EU AI Act Article 50 โ€” 20 days to seal | Get passport
๐Ÿ‰

OSCAL Compliance Catalog

Machine-readable security controls per NIST OSCAL standard ยท 12 frameworks ยท 147 controls mapped

OSCAL 1.1.2 12 FRAMEWORKS
147
Total Controls
108
Enforced (77%)
26
Partial (18%)
13
Not Started (5%)
12
Frameworks
JSON+XML
Formats

What is OSCAL?

OSCAL (Open Security Controls Assessment Language) is a NIST-standardized set of XML, JSON, and YAML formats for representing security control information. DEFONEOS encodes its compliance posture as machine-readable OSCAL artifacts โ€” enabling automated assessment, continuous monitoring, and real-time compliance gap detection.

OSCAL Document Layers

LayerOSCAL DocumentDEFONEOS Implementation
1. CatalogControl definitions (NIST SP 800-53)defoneos-catalog.json โ€” 147 controls across 12 frameworks
2. ProfileTailored control baselinesdefoneos-profile.json โ€” UK MOD + NATO + EU AI Act baseline
3. Component DefinitionSystem component control implementations30 MCP component definitions
4. System Security Plan (SSP)Documented implementationdefoneos-ssp.json โ€” generated from live system state
5. Assessment PlanAudit scope and proceduresAutomated assessment plan generated quarterly
6. Assessment ResultsFindings and evidenceSIGIL chain โ€” Ed25519-signed assessment evidence
7. Plan of Action & Milestones (POA&M)Remediation trackingdefoneos-poam.json โ€” 13 open items, auto-tracked

๐Ÿ“Š Control Coverage by Framework

FrameworkControlsEnforcedPartialGapsCoverage
EU AI Act (Art 9-15)642067% / 33%
UK AI Bill 2025532060% / 40%
NIST SP 800-53 Rev 538287374% / 18% / 8%
NIST AI RMF 1.04400100%
ISO 27001:202214103171% / 21% / 8%
ISO 42001:2023642067% / 33%
JSP 936 (AI Assurance)321067% / 33%
Cyber Essentials520340% / 0% / 60%
SOC 2532060% / 40%
NATO AI Strategy431075% / 25%
OWASP LLM Top 101091090% / 10%
NIST PQC Migration541080% / 20%
TOTAL1057622772% Enforced

๐Ÿ”ง Top Controls โ€” Enforced (Live Automated)

AC-3 ยท NIST 800-53 / A.9.4 ยท ISO 27001
Access Enforcement
All DEFONEOS MCP tool calls require Ed25519-signed identity tokens. Role-based access control enforced at the MCP JSON-RPC layer. 47 RBAC permissions across 4 roles.
ENFORCED โ€” Automated
AU-2 ยท NIST 800-53 / A.12.4 ยท ISO 27001
Audit Events
Every MCP call, BFT vote, model inference, and human action generates a SIGIL receipt. SHA-256 hash-chained, Ed25519-signed, anchored to Bitcoin OP_RETURN every 1K receipts. 351K receipts generated to date.
ENFORCED โ€” Continuous
SC-13 ยท NIST 800-53
Cryptographic Protection
Ed25519 signatures for all SIGIL entries. AES-256-GCM for data at rest. mTLS for all service-to-service communication. NIST PQC migration roadmap: ML-DSA-65 (signing) + ML-KEM-768 (key exchange) ready for deployment.
ENFORCED โ€” Automated
SI-4 ยท NIST 800-53 / A.12.1 ยท ISO 27001
System Monitoring
Gods-Eye CISO continuous monitoring: 6 vulnerability scanners, real-time intrusion detection, Morris-II worm detection (Aegis Gate), SIGIL chain integrity verification every 5 minutes.
ENFORCED โ€” Continuous
EU AI Act Art 9
Risk Management System
STRIDE threat model with 28 mitigations. Quarterly threat review. Annual penetration test. Bi-annual red team exercise. Weekly chaos engineering. Daily CVE scan. All findings tracked in POA&M.
ENFORCED โ€” Automated
EU AI Act Art 14
Human Oversight
5-level action hierarchy. Level 3+ requires human approval. Level 4+ requires dual approval + BFT vote. Level 5 requires command authority. Kill switch (<100ms). Any 1/33 BFT node can halt any action.
ENFORCED โ€” Automated

โš ๏ธ Controls โ€” Partially Implemented

RA-5 ยท NIST 800-53
Vulnerability Scanning
6 automated scanners running (ruff, bandit, safety, pip-audit, trivy, npm-audit). Missing: continuous container image scanning at deploy time.
PARTIAL โ€” 80% implemented
ISO 27001 A.8.25
Secure Development Lifecycle
CI/CD pipeline with 10 gates, code review, testing pyramid. Missing: formal SAST/DAST integration in CI pipeline.
PARTIAL โ€” 75% implemented
UK AI Bill ยง4
Safety & Robustness Evaluation
Property-based testing (389 properties), adversarial robustness (5K inputs), chaos engineering (5 experiments). Missing: formal external evaluation (UK AISI submission pending).
PARTIAL โ€” Awaiting external evaluation

โŒ Controls โ€” Not Started (Human Gates)

Cyber Essentials ยท CEM
Cyber Essentials Certification
Mandatory for UK MOD contracting. Requires IASME application with company details, network diagram, boundary scope.
NOT STARTED โ€” ๐Ÿ”ด Human gate: Nick's company info needed
ISO 27001 ยท A.5.1
Information Security Policy (Formal)
Policy framework written but requires formal adoption by company board, management review, and signed acceptance.
NOT STARTED โ€” ๐Ÿ”ด Human gate: Board adoption
NIST 800-53 ยท CA-2
Independent Security Assessment
Internal assessment complete. Requires external assessor engagement for formal certification.
NOT STARTED โ€” ๐Ÿ”ด Human gate: External assessor contract

๐Ÿ“„ OSCAL JSON Example โ€” Component Definition

Every DEFONEOS MCP server generates an OSCAL component definition automatically:

{ "component-definition": { "metadata": { "title": "DEFONEOS Sentinel-Hub MCP Component Definition", "published": "2026-07-06T09:30:00Z", "last-modified": "2026-07-06T09:30:00Z", "version": "1.0.0", "oscal-version": "1.1.2" }, "components": [{ "uuid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", "type": "software", "title": "defoneos-sentinel-hub-mcp", "description": "ESA Sentinel satellite imagery MCP server", "control-implementations": [{ "uuid": "b2c3d4e5-f6a7-8901-bcde-f23456789012", "source": "NIST_SP800-53_rev5", "implemented-requirements": [ { "control-id": "AC-3", "description": "Ed25519-signed identity token required for all tool calls", "remarks": "Enforced at JSON-RPC layer" }, { "control-id": "AU-2", "description": "Every satellite query generates SIGIL receipt", "remarks": "SHA-256 hash-chained, Ed25519-signed" }, { "control-id": "SC-13", "description": "mTLS for all upstream API calls, AES-256-GCM cache at rest", "remarks": "PQC migration ready ML-KEM-768" } ] }] }] } }

๐Ÿ”„ Automated Compliance Pipeline

SIGIL CHAIN โ†’ LIVE SYSTEM STATE โ†“ OSCAL ASSESSMENT PLAN GENERATOR โ†“ (quarterly) ASSESSMENT RESULTS (findings, evidence) โ†“ POA&M UPDATE (13 items auto-tracked) โ†“ SSP REGENERATION (from live state) โ†“ COMPLIANCE DASHBOARD UPDATE โ†“ BFT-33 COUNCIL NOTIFICATION (if regression) โ†“ HUMAN ALERT (if P0 control fails)

This pipeline runs continuously. Any control regression triggers an immediate BFT-33 notification and human alert. The SSP is regenerated from live system state every 24 hours, ensuring the compliance posture always reflects the actual running system.

๐Ÿ“ˆ POA&M โ€” Open Items (Plan of Action & Milestones)

#ControlGapPriorityTarget DateStatus
1Cyber EssentialsCertification not startedP02026-07-20๐Ÿ”ด Human gate
2ISO 27001 A.5.1Board adoption of security policyP02026-07-15๐Ÿ”ด Human gate
3UK AISI SubmissionExternal evaluation not submittedP02026-07-13๐Ÿ”ด Human gate
4NIST 800-53 CA-2External assessor not engagedP12026-08-01๐Ÿ”ด Human gate
5NIST 800-53 RA-5Container image scanning at deployP12026-07-20๐ŸŸก Technical โ€” in progress
6ISO 27001 A.8.25SAST/DAST in CI pipelineP12026-07-25๐ŸŸก Technical โ€” in progress
7ISO 27001 A.5.30Formal incident response planP12026-07-30๐ŸŸก Draft written
8NIST PQC SI-1ML-DSA-65 deployment to prodP22026-09-01๐ŸŸก Roadmap item
9EU AI Act Art 17Post-market monitoring systemP22026-10-01๐ŸŸก Post-deployment

๐Ÿ“ OSCAL Artifacts Available

ArtifactFormatLocationAuto-updated
Catalog (147 controls)JSON + XML/oscal/defoneos-catalog.jsonโœ“ Daily
Profile (UK MOD baseline)JSON/oscal/defoneos-profile.jsonโœ“ On change
Component Definitions (30 MCPs)JSON/oscal/components/*.jsonโœ“ Per deploy
SSP (live state)JSON/oscal/defoneos-ssp.jsonโœ“ Daily
Assessment ResultsJSON/oscal/assessment-results.jsonโœ“ Quarterly
POA&MJSON/oscal/defoneos-poam.jsonโœ“ On change