Companion to defoneos-mod-30-60-90-customer.html. The QBR is the formal governance artefact between CSOAI and the buyer, held every 90 days from contract signature. It is the contractually-required executive checkpoint (per Schedule 2 of defoneos-mod-contract-award-letter.html). Its primary output is a counter-signed minutes document that becomes the basis for renewal-readiness scoring.
Status updates look backwards. QBRs look forward. The quarterly cadence forces three things that status updates miss:
defoneos-mod-30-60-90-customer.html §8). The first QBR where that score is < 0.60 triggers the churn-prevention playbook.| # | Item | Owner | Duration | Output |
|---|---|---|---|---|
| 1 | Roll-call, previous minutes, SIGIL verification | CSOAI CS lead | 5 min | Confirmed minutes from previous QBR |
| 2 | Operational KPI review (9 KPIs from 30-60-90 plan) | Joint (CS lead + buyer ops lead) | 15 min | KPI dashboard with red/amber/green |
| 3 | Incident review (closed SEV-1/2 from prior quarter) | CSOAI engineering + buyer SC officer | 10 min | Closed-incident ledger with post-mortem links |
| 4 | Security & compliance posture (12-framework crosswalk) | CSOAI compliance + buyer compliance | 10 min | Updated compliance scorecard |
| 5 | Adoption metrics (operator hours, workloads, certifications) | CSOAI CS lead + buyer training lead | 10 min | Adoption scorecard with trend arrows |
| 6 | Roadmap walkthrough (CSOAI next 90 days) | CSOAI product lead | 10 min | Slide deck + committed-feature list |
| 7 | Buyer 90-day change plan (operational / compliance / policy) | Buyer executive sponsor | 10 min | Named changes with dates |
| 8 | Open escalations (active SEV-3 / SEV-4) | CS lead + AE | 10 min | Closure plan for each escalation |
| 9 | Renewal-readiness signal + executive close | Joint (CSOAI CEO + buyer executive sponsor) | 10 min | Renewal-readiness score + executive close statement |
The same 9 KPIs from the 30-60-90 plan are reported every quarter, with a trend arrow and a red/amber/green status.
| KPI family | KPI | Target | Trend (QoQ) | RAG |
|---|---|---|---|---|
| Deploy | Environment uptime (rolling 90d) | ≥ 99.95% | — | — |
| Deploy | Patch lead time (advisory → deployed) | ≤ 14 d | — | — |
| Deploy | SIGIL receipt freshness | ≤ 24h from event | — | — |
| Adopt | Trained-operator coverage | ≥ 80% | — | — |
| Adopt | Production workloads on DEFONEOS | +1 per quarter target | — | — |
| Adopt | Operator median weekly usage | ≥ 60% | — | — |
| Govern | SEV-1 incidents (closed) | 0 | — | — |
| Govern | SEV-2 incidents (resolved within 5 bd) | 100% | — | — |
| Govern | Open escalations at quarter end | 0 | — | — |
Every SEV-1 and SEV-2 closed in the prior quarter is presented at the QBR. For each incident, the ledger entry contains:
See defoneos-compliance-suite.html for the full crosswalk. The QBR reviews the 12-framework scorecard for any framework that changed status in the prior quarter (e.g. new SOC 2 evidence, NCSC refresh, ISO 27001 surveillance audit).
| Framework | Last audit | Next audit | Status |
|---|---|---|---|
| ISO/IEC 27001:2022 | — | — | — |
| SOC 2 Type II | — | — | — |
| NCSC Cyber Essentials Plus | — | — | — |
| NCSC Cloud Security Principle 1..14 | — | — | — |
| EU AI Act Article 50 (transparency) | — | — | — |
| EU AI Act Annex IV (high-risk) | — | — | — |
| GDPR Art. 22 + 35 (DPIA) | — | — | — |
| UK DPA 2018 | — | — | — |
| HIPAA Security Rule | — | — | — |
| FedRAMP Moderate (US public sector) | — | — | — |
| JSP 440 (UK MOD SECRET) | — | — | — |
| NATO INFOSEC | — | — | — |
Adoption is measured monthly and presented quarterly. The trend arrow (↑/→/↓) is computed against the previous quarter. The RAG thresholds: green = on or above target, amber = within 20% of target, red = below 80% of target.
| Metric | Q1 | Q2 | Q3 | Q4 | Target |
|---|---|---|---|---|---|
| Operators trained & certified | — | — | — | — | ≥ 80% |
| Production workloads migrated | — | — | — | — | ≥ 4 by EO Q4 |
| Median operator usage (% week) | — | — | — | — | ≥ 60% |
| Help-desk tickets opened | — | — | — | — | ≤ 5 per operator per quarter |
| Help-desk median time-to-resolve (hr) | — | — | — | — | ≤ 8 hr |
CSOAI commits to a 90-day roadmap in writing at each QBR. The roadmap names each committed feature, advisory release, regulatory update, and CS-process improvement, with the planned ship date and the buyer impact.
The renewal-readiness score (computed per defoneos-mod-30-60-90-customer.html §8) is presented at every QBR. The first QBR where the score drops below 0.60 activates the churn-prevention playbook within 5 business days.
The minutes are the formal artefact of the QBR. They are drafted by CSOAI within 5 business days, reviewed by the buyer within 5 business days, and counter-signed by both executive sponsors. The counter-signed minutes are recorded as a SIGIL receipt.
| Section | Content |
|---|---|
| Header | Date, attendees, prior minutes confirmation, SIGIL chain reference |
| KPI dashboard | 9 KPIs with red/amber/green, trend arrows, narrative on outliers |
| Incident ledger | All SEV-1 / SEV-2 closed in prior quarter |
| Compliance scorecard | 12-framework crosswalk update |
| Adoption scorecard | Operator coverage, workloads, usage, tickets |
| Roadmap commitments | 90-day CSOAI commitments in writing |
| Buyer 90-day change plan | Named buyer changes with dates |
| Open escalations | Each escalation with closure plan and named owner |
| Renewal-readiness score | Computed score + tier classification |
| Action register | All named actions with owner, due date, status |
| Executive close | Joint executive close statement |
| SIGIL receipt | Counter-signature, timestamp, hash |
defoneos-mod-renewal-negotiation.html).defoneos-mod-30-60-90-customer.htmldefoneos-mod-renewal-negotiation.htmldefoneos-mod-customer-success-scorecard.htmldefoneos-mod-escalation-runbook.htmldefoneos-mod-churn-prevention.htmldefoneos-compliance-suite.htmldefoneos-mod-90-day-sovereign-pilot-sow.html