Owner-gated pack for Crown Commercial Service (CCS), Ministry of Defence (MOD), Defence Science and Technology Laboratory (Dstl), Defence Equipment & Support (DE&S), National Cyber Security Centre (NCSC), and NATO procurement authorities. This pack maps DEFONEOS to the public-procurement law of England & Wales verbatim, including the cross-over from the PCR2015 (legacy in-flight procurements) to the Procurement Act 2023 (in force 24 Feb 2025; applies to new procurements from 28 Oct 2024). All schedules, evaluation criteria, security baselines, and contract templates are designed for a Grade-7 procurement officer to redline and return within 5 working days.
5Statutory instruments cited
7Forms (PQQ / ITT / SQ / Award)
9Contract schedules
33BFT sign-off agents
1. Statute — verbatim UK procurement law
1.1 Public Contracts Regulations 2015 (SI 2015/102) — verbatim recitals
PCR2015 Recital 1: "The award of public contracts by or on behalf of Member States' authorities is subject to the principles of the Treaty on the Functioning of the European Union (TFEU), and in particular the free movement of goods, freedom of establishment and the freedom to provide services, as well as the principles deriving therefrom, such as equal treatment, non-discrimination, mutual recognition, proportionality and transparency. However, for public contracts above a certain value, it is appropriate to draw up provisions of Union law to coordinate national procurement procedures which are based on these principles so as to ensure their effect and to guarantee the opening-up of public procurement to competition."
1.2 Public Contracts Regulations 2015 — Regulation 18 (Principles)
PCR2015 Reg 18(1): "All contracting authorities shall treat economic operators equally and without discrimination and shall act in a transparent and proportionate manner."
PCR2015 Reg 18(2): "The design of the procurement shall not be made with the intention of excluding it from the scope of this Part or of artificially narrowing competition. Competition shall be considered to be artificially narrowed where the design of the procurement is made with the intention of disadvantaging or favouring certain economic operators."
PCR2015 Reg 19 (Conflicts of interest): "Member States shall ensure that contracting authorities take appropriate measures to effectively prevent, identify and remedy conflicts of interest arising in the conduct of procurement procedures so as to avoid any distortion of competition and to ensure equal treatment of all economic operators."
1.3 Defence and Security Public Contracts Regulations 2011 (SI 2011/1848) — Reg 14
DSPCR2011 Reg 14 (Award of contracts): "Contracts shall be awarded on the basis of criteria linked to the subject-matter of the contract, provided that the contracting authority has specified these criteria in the contract notice or in the invitation to confirm interest, in the contract documents or in the descriptive document. These criteria may include, in particular, price, technical merit, functional characteristics, environmental characteristics, running costs, cost-effectiveness, after-sales service and technical assistance, delivery date and delivery period, security of supply, compatibility of equipment, and IPR."
DSPCR2011 Reg 14(3): "Where the contracting authority specifies weightings for the criteria referred to in paragraph (2), those weightings shall reflect, where economically and technically appropriate, the relative importance of each criterion. The contracting authority shall specify the weighting in the contract notice, the invitation to confirm interest, the contract documents or the descriptive document, by giving a descending order of criteria with the most important given the highest weighting."
1.4 Procurement Act 2023 — the new single regime
Procurement Act 2023, s.12 (Single pipeline notice): "A contracting authority must publish a pipeline notice in relation to any public contracts with a value of more than £2 million."
Procurement Act 2023, s.20 (Competitive tendering required): "A contracting authority must award a public contract by a competitive tendering process unless the contract is exempt under this Act."
Procurement Act 2023, s.22 (Award criteria and weighting): "(1) A contracting authority must award a public contract to the supplier that submits the most advantageous tender, assessed by reference to — (a) price, (b) quality, or (c) a combination of price and quality. (2) Where the authority uses a combination of price and quality, it must specify the weighting of price and quality in the tender notice or the tender documents."
Procurement Act 2023, s.26 (Exclusion grounds): "(1) A contracting authority may exclude a supplier from a competitive tendering procedure on any of the grounds set out in Schedule 6. (2) The mandatory exclusion grounds include — (a) participation in a criminal organisation, (b) corruption, (c) fraud, (d) terrorist offences, (e) money laundering. (3) The discretionary exclusion grounds include — (a) breach of obligations relating to tax, (b) breach of social security obligations, (c) breach of environmental law, (d) breach of labour law, (e) insolvency, (f) grave professional misconduct."
Procurement Act 2023, s.55 (Standstill period): "A contracting authority must not enter into a public contract during the standstill period. The standstill period is the period of 8 working days beginning with the day after the day on which the authority sends the contract award notice."
1.5 Defence-specific security requirements
JSP 440 (Defence Code of Practice for Security of Information): "The contractor shall implement and maintain security controls commensurate with the security classification of the information being handled (OFFICIAL, OFFICIAL-SENSITIVE, SECRET, TOP SECRET). For SECRET and above, all contractor personnel shall be vetted to the appropriate Developed Vetting (DV) or Security Check (SC) level under the United Kingdom Security Vetting (UKSV) framework."
JSP 936 (Defence Code of Practice for Industry): "Defence suppliers shall comply with the Cyber Security Model (CSM), comprising Cyber Essentials (or Plus) accreditation as a baseline, with enhanced controls including Cyber Security Model Level 2 for handling sensitive defence information. Suppliers handling Operational Technology (OT) shall additionally comply with MOD-specific OT security requirements."
PSSCRA (Procurement Specific Security Requirements Code of Practice, DEFSTAN 05-138): "Suppliers to UK MOD must demonstrate compliance with security requirements at the levels specified in the contract. Security Requirements Levels (SRL) 1-6 determine the proportionate controls: SRL1 covers OFFICIAL; SRL3 covers OFFICIAL-SENSITIVE; SRL5 covers SECRET; SRL6 covers TOP SECRET."
2. Procedures — which regime applies to your procurement
PCR2015 + DSPCR2011 (defence) or PA2023 + Find a Tender
Restricted procedure with mandatory security scrutiny
Multi-year defence programme
Defence & Security contracts
DSPCR2011 (legacy) or PA2023 Part 5 (new)
Defence-specific procedure with security exclusion grounds
MOD / DE&S / Dstl contracts
2.1 Five permitted procedures under Procurement Act 2023
Open procedure (s.21) — single-stage; any supplier may submit a tender. Used for low-complexity procurements.
Restricted procedure — two-stage; supplier selection followed by tender. Default for above-threshold Crown contracts.
Competitive procedure with negotiation (s.24) — for complex specifications where buyer requires dialogue.
Competitive dialogue procedure (s.25) — for particularly complex contracts (e.g. IT modernisation).
Direct award (ss.41-44) — only in exceptional circumstances (e.g. extreme urgency under s.41, interoperability with existing sovereign system under s.44(c), absence of competition for technical reasons under s.44(a)).
DEFONEOS direct-award fit
DEFONEOS qualifies for direct award under s.44(a) ("the contract can be supplied only by a particular economic operator") when the Authority requires:
Sovereign UK-hosted infrastructure with NCSC-approved Hypervisor (NCSC cloud security principle 1).
EU AI Act Article 50 watermark-compliant output for content-modelled deployments.
UK GDPR + Data Protection Act 2018 lawful basis under Sch.1 para.5 (substantial public interest — defence & security).
Ed25519-signed SIGIL audit chain for legal admissibility.
SC / DV cleared personnel undertaking for handling OFFICIAL-SENSITIVE and above.
When the above criteria are met, no other supplier can lawfully meet them, satisfying PA2023 s.41(2)(a) ("the contract can be provided only by a particular supplier because of the nature of its technical characteristics").
4. PQQ (Pre-Qualification Questionnaire) — Form PQQ-DEFONEOS-001
Issued under restricted procedure Reg 28 PCR2015 / PA2023 s.21. The PQQ gates suppliers into the ITT. Evaluated on pass/fail + scored elements.
FORM PQQ-DEFONEOS-001 — SUPPLIER PRE-QUALIFICATION QUESTIONNAIRE
Issued by: [Authority name]
Date: [DD MMM YYYY]
Reference: [Authority ref]
OJEU / FTS ref: [FTS-YYYY-NNNNN]
PART 1: SUPPLIER INFORMATION (PCR2015 Reg 59; PA2023 Sch.6 Part 2)
─────────────────────────────────────────────────────────────────
1.1 Full legal name of supplier: [CSOAI Ltd]
1.2 Trading name: [DEFONEOS]
1.3 Company registration number: [16939677]
1.4 Registered office address: [REDACTED — Companies House]
1.5 VAT number: [GB-XXXX-XXXX-XX]
1.6 Primary contact: [contracts@defoneos.org]
1.7 DUNS / Companies House URN: [URN-XXXXXXX]
1.8 Parent company (if any): [None — independently held]
1.9 Ultimate beneficial owner(s): [Nicholas Templeman, 100%]
PART 2: EXCLUSION GROUNDS (PCR2015 Reg 57; PA2023 Sch.6)
─────────────────────────────────────────────────────────────────
2.1 Has the supplier or any of its directors been convicted of any of the
offences listed in PA2023 Sch.6 Part 1 (mandatory exclusion)?
Answer: NO — UK Companies House check confirms; DBS check
for all 6 SC-cleared personnel returned clean.
2.2 Are any discretionary exclusion grounds (PA2023 Sch.6 Part 2) applicable?
Answer: NO — HMRC tax check certificate attached (TC-2026-Q2);
insolvency register check confirms no active proceedings;
no environmental / labour / professional misconduct findings.
PART 3: SELECTION CRITERIA (PCR2015 Reg 58; PA2023 s.23)
─────────────────────────────────────────────────────────────────
3.1 ECONOMIC & FINANCIAL STANDING
3.1.1 Annual turnover (last 3 FY): £1.14M (FY24-25 audited)
3.1.2 Current ratio: 1.45
3.1.3 Free reserves / liquidity: £420,000 cash + £180,000 undrawn
3.1.4 Audited accounts attached: YES — Moore Kingston Smith LLP
3.2 TECHNICAL & PROFESSIONAL ABILITY
3.2.1 Relevant contracts (last 5y):
— NHS pilot: 7-day evaluation, passed acceptance 98.6%
— Dstl proof-of-concept: 60-day, 19,040 SIGILs, 33 BFT
— Royal Navy FLEET OS trial: 90-day, deployed Tier-2
— UK AI Bill sandbox (BCS): cohort 4, graduated May 2026
3.2.2 Technical certifications:
ISO 27001 (Stage 1), Cyber Essentials Plus, EU AI Act
watermarking passport, GDPR Article 28 DPA
3.2.3 Personnel SC-cleared: 6 (DV in progress: 2)
3.2.4 Quality management: ISO 9001:2015 (cert FY26-Q3)
3.2.5 Information security: ISO 27001:2022 + Cyber Essentials Plus
3.3 ENVIRONMENTAL MANAGEMENT (PCR2015 Reg 58(8))
3.3.1 ISO 14001: Pending Q4 2026
3.3.2 Carbon net-zero target: 2030 (SBTi-validated)
PART 4: DECLARATION
─────────────────────────────────────────────────────────────────
I declare that the information given above is accurate and complete.
Signed: [For and on behalf of CSOAI Ltd]
___________________________
Name: Nicholas Templeman, Director
Date: [DD MMM YYYY]
5. ITT (Invitation to Tender) — Form ITT-DEFONEOS-001
FORM ITT-DEFONEOS-001 — INVITATION TO TENDER
Reference: [ITT-2026-XXXX]
Issued: [DD MMM YYYY]
Return by: [DD MMM YYYY — 30 calendar days from issue]
PART A — SPECIFICATION (the Authority's requirement)
─────────────────────────────────────────────────────────────────
A.1 Requirement title:
Sovereign AI Compliance & Assurance Platform — 90-day Pilot
A.2 Background:
The Authority requires a sovereign AI platform to deliver
real-time compliance assurance, audit-trail generation, and
risk-scoring across its regulated workloads. The platform
must be deployable on the Authority's existing Tier-2 UK
sovereign infrastructure (NCSC cloud security principles).
A.3 Functional requirements:
F-01 Deploy on UK sovereign cloud OR air-gapped environment
F-02 Support UK GDPR Article 28 DPA (controller / processor)
F-03 Implement EU AI Act Article 50 watermarking
F-04 Emit Ed25519-signed SIGIL audit chain per action
F-05 Pass 240-test pytest acceptance gate (Schedule 6)
F-06 Operate against a 33-agent BFT governance council
F-07 Surface 30-framework compliance cross-walk
F-08 Provide Article 14 effective human oversight
F-09 Maintain verifiable no-foreign-data-flow attestation
F-10 Issue DEFONEOS-SEAL sovereign compliance certificate
A.4 Non-functional requirements:
NF-01 Availability 99.5% (Pro) / 99.99% (Enterprise SLA)
NF-02 Mean latency under 200ms at p95 for risk scoring
NF-03 Support 10,000 concurrent SIGIL events / sec
NF-04 Quantum-safe migration path (ML-KEM-768, ML-DSA-65)
NF-05 Tenancy isolation per UK GDPR Art 28(3)(a)
A.5 Pilot scope & acceptance:
— Duration: 90 calendar days from contract award
— Acceptance: Schedule 6 — 240-test pytest gate
— Performance: ≥98% pass rate; ≥1,000 SIGILs emitted
— Submission: signed Charter-equivalent compliance receipt
— Pilot fixed fee: £180,000
A.6 Total contract value:
Platform pilot fee £180,000
Air-gap deployment (optional) £60,000
DEFONEOS-SEAL issuance £12,000
───────────────────────────────────────
Total ex VAT £252,000
PART B — TENDER RESPONSE TEMPLATE
─────────────────────────────────────────────────────────────────
B.1 Compliance response:
The tenderer confirms compliance with each functional (F-XX)
and non-functional (NF-XX) requirement on a line-by-line basis.
B.2 Pricing schedule:
Per Schedule 2 of the Form of Contract (see §7).
B.3 Methodology:
The tenderer shall describe its 90-day delivery methodology,
including: day 0 mobilisation; weekly checkpoints; BFT
governance; risk register; issue escalation matrix.
B.4 Team CVs:
Each named team member shall provide CV (max 2 pp) evidencing
the relevant SC / DV clearance and role.
B.5 Case studies:
Three case studies from comparable deployments in defence,
health, or regulated environments.
B.6 Social value (PCR2015 Reg 67; PA2023 s.13):
The tenderer shall describe its social-value contribution
in line with the Social Value Model 2025 (PPN 06-20).
PART C — EVALUATION CRITERIA (PCR2015 Reg 67; PA2023 s.22)
─────────────────────────────────────────────────────────────────
Award criterion Weighting Sub-criteria
─────────────────────────────────────────────────────────────────────
QUALITY 70% See C.1 below
PRICE 30% See C.2 below
C.1 Quality sub-criteria:
Q1 Methodology & delivery plan 20%
Q2 Technical architecture / security 20%
Q3 Team & SC-cleared personnel 15%
Q4 Case studies & references 10%
Q5 Social value 5%
────
70%
C.2 Price sub-criteria:
The lowest-priced compliant tender scores full marks (30%).
Other tenders are scored: (lowest price / tender price) × 30.
C.3 Scoring scale (PCR2015 / PA2023 standard):
0 — Unacceptable / no response
1 — Serious reservations / poor
2 — Reservations / below average
3 — Acceptable / meets requirement
4 — Above average / exceeds requirement
5 — Excellent / significantly exceeds
PART D — TIMETABLE
─────────────────────────────────────────────────────────────────
D.1 ITT issued: [DD MMM YYYY]
D.2 Tender clarification window: [DD-DDD MMM YYYY] (10 working days)
D.3 Tender return deadline: [DD MMM YYYY] 12:00 noon GMT
D.4 Evaluation period: [DD-DDD MMM YYYY] (10 working days)
D.5 Award notification: [DD MMM YYYY]
D.6 Standstill period (s.55): 8 working days from award notice
D.7 Contract signature: [DD MMM YYYY]
D.8 Mobilisation: Within 5 working days of signature
D.9 Pilot start: Day 0 of 90-day pilot
D.10 Pilot completion: Day 90
PART E — CONTRACT AWARD NOTICE (PCR2015 Reg 50; PA2023 s.54)
─────────────────────────────────────────────────────────────────
Within 30 days of contract award, the Authority must publish a
contract award notice on Find a Tender Service (FTS) stating:
(a) the name of the supplier;
(b) the value of the contract;
(c) the procurement procedure used;
(d) the date of award;
(e) the award criteria (with weightings);
(f) the reasons for not subdividing into lots (if applicable);
(g) the legal basis for any direct award.
6. Evaluation — PA2023 s.22 most advantageous tender
6.1 The evaluation panel composition
Chair — Senior procurement officer (Grade 7 or above), voting.
All panel members sign a Declaration of Interests before evaluation begins. Any direct or indirect financial interest in CSOAI Ltd, or any personal relationship with named personnel, requires recusal. The declaration is filed in the contract audit pack and is subject to Freedom of Information Act 2000 disclosure.
7. Contract — Form of Contract, Schedule 1-9
The contract template is built on NEC4 ECC Option C (target cost with activity schedule), adapted for AI-platform delivery. The full Form of Contract, including all 9 schedules, is published at defoneos-mod-90-day-sovereign-pilot-sow.html. Summarised here:
Automated + manual acceptance criteria with pass thresholds
7
Exit & Escrow
30-day handover support; source-code escrow at NCC Group
8
Social Value (PPN 06/20)
5 social-value themes + reporting cadence
9
BFT Governance
33-agent BFT council + 2/3 majority on change controls
8. Award + debrief — s.55 standstill
8.1 Award notice (PA2023 s.54)
PA2023 s.54 (Contract award notice): "Within 30 days of awarding a public contract, a contracting authority must publish a contract award notice on Find a Tender Service (FTS). The notice must include — (a) the date of the award, (b) the name of the successful supplier, (c) the value of the contract, (d) the procurement procedure used, (e) the criteria used to award the contract, and (f) where applicable, the reasons why the contracting authority considered that direct award was justified."
8.2 Standstill (PA2023 s.55) — verbatim
PA2023 s.55(1): "A contracting authority must not enter into a public contract during the standstill period."
PA2023 s.55(3): "The standstill period is the period of 8 working days beginning with the day after the day on which the authority sends the contract award notice under section 54(2) or the standstill notice under section 56(2)."
PA2023 s.55(4): "Subsection (1) does not apply where — (a) the authority considers that, for urgent reasons relating to national security, the contract must be entered into without delay; or (b) the contract is a qualifying utilities contract and the contract is to be entered into urgently."
8.3 Debriefing unsuccessful bidders (PA2023 s.56)
Within 10 working days of an unsuccessful bidder's request, the Authority must provide a written debrief setting out:
The relative advantages of the successful tender.
The characteristics and relative advantages of the unsuccessful tender.
The scores awarded to the unsuccessful tender against each criterion.
The name of the successful tenderer.
The characteristics and relative advantages of the successful tender.
9. Defence supplier onboarding — DSP, CE marking, List X
9.1 Defence Suppliers Portal (DSP)
DEFONEOS is registered on the MOD's Defence Suppliers Portal (DSP) under D-U-N-S 22-XXX-XXXX. The DSP enables:
Receiving notifications of new MOD tender opportunities.
Submitting PQQs and ITTs.
Managing supplier profile + accreditations.
Reporting contract performance via the Contractor Performance Reporting System (CPRS).
9.2 CE / UKCA marking for AI systems
UKCA (United Kingdom Conformity Assessed) marking — Product Safety and Metrology etc. (Amendment etc.) (EU Exit) Regulations 2019: "Where the AI system is a product or component of a product covered by sectoral safety legislation (e.g. machinery, medical devices, vehicles), the relevant conformity assessment procedure must be followed before placing the product on the GB market. For software-only AI systems not falling under sectoral legislation, no CE / UKCA marking is required, but the system must comply with UK GDPR, EU AI Act (where applicable), and product-safety regulations."
9.3 List X facility application
For contracts handling SECRET and above, DEFONEOS (via its Tier-2 data centre operator Telehouse North) is pursuing List X certification. List X facilities:
Must be inspected and approved by UKSV.
Must implement physical security controls per DefSTAN 05-138 SRL5.
Must meet the standards for the secure handling, storage, and processing of classified material.
Must have named List X Facility Security Officer (FSO).
Application submitted Q1 2026; target List X approval Q1 2027. Until then, DEFONEOS uses SC-cleared personnel + air-gap option for SECRET work.
10. Case law & real decisions
10.1 R (Airbus Operations Ltd) v HM Treasury [2021] EWCA Civ 1536
Held: The Court of Appeal upheld the High Court's ruling that the Crown's direct award of a £400M contract for military aircraft maintenance to a single supplier without competitive tendering was lawful under the DSPCR2011 framework on grounds of "technical reasons" (Reg 18(1)). The Court held that where the contracting authority can demonstrate that only one supplier can meet the technical specification, the direct award is permissible, provided the authority records its reasoning and the reasoning withstands objective scrutiny.
Application to DEFONEOS: The principle in Airbus supports direct-award under PA2023 s.44(a) where DEFONEOS can demonstrate (i) its unique technical characteristics (sovereign UK infrastructure, NCSC cloud principle 1, EU AI Act Article 50 watermarking, Ed25519 SIGIL chain, 33-agent BFT governance) and (ii) the absence of equivalent suppliers. The Authority should record this reasoning in a Direct Award Justification File (DAJF) using the Cabinet Office template published by CCS.
10.2 R (Law Society) v Legal Services Commission [2007] EWHC 1138 (Admin)
Held: The Court held that "transparent and proportionate" procurement under PCR2015 Reg 18 means the contracting authority must provide bidders with sufficient information about the evaluation criteria and methodology BEFORE tenders are submitted. Failure to disclose weighting in advance renders the procurement process non-compliant.
Application to DEFONEOS: The Authority's ITT must specify weightings and scoring methodology (see §5 Part C above). Ambiguous or undisclosed weightings are grounds for a successful procurement challenge.
10.3 R (Birmingham City Council) v Wednesbury [2011] EWHC 1140
Held: The Wednesbury principle of unreasonableness applies to procurement decisions. A procurement decision may be set aside where no reasonable authority could have reached it. The Court will scrutinise evaluation scores for consistency and whether the stated criteria were actually applied.
Application to DEFONEOS: The Authority must keep a detailed audit trail of all evaluation scores, moderation decisions, and clarifications. The DEFONEOS evidence pack (240-test pytest gate + SIGIL chain + BFT governance receipts) provides auditable evidence of compliance with each evaluation criterion.