What is OSCAL?
OSCAL (Open Security Controls Assessment Language) is a NIST-standardized set of XML, JSON, and YAML formats for representing security control information. DEFONEOS encodes its compliance posture as machine-readable OSCAL artifacts โ enabling automated assessment, continuous monitoring, and real-time compliance gap detection.
OSCAL Document Layers
| Layer | OSCAL Document | DEFONEOS Implementation |
| 1. Catalog | Control definitions (NIST SP 800-53) | defoneos-catalog.json โ 147 controls across 12 frameworks |
| 2. Profile | Tailored control baselines | defoneos-profile.json โ UK MOD + NATO + EU AI Act baseline |
| 3. Component Definition | System component control implementations | 30 MCP component definitions |
| 4. System Security Plan (SSP) | Documented implementation | defoneos-ssp.json โ generated from live system state |
| 5. Assessment Plan | Audit scope and procedures | Automated assessment plan generated quarterly |
| 6. Assessment Results | Findings and evidence | SIGIL chain โ Ed25519-signed assessment evidence |
| 7. Plan of Action & Milestones (POA&M) | Remediation tracking | defoneos-poam.json โ 13 open items, auto-tracked |
AC-3 ยท NIST 800-53 / A.9.4 ยท ISO 27001
Access Enforcement
All DEFONEOS MCP tool calls require Ed25519-signed identity tokens. Role-based access control enforced at the MCP JSON-RPC layer. 47 RBAC permissions across 4 roles.
ENFORCED โ Automated
AU-2 ยท NIST 800-53 / A.12.4 ยท ISO 27001
Audit Events
Every MCP call, BFT vote, model inference, and human action generates a SIGIL receipt. SHA-256 hash-chained, Ed25519-signed, anchored to Bitcoin OP_RETURN every 1K receipts. 351K receipts generated to date.
ENFORCED โ Continuous
SC-13 ยท NIST 800-53
Cryptographic Protection
Ed25519 signatures for all SIGIL entries. AES-256-GCM for data at rest. mTLS for all service-to-service communication. NIST PQC migration roadmap: ML-DSA-65 (signing) + ML-KEM-768 (key exchange) ready for deployment.
ENFORCED โ Automated
SI-4 ยท NIST 800-53 / A.12.1 ยท ISO 27001
System Monitoring
Gods-Eye CISO continuous monitoring: 6 vulnerability scanners, real-time intrusion detection, Morris-II worm detection (Aegis Gate), SIGIL chain integrity verification every 5 minutes.
ENFORCED โ Continuous
EU AI Act Art 9
Risk Management System
STRIDE threat model with 28 mitigations. Quarterly threat review. Annual penetration test. Bi-annual red team exercise. Weekly chaos engineering. Daily CVE scan. All findings tracked in POA&M.
ENFORCED โ Automated
EU AI Act Art 14
Human Oversight
5-level action hierarchy. Level 3+ requires human approval. Level 4+ requires dual approval + BFT vote. Level 5 requires command authority. Kill switch (<100ms). Any 1/33 BFT node can halt any action.
ENFORCED โ Automated
RA-5 ยท NIST 800-53
Vulnerability Scanning
6 automated scanners running (ruff, bandit, safety, pip-audit, trivy, npm-audit). Missing: continuous container image scanning at deploy time.
PARTIAL โ 80% implemented
ISO 27001 A.8.25
Secure Development Lifecycle
CI/CD pipeline with 10 gates, code review, testing pyramid. Missing: formal SAST/DAST integration in CI pipeline.
PARTIAL โ 75% implemented
UK AI Bill ยง4
Safety & Robustness Evaluation
Property-based testing (389 properties), adversarial robustness (5K inputs), chaos engineering (5 experiments). Missing: formal external evaluation (UK AISI submission pending).
PARTIAL โ Awaiting external evaluation
Cyber Essentials ยท CEM
Cyber Essentials Certification
Mandatory for UK MOD contracting. Requires IASME application with company details, network diagram, boundary scope.
NOT STARTED โ ๐ด Human gate: Nick's company info needed
ISO 27001 ยท A.5.1
Information Security Policy (Formal)
Policy framework written but requires formal adoption by company board, management review, and signed acceptance.
NOT STARTED โ ๐ด Human gate: Board adoption
NIST 800-53 ยท CA-2
Independent Security Assessment
Internal assessment complete. Requires external assessor engagement for formal certification.
NOT STARTED โ ๐ด Human gate: External assessor contract
Every DEFONEOS MCP server generates an OSCAL component definition automatically:
{
"component-definition": {
"metadata": {
"title": "DEFONEOS Sentinel-Hub MCP Component Definition",
"published": "2026-07-06T09:30:00Z",
"last-modified": "2026-07-06T09:30:00Z",
"version": "1.0.0",
"oscal-version": "1.1.2"
},
"components": [{
"uuid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"type": "software",
"title": "defoneos-sentinel-hub-mcp",
"description": "ESA Sentinel satellite imagery MCP server",
"control-implementations": [{
"uuid": "b2c3d4e5-f6a7-8901-bcde-f23456789012",
"source": "NIST_SP800-53_rev5",
"implemented-requirements": [
{
"control-id": "AC-3",
"description": "Ed25519-signed identity token required for all tool calls",
"remarks": "Enforced at JSON-RPC layer"
},
{
"control-id": "AU-2",
"description": "Every satellite query generates SIGIL receipt",
"remarks": "SHA-256 hash-chained, Ed25519-signed"
},
{
"control-id": "SC-13",
"description": "mTLS for all upstream API calls, AES-256-GCM cache at rest",
"remarks": "PQC migration ready ML-KEM-768"
}
]
}]
}]
}
}
SIGIL CHAIN โ LIVE SYSTEM STATE
โ
OSCAL ASSESSMENT PLAN GENERATOR
โ (quarterly)
ASSESSMENT RESULTS (findings, evidence)
โ
POA&M UPDATE (13 items auto-tracked)
โ
SSP REGENERATION (from live state)
โ
COMPLIANCE DASHBOARD UPDATE
โ
BFT-33 COUNCIL NOTIFICATION (if regression)
โ
HUMAN ALERT (if P0 control fails)
This pipeline runs continuously. Any control regression triggers an immediate BFT-33 notification and human alert. The SSP is regenerated from live system state every 24 hours, ensuring the compliance posture always reflects the actual running system.