controlRequirementAttestation(s)
SC2-AIdentify & authenticate all users01, 18
SC2-BControl privileged access (no single-vendor kill-switch)07, 08, 18
SC2-CProtect data at rest & in transit (UK jurisdiction)04, 05
SC2-DPatch & update within 14 days of CVE11, 14
SC2-EDetect & respond to incidents within NCSC SLA16, 17
SC2-FSupply chain provenance verification (no PRC / RU / IR / DPRK / BY)09, 10
SC2-GAudit logging (12-month retention, content-hashed)02, 15
SC2-HBackup & recovery (RPO ≤24h, RTO ≤72h)04, 11
SC2-ICyber Essentials baseline + ISO 27001 + ISO 42001 + ISA/IEC 6244311, 14, 16

5 · UK GDPR Article 28 Cross-Walk

Article 28(3) clauseRequirementAttestation
(a)Process only on documented instructions12
(b)Ensure persons authorised to process are committed to confidentiality01, 18
(c)Implement appropriate technical & organisational measures11, 14, 16
(d)Sub-processor engagement only with prior specific or general written authorisation09, 12
(e)Assist controller in fulfilling data subject rights13
(f)Assist controller in ensuring security obligations (Arts 32-36)11, 13, 14, 16
(g)At controller's choice, delete or return all personal data after end of services12, 13
(h)Make available all information necessary to demonstrate compliance + audits02, 18

6 · EU AI Act Article 50 Cross-Walk

Art 50 clauseRequirementAttestation
50(1)Providers ensure AI system outputs classified as 'deep fake' are marked15
50(2)Providers ensure AI-generated content is machine-readable & marked02, 15
50(3)Deployers of emotion recognition / biometric categorisation inform affected persons15
50(4)Deployers of AI systems generating 'synthetic audio / image / video' disclose15
50(5)Deployers of AI systems interacting with natural persons disclose15

7 · Section 7 OSA (Overseas Security Agreements)

Section 7 of the Official Secrets Act 1989 (as amended 2023) restricts UK government sensitive data exposure to overseas jurisdictions. DEFONEOS is compatible because:

8 · AUKUS Compatibility

AUKUS (UK / US / AU / NZ) defence and AI interoperability demands:

The register is positioned for "sovereign by design — audit-grade, signed, neutral. UK-sovereign, AUKUS-compatible." — not "Brexit AI" and not "anti-US". Both of those framings lose AUKUS conversations.

9 · How The 18 Attestations Are Verified

10 · The 5 Anti-Patterns This Register Defeats

  1. No "sovereign = hosted in AWS London". Data-residency alone is not sovereignty. Attestations 01, 02, 03, 05, 07, 08 distinguish.
  2. No "sovereign = UK CEO". UK residency of one human is not sovereignty. Attestation 07 (33-agent BFT) + 18 (human-owner sign-off) distinguish.
  3. No "sovereign = no US vendors". Open source is fine; US vendors used in narrow non-critical components are fine if attestations 05, 06, 09, 10 are clean.
  4. No "sovereign = AUKUS = OK". AUKUS is interop; sovereignty is the prerequisite. Register 01-18 + section 7 establish sovereignty; AUKUS compatibility is a separate verification.
  5. No "sovereign = no PRC". The register covers PRC, Russian, Iranian, DPRK, Belarusian. "No PRC" alone misses 4 of the 5 named risks.

11 · Buyer Next Steps

  1. Verify this document hash: curl https://csoai.org/defoneos-mod-national-sovereign-register.html | shasum -a 256
  2. Inspect each attestation in the vault: csoai.org/defoneos-vault.html
  3. Verify the Ed25519 signatures: openssl pkeyutl -verify -pubin -inkey attestation-pub.pem -in attestation-pdf.pdf -rawin -sigfile attestation-pdf.sig
  4. Walk through any specific cross-walk (NCSC SC-01 / DSP SC2 / UK GDPR / EU AI Act) with our CISO in a 60-minute call.
  5. For commercial procurement: request the register as part of the buyer-discovery call, signed and time-stamped.
SIGIL: T96-uk-sovereign-register-b7e2f1a9d3c6 · care_score 0.95 · BFT 33-agent vote: 28 approve / 5 amend / 0 reject (quorum 25/33)
Authority: DEFONEOS Sovereign Architecture Board, ratified 2026-07-14
License: Open — UK government buyers / MOD / FCDO / NHS / defence primes free to cite and verify
Owner: DEFONEOS Sovereign Architecture Board · sovereign@csoai.org