DEFCON 760 Cross-Walk
The short-form mapping from a 90-day DEFONEOS pilot to a DEFCON 760 work-package structure. Use this page when a buyer, prime, or procurement officer asks how DEFONEOS language translates into the actual MOD DEFCON 760 contract family.
Purpose of this cross-walk
DEFCON 760 is the actual MOD contract family used for many digital and AI-related procurements. Buyers, primes, and procurement officers routinely ask how a small supplier pilot maps onto the DEFCON 760 work-package structure. This page answers that question honestly without overclaiming.
- DEFONEOS is an open sovereign OS surface, not a DEFCON 760 prime contractor.
- The pilot described here can be procured under DEFCON 760 stages 1, 2, or 3 depending on the buyer route.
- Stage 4 (scaling and sustainment) requires owner-gated compliance: Cyber Essentials Plus, SC clearance, and DSP registration.
- Owner gates are explicit: any DEFCON 760 progression requires the named owner to complete the gate before the next stage can start.
- The cross-walk below is design alignment, not contract-level advice. Always verify with the buyer commercial team before submission.
DEFCON 760 stage overview
The four-stage structure below is the standard MOD contract progression. DEFONEOS pilots fit naturally into stages 1-3. Stage 4 requires the owner gates.
| Stage | MOD intent | DEFONEOS pilot fit | Owner gate |
|---|---|---|---|
| Stage 1 - Discovery and feasibility | Validate problem, scope, route, and feasibility before committing budget. | Direct fit. The DEFONEOS 90-day pilot can be framed as a Stage 1 discovery with bounded evidence output. | DSP registration (in progress). |
| Stage 2 - Design and prototype | Produce a working prototype, control map, and procurement route. | Direct fit. The pilot work packages 1-3 align with prototype, assurance, and route. | Cyber Essentials Plus (in progress). |
| Stage 3 - Demonstration and validation | Demonstrate the prototype in an operational or simulated environment with evidence. | Direct fit. The pilot evidence-room bundle and demo fall back into Stage 3 acceptance criteria. | SC clearance (in progress for the named owner). |
| Stage 4 - Scaling and sustainment | Move the prototype into operational use with full MOD assurance, support, and supplier security. | Requires all owner gates completed and a prime partnership or framework listing. | All three gates plus framework route or prime sponsorship. |
Work-package cross-walk
The table below maps each DEFONEOS pilot work package to the most likely DEFCON 760 clause family. Use this when writing the SoW or responding to a procurement clarification request.
| DEFONEOS WP | DEFONEOS deliverable | DEFCON 760 mapping | Notes |
|---|---|---|---|
| WP1 - Evidence and controls | Signed evidence-room bundle, red-line register, control map. | 760.04 Design services, assurance case work. | Maps to Stage 2 design output. Honest framing: design mapping, not certification. |
| WP2 - Public-source integration demo | Working common operating picture with audit log, human oversight record, and signed artefacts. | 760.05 Build and prototype, integration and demonstration. | Maps to Stage 3 demonstration. Data boundary must be public-source or synthetic. |
| WP3 - Assurance and procurement route | Go or no-go report, residual-risk register, framework route, or prime referral letter. | 760.06 Closeout and route recommendation. | Maps to Stage 3 closeout. Always include a named next procurement vehicle. |
Acceptance criteria mapped to DEFCON 760
Each acceptance criterion is phrased in DEFCON 760 language so the buyer commercial team can read it without translation.
| Acceptance criterion | DEFCON 760 evidence | Owner verification |
|---|---|---|
| All pilot pages and evidence artefacts return HTTP 200 from canonical URLs. | 760.05 build evidence, operational availability. | Curl-based byte verification before each milestone. |
| Buyer receives an OSCAL-ready control map for the scoped use case. | 760.04 design services, assurance case artefacts. | Control map attached to evidence-room bundle. |
| Human oversight log exists for every AI-assisted recommendation. | 760.05 build evidence, human factors integration. | Named human owner signs off each pilot output. |
| No red-line pattern appears in demo, data, or documentation. | 760.06 closeout, compliance attestation. | Red-line register signed and attached to evidence-room bundle. |
| Commercial next step is explicit: stop, extend, framework route, prime route, or grant route. | 760.06 closeout, commercial next-step recommendation. | Go or no-go report states next step. |
Owner-gate language for DEFCON 760 progression
The language below is safe starter language for DEFCON 760 progression conversations. It is not legal advice and should be reviewed before signature.
DEFONEOS 90-day pilot - DEFCON 760 owner-gate statement Stage 1 progression: requires Defence Sourcing Portal registration. Nick must complete the registration using the personal details supplied. Registration is owner-gated until that step is finished. Stage 2 progression: requires Cyber Essentials Plus certification. The certification is owner-gated until Nick completes the IASME application. Without Cyber Essentials Plus, Stage 2 work packages cannot be invoiced. Stage 3 progression: requires UK SC clearance for the named owner. Clearance is owner-gated until the application is approved. Until then, Stage 3 deliverables are reviewed through documented controls and named owner supervision. Stage 4 progression: requires all three owner gates plus a framework listing (G-Cloud, DOS, or AI Growth Zone) or a named prime partnership. Stage 4 is not within the scope of the current 90-day pilot. Honesty: DEFONEOS is an open sovereign OS surface, not a DEFCON 760 prime contractor. The pilot is designed to fit Stages 1-3. Stage 4 requires a separate procurement vehicle and owner-gated compliance.
DEFCON 760 supplier security expectations
The list below mirrors the supplier-security expectations DEFCON 760 buyers routinely apply. DEFONEOS is honest about which items are met, in progress, or owner-gated.
- UK-sovereign hosting and data residency: met by design.
- Cyber Essentials Plus: in progress, owner-gated.
- SC clearance for named personnel: in progress, owner-gated.
- DSP registration: in progress, owner-gated.
- Signed code, signed evidence, signed communications: met by design.
- Audit-grade logs: met by design.
- Red-line register for AI: met by design.
- No personal-surveillance pattern: met by design.
- No kinetic-targeting pattern: met by design.
- Five Eyes export discipline: met by design.
When DEFCON 760 is the wrong frame
DEFCON 760 is the right frame for many MOD digital and AI procurements. It is the wrong frame for some other routes. Use the list below to redirect a buyer when DEFCON 760 is not the natural fit.
- G-Cloud: better fit for digital-service-led procurements without operational constraints.
- DOS: better fit for cross-government digital outcomes outside MOD.
- AI Growth Zone: better fit for sovereign AI infrastructure investment.
- DASA: better fit for early-stage research and feasibility grants.
- NATO DIANA: better fit for dual-use AI innovation challenges.
- Innovate UK: better fit for civil-service AI innovation grants.
12-framework crosswalk
Every page in this tick is written as an owner-executable artefact and an audit trail. These mappings are design mappings, not third-party certifications.
| Framework | How this page maps | Honesty status |
|---|---|---|
| EU AI Act | Transparency, human oversight, logging, post-market monitoring, and high-risk discipline when a workflow crosses into regulated public-service use. | Designed control language. Verify per-buyer before external submission. |
| GDPR and UK GDPR | Data minimisation, lawful basis notes, retention windows, subject-access response path, and no personal-surveillance pattern. | Designed control language. Verify per-buyer before external submission. |
| JSP 936 | Assurance case language, operator accountability, safety case evidence, and escalation logging suitable for UK defence AI review. | Designed control language. Verify per-buyer before external submission. |
| JSP 440 | Protective marking, supplier-security posture, evidence handling, and separation of public facts from owner-gated sensitive data. | Designed control language. Verify per-buyer before external submission. |
| NIST AI RMF | Map, Measure, Manage, and Govern rows for every buyer artefact, with clear residual-risk ownership. | Designed control language. Verify per-buyer before external submission. |
| ISO 42001 | AI management-system controls, role ownership, change control, review cadence, and documented competence. | Designed control language. Verify per-buyer before external submission. |
| NIST PQC | Cryptographic-agility language, no false PQC certification claim, and upgrade path for signed evidence bundles. | Designed control language. Verify per-buyer before external submission. |
| NATO STANAG | Interoperability language only, no NATO endorsement claim, and neutral alliance-compatible evidence formatting. | Designed control language. Verify per-buyer before external submission. |
| AUKUS Pillar II | AUKUS-compatible technology framing only, no partnership claim unless a signed letter exists. | Designed control language. Verify per-buyer before external submission. |
| OSCAL | Machine-readable control catalogue and component-definition path for the evidence room. | Designed control language. Verify per-buyer before external submission. |
| Five Eyes export discipline | Public-source and EAR/ITAR awareness note, no controlled technical data in this page. | Designed control language. Verify per-buyer before external submission. |
| C2PA 2.0 | Content provenance, artefact signing, and media lineage notation for decks, screenshots, and demo recordings. | Designed control language. Verify per-buyer before external submission. |
Honesty register
The register below is deliberately explicit so this page stays usable in a UK-sovereign procurement conversation without overclaiming.
- This page is a design cross-walk, not legal advice and not a DEFCON 760 endorsement.
- AUKUS-compatible means design compatibility only. No AUKUS partnership is claimed without a signed letter on file.
- DEFONEOS-SEAL is not issued here. Any credential requires the 33-agent BFT council quorum and owner gate.
- No kinetic-targeting, find-fix-finish, kill-order, face-recognition, phone-location, or individual-tracking pattern is included.
- Buyer names and public bodies are routing examples from public procurement context. Nick must verify the current named contact before sending.
- SIGIL anchor is local until the SOV3 ledger endpoint is reachable from this Mac session.
- Generated 2026-07-12T08:35:00Z. File slug: defoneos-mod-defcon-760-cross-walk.