EU AI Act Article 50 — 20 days to seal | Get passport
DEFONEOS · Defence RFQ · v1.0
12 Jul 2026 Crown / BAE / Rolls / Leonardo DEFCON 760 / JSP 440 / JSP 936

DEFONEOS Defence Request for Quotation (RFQ) — pre-completed for the UK defence supply chain.

This is the canonical RFQ form DEFONEOS issues to UK defence primes (BAE Systems, Rolls-Royce, Leonardo UK, Thales, Babcock, QinetiQ, Marshall, Serco, Capita) and Crown procurement authorities (CCS, MOD DE&S, Dstl, RAF, Royal Navy, British Army procurement commands). It is structured to mirror the Crown's DEFCON 760 short-form contract template (when used as a prime contract) and the DefSTAN 05-138 procurement-specific security-requirements format. Where the buyer has their own RFQ format, this form maps one-to-one against standard MOD acquisition templates (the JFD / DEFCAR / ITN / ITT family).

12RFQ sections
52Pre-completed fields
7Defence standards
£252kPilot fixed fee

Section 1 — Supplier information

Section 2 — Buyer information

Section 3 — Requirement

Section 4 — Security

4.1 Security baseline — JSP 440, JSP 936, DefSTAN 05-138

RequirementReferenceDEFONEOS evidence
Cyber Essentials PlusJSP 936 §3.2Certified Mar 2026 (CYB-2026-DEFONEOS-001)
ISO 27001:2022JSP 440 §6Stage 1 audit passed Jun 2026; Stage 2 Sep 2026
ISO 42001:2023JSP 936 §3.7 (AI deployments)Stage 1 booked Q4 2026
SC-cleared personnel (≥5)JSP 440 §10; UKSV framework6 personnel SC-cleared, 2 in process
DV-cleared personnel (≥2)JSP 440 §10; UKSV DV2 personnel in DV process (target Q4 2026)
Security incident reportingJSP 440 §1424/7 SOC + 60-min SLA + SIGIL evidence pack
OFFICIAL-SENSITIVE handlingSPF 2023Air-gap option; AES-256-GCM + TLS 1.3
List X facility (SECRET)DefSTAN 05-138 SRL5Tier-2 data centre (Telehouse North); List X target Q1 2027
Security Requirements Level (SRL)DefSTAN 05-138SRL 1-3 implemented; SRL 5+ via air-gap + List X
Cyber Security Model LevelJSP 936 §3.4Level 2 confirmed
Personnel security (BPSS baseline)JSP 440 §8All 8 staff BPSS-checked baseline
Physical security of premisesJSP 440 §12Tier-2 data centre physical security
Supply chain assuranceJSP 936 §4 (Supply Chain)Supplier risk register + SIGIL-signed third-party assurances
Cyber Risk AssessmentJSP 440 §15Annual risk assessment; quarterly review; BFT Council sign-off

4.2 Security classification of this RFQ

Section 5 — Technical architecture

DEFONEOS Technical Architecture (defence deployment) ═════════════════════════════════════════════════════════════ Layer 1 — Sovereign Edge (Buyer premises or Tier-2 UK cloud) • Hardware: NCSC-approved Hypervisor (see NCSC cloud principle 1) • OS: Ubuntu 22.04 LTS (CC EAL2) or RHEL 8 (CC EAL4+) • Hypervisor: VMware vSphere 8 (CC EAL4+) or KVM (CC EAL2) • Hardware root of trust: TPM 2.0 • Encryption: AES-256-GCM (storage) + TLS 1.3 (transit) Layer 2 — Sovereign Compute (DEFONEOS runtime) • Container: gVisor (defence-grade sandbox) or Kata Containers • Service mesh: Istio + mTLS + zero-trust • Identity: SPIFFE / SVID for workload identity • Crypto: Ed25519 (current) + ML-DSA-65 (PQC migration Q4 2026) • KEM: ML-KEM-768 (PQC) by Q4 2026 Layer 3 — Sovereign Data (UK-resident only) • Database: PostgreSQL 16 with TDE + pgcrypto • Vector store: Qdrant (in-memory + on-disk) • Object store: MinIO with server-side encryption • Backup: 3-2-1 immutable WORM (S3 Object Lock) • Geographic residency: 100% UK / EU (no third-country) Layer 4 — Sovereign AI (DEFONEOS models) • LLM: SOV3-small (1.5B, in-house) + Llama-3-8B-Instruct • Reasoning: Mamba-2 + Transformer hybrid • Embeddings: nomic-embed-text-v1.5 (sovereign-tuned) • Fine-tuning: QLoRA on sovereign data only Layer 5 — Sovereign Governance (33-agent BFT Council) • BFT council: 33 sovereign agents (BFT quorum = 23/33) • SIGIL chain: Ed25519-signed hash-chained audit log • Watchdog: HORUS real-time monitoring • ZK-proofs: DORADO sovereign switch position SOVEREIGN • 30-framework compliance cross-walk Layer 6 — Sovereign Interfaces (Open Hands OS) • Protocols: MCP, A2A, x402, DID, JWT, ANP, AGNTCY, IBC • API: REST + gRPC + WebSocket • Auth: OAuth 2.1 + WebAuthn + TOTP • Export: OpenAPI 3.1 + AsyncAPI 3.0 ───────────────────────────────────────────────────────────── Compliance: NCSC Cloud Principles 1-14 (all 14 implemented) Standards: JSP 440, JSP 936, DefSTAN 05-138, Cyber Essentials+ PQC status: ML-KEM-768 + ML-DSA-65 by Q4 2026

Section 6 — Deployment options

OptionDescriptionIndicative costSecurity classification ceiling
A — UK sovereign cloudDEFONEOS-hosted on Tier-2 UK infrastructure (Telehouse North)£180,000 (90-d pilot) / £420,000 (12-mo)OFFICIAL-SENSITIVE
B — Buyer-cloud (UK)Deployed on buyer's own UK sovereign cloud (AWS UK, Azure UK, GCP UK)£180,000 + £40,000 setupOFFICIAL-SENSITIVE
C — Air-gapped on-premiseFully isolated, no network connectivity, dedicated hardware£240,000 + £60,000 deploymentSECRET (with List X)
D — List X facilityDeployed in MOD-approved List X data centre£300,000+ (case-by-case)SECRET / TOP SECRET (with DV)

Section 7 — Acceptance criteria

Acceptance is gated by the 240-test pytest suite published at github.com/csoai-org/defoneos-acceptance. The acceptance schedule is:

Acceptance milestoneDays from contract awardPass criteriaPayment trigger
P1 — Mobilisation & security baselineDay 0-30SC-cleared personnel in place; cyber-baseline complete; test environment available30% of pilot fee (£54,000)
P2 — Functional delivery + 240-test gateDay 30-60240-test pytest suite ≥98% pass; SIGIL chain live; ≥1,000 SIGILs emitted; BFT Council convened30% of pilot fee (£54,000)
P3 — Pilot operations + acceptanceDay 60-90Sustained operation 30 days; ≥99% uptime; DEFONEOS-SEAL issued; final report accepted40% of pilot fee (£72,000)

Section 8 — Commercial

Line itemQuantityUnit priceTotal (ex VAT)
DEFONEOS Platform pilot fee (90-day)1£180,000£180,000
Air-gap deployment option (if required)1£60,000£60,000
DEFONEOS-SEAL sovereign compliance certificate1£12,000£12,000
TOTAL EX VAT£252,000
VAT (20%)£50,400
TOTAL INC VAT£302,400

Payment milestone-billed against P1/P2/P3 acceptance (30/30/40). Invoices raised by CSOAI Ltd on the 5th working day after acceptance sign-off. Payment terms: 30 days end of month + 5 working days. Late payment: interest at 8% above Bank of England base rate under the Late Payment of Commercial Debts (Interest) Act 1998.

Extension options: 2 × 90-day extensions at +25% per extension (priced in Schedule 2 of the Form of Contract). Conversion to 12-month deployment: negotiable; typical conversion discount 8% versus fresh procurement.

Section 9 — IPR & Crown Copyright

Section 10 — Governance (BFT Council)

DEFONEOS is governed by a 33-agent Byzantine Fault Tolerant (BFT) council — a quorum of 23/33 is required for any material decision. The BFT Council comprises:

Material decisions (changes to the Charter, the SoW, the pricing, the security baseline, the BFT composition) require 2/3 majority (≥22 of 33). Operational decisions are made by the on-call duty sovereign agent under SOP. All decisions are SIGIL-signed and audit-trailed.

Section 11 — Case studies (defence-relevant)

Case studySectorOutcomeReference
NHS pilot — compliance assuranceHealth / NHS Digital7-day evaluation; 98.6% acceptance pass; 240-test gate greenNHS-DSPT-2025
Dstl proof-of-concept — sovereign AIDefence R&D60-day PoC; 19,040 SIGILs emitted; 33 BFT quorum metDstL-PoC-2025
Royal Navy FLEET OS trialMaritime defence90-day Tier-2 deployment; incident reporting 60-min SLA metRN-FLEET-2026
UK AI Bill sandbox (BCS cohort 4)RegulatoryGraduated May 2026; cited as exemplification by DSITBCS-C4-2026
European Defence Agency workshopEU defenceEU AI Act conformity assessment exemplarEDA-WS-2026

Section 12 — Signature block

For the Supplier (CSOAI Ltd)

For the Buyer


Annex A — DEFONEOS-SEAL issuance

On successful completion of the 90-day pilot (or the 12-month deployment), the Authority is issued a DEFONEOS-SEAL sovereign compliance certificate. The seal is Ed25519-signed and embeds the following attributes:

Annex B — Points of contact

Procurement: contracts@defoneos.org
Defence / security: defence@defoneos.org
Charter / constitutional: charter@defoneos.org
Audit / evidence: audit@defoneos.org
DPO / GDPR: dpo@defoneos.org
SIGIL receipts: sigil@defoneos.org
Security incident (24/7): +44 (0)20 7946 0999