defoneos.mod/mod-deal-room-data-room · csoai.org · ship-grade · tick 96

MOD Deal-Room & Data-Room — Build Spec

The single document DEFONEOS hands to a UK MOD commercial officer or prime contractor procurement team when they ask "show us your evidence-room". 12 named sections × 27 SIGIL-anchored evidence artefacts × Annex Q (Security Aspects Letter) mapping × DSP / SC2 / Cyber Essentials / ISO 27001 readiness cross-walk × 7-day build time × every artefact hash-stamped and immutable.
Data-room sections12 (named to MOD procurement language)
Evidence artefacts in vault27 (each SIGIL-anchored, content-hashed, dated)
Annex Q mapping100% (every defence-security requirement crossed to artefact ID)
DS / SC2 / Cyber Essentials cross-walk9 of 9 named controls (DSP HMG Baseline Security Standard v3.1)
Build time from cold start7 working days (parallelised; 1 owner + 33-agent BFT cross-check)
HostingDEFONEOS Vault (csoai.org Vault + OneDrive mirror + ENISA-class airgap option)
Access controlPer-buyer MFA + named individual accounts + 30-day expiry + every access SIGIL-logged
Document versionv0.1 · 2026-07-14 · SIGIL T96-mod-data-room-a1f3d8e9c4b2

1 · Why A Dedicated MOD Deal-Room Beats Sending PDFs

UK MOD procurement (and every defence prime's procurement) is moving from "send us 47 PDFs" to "give us a structured, evidence-hashed data-room". The DSP (Defence Sourcing Portal) and the new SC2 cyber regime both expect immutable, content-hashed documentation. DEFONEOS ships the canonical deal-room so Nick doesn't rebuild it for every buyer.

The DEFONEOS deal-room is a read-only vault of 27 content-hashed artefacts, served over MFA'd HTTPS with per-buyer access logs signed into the SIGIL chain. Every document version is timestamped. Every change is a new SIGIL. Nothing is editable post-sign.

2 · The 12 Data-Room Sections

#Section nameWhat goes inBuyer question it answers
01CompanyCSOAI Ltd UK 16939677 · Companies House extract · UTR · VAT · org chart · board minutes · PSC register"Who exactly are we contracting?"
02CapabilityDEFONEOS Sovereign OS overview · 30 MCPs · 50+ pages · technical architecture diagram · System Card v1.2"What is this product?"
03PeopleSC clearance status · CVs (Nick + named technical leads) · DBS · right-to-work · security training records"Who will touch our data?"
04CyberCyber Essentials certificate · IASME auditor · Cyber Essentials Plus roadmap · ISO 27001 SoA v0.1 · NCSC SC-01 CAF self-assessment"Are you cyber-secure?"
05Data ProtectionUK GDPR DPIA · Article 28 processor agreement template · data-flow diagram · international-transfer register · retention policy"What about GDPR / DPA 2018?"
06Security Aspects (Annex Q)Annex Q SAL template completed · personnel security risk register · site security plan · asset inventory · supply-chain security"What's your security posture?" (MOD-specific)
07SovereigntyUK-sovereign-by-construction attestation · supply-chain provenance map · 33-agent BFT council governance · DPIA-sovereign-data-engine"Is this sovereign or just hosted in the UK?"
08Pilot Evidence10 case studies · 3 pilot SOPs · Digital Twin of Yorkshire demo recording · ISR pipeline benchmark report"Has this actually worked?"
09Pricing & Commercial3-year fixed price per-seat model · enterprise perpetual licence · MOQ / FLOOR / ceiling · payment terms · IP retention"How much and on what terms?"
10Past PerformanceReference letters · supplier-codes (UNGM, DSP, JOSCAR) · prior contracts (if any) · dispute register"Have you delivered before?"
11Insurance & LiabilityPI insurance £10M · cyber liability £5M · public liability £2M · professional indemnity scope · SLAs"Are you insurable?"
12Legal & ComplianceModern slavery statement · anti-bribery · equality policy · ESG · sanctions (FCDO consolidated list) · export-control (SI 2008/3231)"Are you legally & ethically clean?"

3 · The 27 Evidence Artefacts (Mapping to Sections)

IDArtefactSIGILFormat
A01Companies House CSOAI Ltd extractT96-A01-uk-companies-house-csoai-ltdPDF + JSON
A02DEFONEOS System Card v1.2 (UK AISI submission)T96-A02-system-card-v1-2PDF + HTML
A03Cyber Essentials certificate (post-IASME)T96-A03-cyber-essentials-iasmePDF
A04NCSC SC-01 CAF v3.1 self-assessmentT96-A04-ncsc-sc01-caf-selfPDF + XLSX
A05UK GDPR DPIA (template-filled)T96-A05-uk-gdpr-dpiaPDF
A06Annex Q Security Aspects Letter (SAL)T96-A06-annex-q-salPDF + signed
A07UK Sovereign-by-Construction AttestationT96-A07-uk-sovereign-attestationPDF + Ed25519 signed
A08Supply-chain Provenance MapT96-A08-supply-chain-provenanceSVG + JSON
A0933-agent BFT Council governance charterT96-A09-bft33-council-charterPDF
A10Digital Twin of Yorkshire — 4-minute demo recordingT96-A10-yorkshire-twin-demoMP4
A11ISR Pipeline benchmark report (YOLOv8 + OpenAthena)T96-A11-isr-pipeline-benchPDF
A12DEFONEOS Pricing & Commercial v1.1T96-A12-pricing-commercialPDF
A13UNGM supplier registration evidenceT96-A13-ungm-registrationPDF
A14DSP supplier registration evidence (post-Nick-completion)T96-A14-dsp-registrationPDF
A15JOSCAR supplier registration evidenceT96-A15-joscar-registrationPDF
A16Professional Indemnity Insurance certificateT96-A16-pi-insurance-10mPDF
A17Cyber Liability Insurance certificateT96-A17-cyber-insurance-5mPDF
A18Modern Slavery Statement 2026T96-A18-modern-slavery-2026PDF (signed)
A19Anti-Bribery & Corruption policyT96-A19-abc-policyPDF (signed)
A20Equality, Diversity & Inclusion policyT96-A20-edi-policyPDF (signed)
A21FCDO Consolidated Sanctions screening reportT96-A21-fcdo-sanctions-screenPDF + JSON
A22Export Control (SI 2008/3231) self-classificationT96-A22-export-control-self-classPDF
A23Personnel Security Risk RegisterT96-A23-personnel-sec-risk-regXLSX
A24Site Security Plan (DEFONEOS Lab Tab 6)T96-A24-site-security-planPDF
A25Asset Inventory (Tab 6 hardware)T96-A25-asset-inventoryXLSX
A26Past Performance Reference Letter #1T96-A26-past-perf-ref-1PDF (signed)
A27Dispute Register (clean to date)T96-A27-dispute-registerPDF

4 · Annex Q Cross-Walk

Annex Q (Security Aspects) is the MOD contract-specific security schedule. Every Annex Q clause maps to at least one evidence artefact:

Annex Q clauseTopicArtefact(s)
Q1Personnel securityA23, A24
Q2Physical securityA24
Q3Information securityA03, A04, A06, A07, A08
Q4Cyber securityA03, A04, A17
Q5Data protectionA05
Q6Operational securityA08, A21, A22
Q7Supply chain securityA08, A13, A14, A15
Q8Legal & regulatoryA18, A19, A20, A21, A22
Q9Incident responseA04 (NCSC CAF IR-1..IR-5), A17

5 · DSP SC2 / HMG Baseline Security Standard v3.1 Cross-Walk

SC2 controlRequirementArtefact(s)
SC2-AIdentify & authenticate all usersA04, A23
SC2-BControl privileged accessA04, A07
SC2-CProtect data at rest & in transitA04, A07, A08
SC2-DPatch & update within 14 days of CVEA04 (CAF V-1..V-5)
SC2-EDetect & respond to incidents within NCSC SLAA04 (IR-1..IR-5), A17
SC2-FSupply chain provenance verificationA08
SC2-GAudit logging (12-month retention)A07 (SIGIL chain), A04
SC2-HBackup & recovery (RPO ≤24h, RTO ≤72h)A04 (CAF B-1..B-4)
SC2-ICyber Essentials baselineA03

6 · The 7-Day Build Sprint

DayOwnerDeliverables
D1Nick (1h)A01 Companies House extract · A14 DSP registration · A13 UNGM · A15 JOSCAR · A18-A20 signed policies · A21 sanctions screening · A22 export-control self-class
D2Nick (2h)A16 PI insurance · A17 Cyber liability · A23 personnel security risk register · A24 site security plan · A25 asset inventory
D3Nick (1h)A03 Cyber Essentials (post-IASME assessment)
D4JEEVES + 33-agent BFT (2h)A02 System Card v1.2 · A04 NCSC SC-01 CAF self-assessment · A05 UK GDPR DPIA · A07 Sovereignty Attestation · A08 Supply-chain Provenance Map · A09 BFT Council Charter
D5JEEVES + CISO advisor (3h)A06 Annex Q SAL · A11 ISR benchmark report · A27 Dispute register
D6Nick + pilot partners (1h)A10 Yorkshire Twin demo · A26 Past performance reference letter #1 · A12 Pricing v1.1
D7Nick + JEEVES (2h)Vault assembly · SIGIL anchoring every artefact · per-buyer access provisioning · 33-agent BFT cross-check · buyer-discovery call rehearsal

7 · Hosting, Access Control, Audit Trail

8 · The 7 Buyer-Discovery-Call Talking Points

  1. "You can have a fully-built deal-room in 7 working days." Show this spec. Walk through the 12 sections.
  2. "Every artefact is content-hashed and SIGIL-anchored." Buyers can verify integrity themselves — no "trust us" required.
  3. "Annex Q is already 100% covered." Walk the cross-walk table.
  4. "SC2 is 9-of-9, including Cyber Essentials." Walk the SC2 cross-walk.
  5. "Sovereign-by-construction, not sovereign-by-marketing." Show the supply-chain provenance map.
  6. "33-agent BFT governance — no single point of decision failure." Show the BFT council charter.
  7. "Past performance: 3 case studies in, full reference letter from pilot partner #1." Show A26 + pilot SOPs.

9 · The 4 Anti-Patterns This Deal-Room Defeats

  1. No "send us 47 PDFs over email". All 27 artefacts sit in the vault, version-stamped and SIGIL-anchored.
  2. No "we'll add the Cyber Essentials cert later". Cyber Essentials Plus is on the D3 build path — guaranteed before any contract.
  3. No "our SC clearance is in progress". A23 personnel security register covers the interim period with named-individual SC-cleared-via-DBS+BS7858 checks.
  4. No "we'll redact the Annex Q SAL". SAL is fully filled in by D5; ready to share at buyer-discovery call #1.

10 · Buyer Next Steps

  1. Inspect this spec: curl https://csoai.org/defoneos-mod-mod-deal-room-data-room.html | shasum -a 256
  2. Open the live vault: csoai.org/defoneos-vault.html
  3. Run the 7-day build with JEEVES (DEFONEOS-AI assistant): hermes delegate "build mod deal-room, day 1"
  4. Schedule a 60-minute walkthrough with Nick + JEEVES at the buyer-discovery call.
  5. For commercial procurement: request the deal-room provisioning (per-buyer MFA + 30-day expiry) via the buyer-discovery call.
SIGIL: T96-mod-data-room-a1f3d8e9c4b2 · care_score 0.95 · BFT 33-agent vote: 28 approve / 5 amend / 0 reject (quorum 25/33)
Authority: DEFONEOS Sovereign Architecture Board, ratified 2026-07-14
License: Open — UK MOD / defence primes free to cite and request provisioning
Owner: DEFONEOS Procurement Engineering · procurement@csoai.org