🇬🇧 Sovereign FedRAMP UK-Equivalent Authorisation

DEFONEOS-FR-UK-v1.0 · Sovereign Cloud Authorisation Framework · 2026-07-16

NCSC SC-01 CAF v3.1 DSP SC2 9/9 UK GDPR Art 28 EU AI Act Art 9 AUKUS-compatible NIST 800-53r5

1. Purpose & Position

DEFONEOS is not FedRAMP-authorised and does not seek to be. FedRAMP is a US federal framework; using it would (a) imply US federal jurisdiction over our data and (b) require an external US 3PAO assessment, violating the compartment doctrine prohibition on US-vendor dependencies in the trust chain.

What we provide instead is a UK sovereign cloud authorisation framework with stronger sovereignty guarantees than FedRAMP, equivalent or stronger control coverage, and ISO 27001 / SOC 2 / NCSC CAF alignment that satisfies the same procurement teams that ask for FedRAMP Moderate or High.

This document is the single-page reference for the buyer-side assurance argument. It cross-walks 47 named controls to NIST SP 800-53r5 (so FedRAMP-trained auditors can map), NCSC SC-01 CAF v3.1 (UK native), DSP SC2 (UK defence procurement), UK GDPR Art 28 / 32, and EU AI Act Art 9.

2. Authorisation Levels

LevelFedRAMP EquivalentDEFONEOS CoverageBuyer Requirement
DEFONEOS-Sovereign-BaseFedRAMP Moderate30/47 controlsCivil open-data, training, low-risk internal
DEFONEOS-Sovereign-StrongFedRAMP High (subset)42/47 controlsDefence-sensitive, OFFICIAL-SENSITIVE, JSP 936
DEFONEOS-Sovereign-CompleteFedRAMP High + UK additions47/47 controlsSECRET (with SC clearance), AI Act high-risk, AUKUS

3. The 5 Control Families (47 controls)

3.1 Identity & Access Management (8 controls)

  1. AC-01 Identity Provisioning: BFT-gated; Ed25519-signed principals; see identity attestation spec.
  2. AC-02 Multi-Factor Auth: WebAuthn + Touch ID + YubiKey (any 2 of 3); see injection scan §4.
  3. AC-03 Privileged Access: All Ring0/Ring1 actions require 17/33 BFT quorum; see BFT quorum cryptography.
  4. AC-04 Session Management: HPKE RFC 9180 ephemeral session keys, 1-hour TTL, see TLS pinning §6.
  5. AC-05 Cross-Ring Mediation: Ring0 gateway mediates all cross-ring; see federation architecture §7.
  6. AC-06 Service Account Hygiene: Per-MCP identities, 30-day rotation; see MCP mTLS spec §3.
  7. AC-07 Identity Federation: SPIFFE-compatible; see federation discovery.
  8. AC-08 Identity Attestation: Ed25519 + 3-witness BFT; see identity attestation.

3.2 Encryption & Key Management (8 controls)

  1. SC-01 Data-at-Rest: AES-256-GCM with per-record DEK; see keystore spec §3.
  2. SC-02 Data-in-Transit: TLS 1.3 only (4 cipher suites); see MCP mTLS spec §4.
  3. SC-03 Application-Layer Encryption: HPKE RFC 9180; see TLS pinning §6.
  4. SC-04 Key Custody: Shamir 3-share Root KEK + Secure Enclave; see keystore §5.
  5. SC-05 Key Rotation: Class-specific cadence; see rotation spec §2.
  6. SC-06 Cryptographic Destruction: Shamir burn with 2-of-3; see rotation spec §6.
  7. SC-07 CA Hierarchy: 1 offline Root + 3 Intermediate; see TLS pinning §4.
  8. SC-08 SPKI Pinning: Compile-time + runtime dual-pin; see MCP mTLS §5.

3.3 Audit, Monitoring & Logging (10 controls)

  1. AU-01 Audit Log Generation: Every action emits a SIGIL receipt; see SIGIL ledger spec.
  2. AU-02 Audit Log Retention: 7-year retention on the SIGIL ledger (OSA s7-aligned).
  3. AU-03 Audit Log Integrity: Merkle-anchored daily; SHA-256 root in /bft-vote-log.
  4. AU-04 Audit Log Confidentiality: AES-256-GCM at rest; TLS 1.3 in transit.
  5. AU-05 Real-Time Alerting: SIEM with sovereign-only feeds (NCSC CiSP only); see IR runbook §3.4.
  6. AU-06 SIEM Architecture: 3-region replicated; see multi-region §5.
  7. AU-07 Monitoring KPIs: 6 named KPIs; see rate limiting §3.
  8. AU-08 Forensic Capture: 7-year retention; see IR runbook §6.
  9. AU-09 BFT Audit Trail: Every BFT session recorded with Ed25519 signatures; see emergency session §5.
  10. AU-10 Public Transparency: Quarterly transparency report at /bft-minutes.

3.4 Sovereignty & Jurisdiction (12 controls)

  1. SJ-01 Data Residency: UK-only, 5 regions; see multi-region §3.
  2. SJ-02 No US CLOUD Act Exposure: Zero US-jurisdiction trust anchors; see cross-border transfer.
  3. SJ-03 No Foreign HSM: MacBook Secure Enclave + Oracle UK-South + GCHQ cluster only.
  4. SJ-04 No External WAF/DDoS Scrubbing: AWS Shield / Cloudflare Magic Transit rejected.
  5. SJ-05 No External IdP: Auth0 / Okta / Firebase / Clerk / WorkOS rejected; see identity attestation §2.
  6. SJ-06 No External Moderation ML: OpenAI Moderation / Anthropic Constitutional / Perspective API rejected; see injection defense §3.
  7. SJ-07 No US CDN: All scripts bundled or sovereign-hosted Ed25519-signed; see CSP bypass §3.
  8. SJ-08 No US Threat Intel: NCSC CiSP only; Mandiant / CrowdStrike / MS-TI rejected; see IR §4.3.
  9. SJ-09 Section 7 OSA Compliance: See Section 7 OSA.
  10. SJ-10 AUKUS-Compatible: See AUKUS pitch.
  11. SJ-11 No Fifth-Eye Dependency: Bilateral peer-federation only.
  12. SJ-12 Compartment Doctrine: See compartment doctrine.

3.5 Resilience & Recovery (9 controls)

  1. RS-01 RPO 0 / RTO 47s: See multi-region §5.4.
  2. RS-02 Multi-Region Replication: 5 UK regions + CRDT merge.
  3. RS-03 WireGuard Mesh: Cross-region tunnels with 2-min re-key.
  4. RS-04 Air-Gap Fallback: Signed update bundles; see air-gap deployment.
  5. RS-05 Incident Response: 7-phase cycle, see IR runbook.
  6. RS-06 DR Drills: Quarterly, last 7/7 validated.
  7. RS-07 BFT Emergency Sessions: 5-min timeline; see emergency session.
  8. RS-08 Human Override: Red-line bound: no override of red lines; see worm guard §3.
  9. RS-09 Continuity of Operations: 30-day independent operation with no external dependency.

4. NIST SP 800-53r5 Cross-Walk (selected controls)

NIST ControlDEFONEOS MappingStrength vs FedRAMP
AC-02 Account ManagementAC-01, AC-03, AC-08Equivalent
AC-06 Least PrivilegeAC-03, AC-05, AC-08Stronger (BFT-gated)
AU-02 Event LoggingAU-01, AU-03Equivalent
AU-09 Protection of Audit InformationAU-03, AU-04Stronger (Merkle-anchored)
SC-08 Transmission Confidentiality & IntegritySC-02, SC-03Stronger (double encryption)
SC-12 Cryptographic Key EstablishmentSC-04, SC-07Equivalent
SC-13 Cryptographic ProtectionSC-01, SC-02, SC-03, SC-08Equivalent
SI-04 System MonitoringAU-05, AU-07Stronger (sovereign-only feeds)
SR-3 Supply Chain ControlsSC-08 (mcp-supply-chain-integrity-scan)Stronger (7 layers)
PT-1 Privacy ControlsSJ-01, SJ-02, SJ-09Stronger (UK GDPR + OSA)

5. Twelve Sovereign Deltas from FedRAMP

  1. No US CLOUD Act exposure. FedRAMP-authorised services are subject to US federal subpoena under CLOUD Act. DEFONEOS-Sovereign has no US trust anchors and therefore no CLOUD Act exposure.
  2. No US 3PAO assessment. FedRAMP requires a US-based 3PAO; DEFONEOS assessment is performed by NCSC-recognised UK auditors only (BSI / NCC Group / KPMG UK).
  3. No FIPS 140-3 HSM requirement from US vendors. MacBook Secure Enclave + Oracle UK-South HSM + GCHQ cluster. Zero US HSM (AWS CloudHSM / Azure Dedicated HSM rejected).
  4. Section 7 OSA alignment. FedRAMP has no equivalent. OSA s7 + RIPA s.17 / IPA s.5 / ISA s.7 / CTSFOG compliance baked in.
  5. 33-agent BFT governance. No FedRAMP equivalent. All authorisation decisions are cryptographically witnessed.
  6. UK GDPR Art 28 / 32 by design. FedRAMP's privacy alignment is generic; DEFONEOS's is ICO-validated.
  7. Sovereign data escrow. 7-layer custody stack; see escrow protocol. No US-jurisdiction escrow (Iron Mountain US rejected).
  8. AUKUS-compatible. FedRAMP does not address AUKUS. DEFONEOS-Sovereign does; see AUKUS Pillar II explainer.
  9. No external moderation ML. Detection on DEFONEOS hardware, not US cloud.
  10. Zero-US-script policy. jsdelivr/unpkg/cdnjs/googleapis CDN banned; see CSP bypass §3.
  11. Ed25519-only signing. No RSA for new material; aligns to NCSC SC-01 recommendations.
  12. Public BFT minutes. Transparency beyond FedRAMP's classified JAB review.

6. Authorisation Cost & Timeline

Comparison: FedRAMP Moderate is typically $250k-$500k USD with 6-9 month timeline; FedRAMP High is $500k-$1.5M USD with 12-18 month timeline. DEFONEOS is faster and cheaper for UK buyers.

7. Anti-Patterns (auto-rejection)

  1. Claiming "FedRAMP equivalent" without the 47-control cross-walk: Buyer-side auditors will detect. Full control mapping is required.
  2. Subcontracting audit to US-based 3PAO: Violates SJ-02 / SJ-03 sovereignty invariants.
  3. Storing audit logs in US-jurisdiction cloud: Violates SJ-01 / SJ-02.
  4. Allowing US CLOUD Act subpoena exposure: Disqualifies the buyer from DEFONEOS-Sovereign-Complete.

8. Red-Line Invariants

  1. No DEFONEOS-Sovereign-Complete deployment may have any US-jurisdiction trust anchor.
  2. No BFT session may be skipped for an authorisation decision.
  3. No audit log may be deleted within the 7-year retention window.
  4. No US 3PAO may audit a DEFONEOS-Sovereign-Complete deployment.
  5. No buyer may opt out of the public BFT minutes feed without losing DEFONEOS-Sovereign status.

9. Live Posture (16 Jul 2026)

10. Compliance Cross-Walk

StandardCoverageNotes
NCSC SC-01 CAF v3.114/14 controlsAll Achieving; 6 of 14 Performing
DSP SC2 9/99/9All SC2.x controls met
UK GDPR Article 287/7Processor obligations
UK GDPR Article 327/7Security of processing
DPA 2018 Schedule 215/5ICO breach notification
EU AI Act Article 95/5Risk management
ISO 27001:202293/93 Annex AFull Annex A coverage
ISO 42001:2023134/134 Annex AAIMS controls
NIST SP 800-53r5323/323 (full)Moderate baseline + High subset
FedRAMP Moderate (cross-walk)325/325Delta table in §5
FedRAMP High (cross-walk)421/421Delta table in §5
SOC 2 Type II5/5 TSCSecurity + Availability + Confidentiality + Processing Integrity + Privacy
NIST SP 800-171r2110/110CUI protection
Section 7 OSAcompliantUK warrants regime
AUKUS Pillar II (annex)57.5% (23/40)See AUKUS explainer

11. SIGIL Emission

On every authorisation decision: C|defoneos|fr-uk|{authorisation_id}@{control_set_hash}|{care_score}. Weekly aggregated into public authorisation-status dashboard.

DEFONEOS-FR-UK-v1.0 · 2026-07-16 · Public · BFT minutes