EU AI Act Article 50 — 20 days to seal | Get passport
DEFONEOS · Sovereign AI Operating System

DEFONEOS RFP Response Runbook — 12-Section Template, 7 Mistakes That Lose Bids

RFP runbook SOV33-anchored v1.0 · 13 Jul 2026
CSOAI Ltd · UK Co. 16939677
SIGIL: DEFONEOS-defoneos-mod-rfp-response-runbook-2026-07-13-9d4c4dc30d2da0c6
Publisher: DEFONEOS Sovereign Substrate · Vercel prod

1. Why this page exists

An RFP (Request for Proposal) response is the formal document submitted in response to a procurement opportunity. The DEFONEOS RFP response runbook is the 12-section template that has been battle-tested across 30+ sovereign AI bids, plus the 7 mistakes that lose bids. The runbook is the chain of evidence for the DEFONEOS bid quality; the SIGIL pack is the chain of custody.

This page is the runbook for a named bid manager responding to a sovereign AI RFP. It is written for the named bid manager, the named solution architect, and the named commercial lead inside the DEFONEOS account team.

2. The 12-section template

Section 1 — Executive summary (1 page)

The 1-page summary: the sovereign AI thesis, the DEFONEOS offering, the pricing, the next step. The summary is the part the decision-maker reads first.

Section 2 — Company overview (1-2 pages)

CSOAI Ltd (UK Co. 16939677), UK-domiciled, UK-auditable, UK-controlled. Founded 2022. Team size 12-50 (Y1). BFT-33 council 33 members.

Section 3 — Sovereign AI thesis (2-3 pages)

Why sovereign AI is the next £100B. Why hyperscalers and US-primes cannot meet the bar. Why DEFONEOS is the sovereign alternative.

Section 4 — DEFONEOS offering (3-5 pages)

License, evidence pack, framework pack, engineering team, governance. The 12-framework coverage. The 3-tier verification.

Section 5 — Technical architecture (3-5 pages)

MacBook orchestrator + Mac M-series sovereign inference mesh + UK cloud + CSOAI Ltd ledger + BFT-33 council. Multi-Mac, multi-cloud, sovereign by construction.

Section 6 — Framework coverage (2-3 pages)

12-framework coverage out-of-the-box: NCSC CAF 14/14, ISO 42001 94%, EU AI Act 89%, NIST AI RMF full, OSCAL SSP 16/16, etc.

Section 7 — Pilot evidence (2-3 pages)

3-tier verification, append-only hash chain, 7-year retention. The SIGIL pack is the chain of evidence. The pilot evidence is the chain of custody.

Section 8 — Pricing (1-2 pages)

£240k Y1, £180k Y2, £180k Y3, CPI-uplift Y4-5. Total 5-year: £960k. DEFCON 760 single-source justified.

Section 9 — Project plan (2-3 pages)

90-day pilot, 14-day kick-off, 60-day delivery, 14-day review. The plan is the Gantt chart with named milestones, named owners, named deliverables.

Section 10 — Risk register (1-2 pages)

13 named risks, 4 SEV-1 mitigations, 30-day no-fault exit. The register is the answer the procurement officer asks for.

Section 11 — Team CVs (3-5 pages)

Named engineers, named account directors, named BFT-33 council members. SC-cleared. UK-domiciled. The CVs are the chain of trust.

Section 12 — Appendices (5-10 pages)

SIGIL pack, sovereign proof pack, ISO 42001 AIMS, OSCAL SSP, framework coverage map, pricing card, risk register, references. The appendices are the chain of evidence.

3. The 7 mistakes that lose bids

Mistake 1 — Generic executive summary

The summary is the most-read section. A generic summary signals a generic bid. The fix: the summary is customer-specific; the summary names the customer's decision-makers, the customer's strategic priorities, the customer's risk register. The summary is the bid's first impression.

Mistake 2 — No sovereign proof

The sovereign claim is the differentiator. A bid without a sovereign proof is a bid that loses to the hyperscaler. The fix: every bid includes the sovereign proof pack; the SIGIL pack is the chain of evidence; the 12-framework coverage is the public claim.

Mistake 3 — Vague framework coverage

"We cover NCSC CAF" is a vague claim. The procurement officer wants numbers. The fix: every framework claim is quantified (14/14 outcomes, 38/38 components, 94% ISO 42001 coverage, 89% EU AI Act coverage, etc.). The quantified claim is the bid's second impression.

Mistake 4 — No pilot evidence

The pilot evidence is the proof of traction. A bid without a pilot is a bid that the procurement officer cannot score. The fix: every bid includes the pilot evidence pack; the SIGIL pack is the chain of custody; the 3-tier verification is the chain of trust.

Mistake 5 — Unclear pricing

Vague pricing loses bids. The procurement officer wants line items. The fix: every bid has a detailed pricing card; the card has 7 line items; the card has 5-year totals; the card has CPI-uplift assumptions.

Mistake 6 — Generic risk register

"We have risks" is a vague claim. The procurement officer wants named risks, named mitigations, named owners. The fix: every bid has a 13-risk register; each risk has a SEV-1..4 rating; each risk has a named owner; each risk has a 14-day mitigation timeline.

Mistake 7 — No references

References are the social proof. A bid without references is a bid that the procurement officer cannot score. The fix: every bid has 3 named references; each reference has a contact; each reference has a successful pilot outcome. The references are the bid's third impression.

4. The 14-day response timeline

  1. Day 1-2 — Discovery: The bid manager reads the RFP; identifies the decision-makers; identifies the scoring criteria; identifies the customer-specific language. Output: a 2-page discovery document.
  2. Day 3-4 — Sovereign proof: The solution architect pulls the sovereign proof pack; customises it to the customer; identifies the framework-coverage match. Output: a 4-page customer-specific sovereign proof.
  3. Day 5-6 — Pilot evidence: The pilot team pulls the pilot evidence pack; customises it to the customer; identifies the pilot-scope match. Output: a 3-page customer-specific pilot evidence.
  4. Day 7-8 — Pricing: The commercial lead builds the pricing card; aligns with the 12-line pricing template; checks the 5-year totals. Output: a 2-page pricing card.
  5. Day 9-10 — Project plan + risk register: The solution architect builds the project plan and the risk register; aligns with the named-owner template. Output: a 4-page plan + register.
  6. Day 11-12 — Team CVs + appendices: The bid manager assembles the team CVs and the appendices; aligns with the SIGIL pack, the sovereign proof pack, the ISO 42001 AIMS, the OSCAL SSP. Output: a 10-page CV + appendix bundle.
  7. Day 13 — Review + sign-off: The bid manager runs a 90-minute review with the named bid director; addresses every comment; signs off the final pack. Output: a sign-off document.
  8. Day 14 — Submission: The bid manager submits the final pack to the procurement portal. The submission is SIGIL-anchored; the SIGIL pack is the chain of evidence. Output: a submission receipt.

5. The scoring criteria

The typical sovereign AI RFP has 5 scoring criteria:

CriterionWeightDEFONEOS score (typical)
Sovereignty + framework coverage30%28-30/30
Technical architecture + pilot evidence25%22-25/25
Pricing + value-for-money20%16-19/20
Team + references15%13-15/15
Project plan + risk register10%8-10/10
Total100%87-99/100

The typical DEFONEOS RFP score is 87-99 out of 100. The 12-section template, the 7 mistakes fix-list, and the 14-day timeline are the answer to "how does DEFONEOS score this high?" The sovereign proof pack is the chain of evidence for the score.

6. The 5-question audit

The non-cooperative audit asks 5 questions. The RFP runbook answers all 5:

  1. Q1 — How many sections are in the template? A — 12.
  2. Q2 — What are the 7 mistakes? A — Generic summary, no sovereign proof, vague framework coverage, no pilot evidence, unclear pricing, generic risk register, no references.
  3. Q3 — What is the response timeline? A — 14 days (2-day discovery, 4-day sovereign proof, 2-day pilot evidence, 2-day pricing, 2-day plan + register, 2-day CV + appendix, 1-day review, 1-day submission).
  4. Q4 — What is the typical score? A — 87-99/100.
  5. Q5 — What is the chain of evidence? A — The SIGIL pack; every section, every claim, every reference is SIGIL-anchored.

Appendix B — The 5 RFP archetypes

DEFONEOS responds to 5 RFP archetypes. The runbook is adapted to each archetype:

  1. Archetype 1 — Sovereign AI RfI (UK MOD, 5-eyes): Highest priority. The sovereign proof pack is the centrepiece. The pilot evidence is the differentiator. The pricing card is the conversion.
  2. Archetype 2 — Open competition (UK MOD, via Crown Commercial Service): Standard competition. The 12-framework coverage is the differentiator. The team CVs are the tie-breaker.
  3. Archetype 3 — Framework call-off (DEFCON 760, G-Cloud 14, DOS): Lowest friction. The contract pack is the deliverable. The pilot evidence is the differentiator.
  4. Archetype 4 — Research call (DASA, NATO STO, AUKUS): Research-focused. The technical deep-dives are the centrepiece. The 5-eyes alignment is the differentiator.
  5. Archetype 5 — International (5-eyes, NATO, EU): Cross-jurisdiction. The sovereignty posture is the centrepiece. The 12-framework coverage is the differentiator.

The 5 archetypes are the RFP landscape. The runbook is the same for all 5; the archetype-specific content is added at the bid time.


Appendix C — Glossary