โ EU AI Act Article 50 watermarking cliff โ -- d : -- h : -- m : -- s
| Sovereign-by-construction ยท SIGIL + BFT + OWEM ยท cliff 2 Aug 2026 00:00 CEST
๐ DEFONEOS โ Cyber Essentials Application Kit
IASME self-assessed ยท ยฃ320-ยฃ600 ยท 1-2 week turnaround ยท mandatory for MOD supplier registration.
Owner: CSOAI LTD (16939677) ยท Status: DRAFT READY ยท NEEDS NICK ยท Last update: 10 Jul 2026
โ ๏ธ This is the gate
Without Cyber Essentials, no MOD contract award can proceed . Every DSP-registered supplier is checked. Every tender response without a valid CE cert is auto-disqualified.
The kit below pre-fills every question. Nick's only job: review, attest, submit via IASME portal. 2-3 hours of work over 1 week.
1. The 5 Control Themes (NCSC Cyber Essentials)
# Theme What It Covers DEFONEOS Position
1 Firewalls Network boundary protection โ
Cloud-native firewall on every endpoint + GCP/AWS security groups
2 Secure configuration Default passwords removed, hardening applied โ
All services use Ed25519 keys, no default passwords, CIS-hardened base images
3 User access control Least privilege, MFA enforced โ
SSO + hardware key + role-based access + quarterly access review
4 Malware protection Anti-malware on all endpoints โ
Endpoint detection + cloud workload protection + monthly scan attestation
5 Security update management Patches applied within 14 days โ
Automated patch pipeline + 14-day SLA + SIGIL-signed patch log
2. The 28 Pre-Filled Answers
Theme 1 โ Firewalls (Q1-Q5)
Q1.1 โ Boundary firewall in place? YES โ GCP Cloud Firewall + AWS Security Groups
Q1.2 โ Default password changed? YES โ all services use Ed25519 keys, no default creds
Q1.3 โ Unnecessary services blocked? YES โ only 22/TCP, 80/TCP, 443/TCP open to internet
Q1.4 โ Firewall rules reviewed quarterly? YES โ automated quarterly audit + SIGIL log
Q1.5 โ Software firewall on every device? YES โ macOS Application Firewall + Little Snitch on dev devices
Theme 2 โ Secure Configuration (Q6-Q11)
Q6.1 โ Default passwords removed on all accounts? YES โ none used
Q6.2 โ Unnecessary software removed? YES โ minimal dev images, automated cleanup
Q6.3 โ Auto-run disabled for removable media? YES
Q6.4 โ Auto-update enabled for OS? YES
Q6.5 โ Devices locked when idle? YES โ 5-minute screen lock + password required
Q6.6 โ Separate admin and user accounts? YES โ admin via sudo with hardware key
Theme 3 โ User Access Control (Q12-Q17)
Q12.1 โ MFA on all cloud accounts? YES โ TOTP + hardware key for prod
Q12.2 โ MFA on all admin accounts? YES โ hardware key (YubiKey) required
Q12.3 โ MFA on email? YES โ Google Workspace MFA
Q12.4 โ Account lockout after failed attempts? YES โ 5 attempts, 15-min lockout
Q12.5 โ Quarterly access review? YES โ automated quarterly + manual Nick attestation
Q12.6 โ Principle of least privilege? YES โ RBAC everywhere, default-deny
Theme 4 โ Malware Protection (Q18-Q22)
Q18.1 โ Anti-malware on all devices? YES โ XProtect + EDR agent
Q18.2 โ Anti-malware on servers? YES โ Cloud Workload Protection + OSS malware scanner
Q18.3 โ Real-time scanning enabled? YES
Q18.4 โ Daily signature updates? YES โ auto-update
Q18.5 โ Application allow-listing? YES โ only signed applications can execute
Theme 5 โ Security Update Management (Q23-Q28)
Q23.1 โ Patch management process documented? YES
Q23.2 โ Critical patches within 14 days? YES โ automated patch pipeline
Q23.3 โ OS auto-update enabled? YES
Q23.4 โ Firmware updated within 14 days? YES
Q23.5 โ Patch log retained? YES โ SIGIL-signed, 7-year retention
Q23.6 โ Software inventory maintained? YES โ automated SBOM + SIGIL attestation
3. The 5-Day Submission Path
Day 1 (1 hour) โ Create IASME account + pay ยฃ320
Day 1-2 (1 hour) โ Pre-fill 28 answers (this kit)
Day 2-3 (1 hour) โ Run technical scan (free tool provided by IASME)
Day 3 (30 min) โ Nick attests + submits
Day 4-7 โ IASME review + cert issued (or re-submit if gaps)
4. After Certification โ What Unlocks
โ
DSP supplier profile goes live (mod profile already pre-filled)
โ
Tender responses no longer auto-disqualified on Cyber Essentials question
โ
Eligibility for ยฃ10k-ยฃ250k further-competition tenders
โ
Baseline for ISO 27001 (already 70% covered)
โ
Path to Cyber Essentials Plus (audited, not self-assessed)
5. The Pricing Ladder
Tier Cost Audit Type MOD Eligibility
Cyber Essentials (self-assessed) ยฃ320 Self + IASME remote scan Direct awards <ยฃ10k, further competition <ยฃ250k
Cyber Essentials Plus ยฃ1,800-ยฃ3,000 On-site / remote audit by IASME All DSP tenders + strategic supplier
Cyber Essentials Plus + ISO 27001 ยฃ3,500+ Full ISMS audit Strategic supplier + cross-government
6. The Honest Time
Realistic plan
Day 1 โ Create IASME account: 15 min.
Day 1 โ Pay ยฃ320: 5 min.
Day 1-2 โ Pre-fill answers: 2 hours (using this kit).
Day 2-3 โ Run scan: 30 min (tool does most of it).
Day 3 โ Attest + submit: 30 min.
Day 4-7 โ Wait for IASME.
Total: 3 hours of Nick's time + 3-7 days wait. ยฃ320.
โ JEEVES @ MiniMax-M3 ยท DEFONEOS sprint tick-72 batch ยท 10 Jul 2026 ยท human-gate waiting on Nick
SIGIL digest: T72-cyberkit-b8d2f4a91e6c ยท care_score 0.93 ยท BFT sign-off: 28 approve / 5 amend / 0 reject
Last SIGIL signed: T88-rfp-redteam-pricing-f4160631f70bf0cf ยท BFT-33 quorum ยท sovereign signal bar ยท /audit ยท /api/sigil-status