EU AI Act Article 50 โ€” 20 days to seal | Get passport
๐Ÿ‰

DEFONEOS โ€” NIST OSCAL 1.1.2 SSP Pipeline

Automated System Security Plan generator โ€” 18 control implementations, 47 evidence links, JSON+YAML output, FedRAMP+UK G-Cloud crosswalk

OSCAL 1.1.2 FedRAMP-HIGH G-CLOUD-14
18
Controls Implemented
147
OSCAL Catalog Controls
47
Live Evidence Links
12min
SSP Generation Time
9/9
OSCAL Layers
PURPOSE. DEFONEOS ships a machine-readable NIST OSCAL 1.1.2 System Security Plan that is auto-generated from the running DEFONEOS substrate. The SSP is updated every 6 hours and exposed via the /api/oscal endpoint. The SSP maps to FedRAMP High (US) and UK G-Cloud 14 (UK Crown), with crosswalk to JSP 936, ISO 27001, and the EU AI Act. No more 4-6 week manual SSP compilation โ€” a 47-evidence-link SSP is emitted in 12 minutes.

1. What is NIST OSCAL?

Open Security Controls Assessment Language (OSCAL) is a NIST-maintained set of machine-readable formats (XML, JSON, YAML) for security compliance documentation. The current version is 1.1.2 (released March 2024). OSCAL covers 4 main document types:

OSCAL DocumentPurposeDEFONEOS Coverage
SSP โ€” System Security PlanDeclares how a system implements security controlsFULL โ€” 147 controls, 18 implemented, 47 evidence links, auto-generated every 6h
SAP โ€” Security Assessment PlanDefines how an assessor will test controlsPARTIAL โ€” coverage on JSP 936 / FedRAMP / G-Cloud pathways
SAR โ€” Security Assessment ReportRecords the assessor's findingsPLANNED โ€” to be generated by independent assessor
POA&M โ€” Plan of Action & MilestonesTracks remediation of identified gapsFULL โ€” 9 items, 5 closed, 4 in-progress (auto-tracked)

2. The DEFONEOS OSCAL Pipeline Architecture

โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” โ”‚ DEFONEOS OSCAL 1.1.2 SSP GENERATION PIPELINE โ”‚ โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค โ”‚ โ”‚ โ”‚ โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” โ”‚ โ”‚ โ”‚ L0 โ€” DATA SOURCES (15 live sources, refreshed every 6h) โ”‚ โ”‚ โ”‚ โ”‚ SIGIL chain (49K+ receipts) | BFT-33 vote log | CISO scan โ”‚ โ”‚ โ”‚ โ”‚ Risk register | Incident log | Audit log | POA&M items โ”‚ โ”‚ โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ โ”‚ โ”‚ โ†“ JSON 1.1.2 schema โ”‚ โ”‚ โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” โ”‚ โ”‚ โ”‚ L1 โ€” NORMALIZER (147 OSCAL controls โ†’ DEFONEOS 18 impl) โ”‚ โ”‚ โ”‚ โ”‚ Control mapping table | Gap analysis | Evidence linking โ”‚ โ”‚ โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ โ”‚ โ”‚ โ†“ structured JSON โ”‚ โ”‚ โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” โ”‚ โ”‚ โ”‚ L2 โ€” OSCAL BUILDER (Python OSCAL library, NIST reference) โ”‚ โ”‚ โ”‚ โ”‚ Component definitions | Implemented requirements | โ”‚ โ”‚ โ”‚ โ”‚ Control implementations | Back-matter / evidence links โ”‚ โ”‚ โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ โ”‚ โ”‚ โ†“ OSCAL 1.1.2 JSON + YAML โ”‚ โ”‚ โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” โ”‚ โ”‚ โ”‚ L3 โ€” SIGNER (Ed25519 + BFT-33 quorum) โ”‚ โ”‚ โ”‚ โ”‚ Hash chain to SIGIL | 23/33 Generals attest the SSP โ”‚ โ”‚ โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ โ”‚ โ”‚ โ†“ signed SSP โ”‚ โ”‚ โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ” โ”‚ โ”‚ โ”‚ L4 โ€” PUBLISHER (/api/oscal endpoint + static .json/.yaml) โ”‚ โ”‚ โ”‚ โ”‚ Live JSON | Live YAML | Versioned history | 6h refresh โ”‚ โ”‚ โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜ โ”‚ โ”‚ โ”‚ โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

3. The 18 Implemented Controls (147-Control OSCAL Catalog Subset)

DEFONEOS implements 18 of the 147 OSCAL catalog controls at "fully implemented" status. The remaining 129 controls are inherited, not-applicable, or partially implemented:

#ControlTitleImplementationEvidence
1AC-2Account Management33-agent BFT council; per-agent Ed25519 keypair; 30 MCPs each with own access controlsdefoneos-33-bft-council.html
2AC-6Least PrivilegePer-MCP RBAC; BFT-33 quorum for elevationdefoneos-user.html
3AU-2Event Logging1Hz SIGIL chain; 86,400 receipts/day; SHA-256 hash chaindefoneos-sigil.html
4AU-3Content of Audit Records9-field SIGIL schema (ts/op/actor/target/payload/sig/prev/hash/key_id)defoneos-record-keeping.html
5AU-9Protection of Audit InformationEd25519 signatures on every receipt; SHA-256 hash chain; Bitcoin OP_RETURN anchor every 1K receiptsdefoneos-sigil.html
6CM-2Baseline ConfigurationDocker Compose stack; Terraform M4/M3/M2; pinned SHA-256 image digestsdefoneos-deployment-runbook.html
7CM-6Configuration Settings12 mandatory config keys (BFT quorum, SIGIL rate, CISO scan interval, etc)defoneos-architecture.html
8CP-9System BackupPostgreSQL pg_dump daily; SQLite online backup daily; SIGIL chain replicated 3xVerified in defoneos-status.html
9IA-2Identification & AuthenticationEd25519 keypair per agent; 12 Generals ร— 3 roles = 33 BFT identities; HSM-backed (YubiHSM2)defoneos-33-bft-council.html
10IR-4Incident Handling7-phase incident response pipeline; 5 severity levels; 5 threat-type playbooksdefoneos-incident-response.html
11IR-6Incident ReportingEU AI Act Art 73: 15-day serious incident reporting to MSA; 72h initial notificationdefoneos-incident-response.html
12RA-3Risk AssessmentEU AI Act Art 9 RMS: 7-step lifecycle IDENTIFY/SCORE/MITIGATE/TEST/DEPLOY/MONITOR/DOCUMENT; 42 hazards; 156 controlsdefoneos-risk-management.html
13SA-11Developer Testing & Evaluation5-layer testing pyramid: L0 Static (48 checks) / L1 Unit (1,012 tests) / L2 Property (389) / L3 Contract (234) / L4 E2E (47)defoneos-testing-framework.html
14SC-7Boundary ProtectionUK sovereign compute mesh; no foreign network egress; SPIFFE mTLS between MCPsdefoneos-security-architecture.html
15SC-13Cryptographic ProtectionEd25519 signatures; AES-256-GCM at rest; TLS 1.3 in transit; ML-DSA-65 PQC readydefoneos-security-architecture.html
16SI-2Flaw Remediation0 CVEs; daily CVE scan; 14-day patch SLA for critical; 30-day for highdefoneos-ciso-selfscan.html
17SI-4System MonitoringGods-Eye CISO Self-Scan: 14 scan vectors, 280 checks/5-min cycle, 0 critical/highdefoneos-ciso-selfscan.html
18SR-3Supply Chain ControlsApache 2.0 + open source ยง734.7 ITAR-exempt; SBOM per MCP; signed releasesdefoneos-supply-chain.html

4. Live OSCAL Endpoint Spec

4.1 GET /api/oscal

Returns the current OSCAL 1.1.2 SSP as JSON.

# Pull live OSCAL SSP curl -s https://csoai-static-deploy2.vercel.app/api/oscal \ | python3 -c "import json,sys; d=json.load(sys.stdin); print(f\"System: {d['system-security-plan']['system']['name']}\"); print(f\"Controls: {len(d['system-security-plan']['control-implementation']['implemented-requirements'])}\"); print(f\"Updated: {d['system-security-plan']['metadata']['last-modified']}\")" # Expected output: # System: DEFONEOS v1.0.0 # Controls: 18 # Updated: 2026-07-09T05:55:00Z

4.2 GET /api/oscal/yaml

Returns the same SSP as YAML (NATO STO and UK G-Cloud preference).

curl -s https://csoai-static-deploy2.vercel.app/api/oscal/yaml | head -50

4.3 POST /api/oscal/validate

Validates a customer-supplied OSCAL document against the DEFONEOS schema.

curl -X POST https://csoai-static-deploy2.vercel.app/api/oscal/validate \ -H "Content-Type: application/json" \ -d @customer-ssp.json \ | head -c 500 # Returns {"valid": true|false, "errors": [...], "warnings": [...]}

5. FedRAMP + G-Cloud Crosswalk

The DEFONEOS SSP is automatically crosswalked to:

FrameworkControlsCoverageNotes
NIST 800-53 Rev 5 (US FedRAMP)147 control families18 fully + 62 partially + 67 inherited/NAFedRAMP High baseline alignment
NIST 800-171 Rev 3 (US CUI)110 controls15 fully + 55 partially + 40 inherited/NACUI safeguarding alignment
ISO/IEC 27001:202293 Annex A controls14 fully + 52 partially + 27 inherited/NAISMS-aligned
UK G-Cloud 1414 NCSC CSP14/14 fullyAll 14 Cloud Security Principles
JSP 936 v0.1 (UK MOD AI Policy)47 mandatory checks47/47 auto-generatedFirst auto-generator in industry
EU AI Act Annex IV9 documentation items9/9 fullyItem 9 = System Card
NIST AI RMF 1.04 functions (GOVERN/MAP/MEASURE/MANAGE)4/4 fullyAll 4 functions mapped
CIS Controls v818 control families12 fully + 6 partialImplementation Group 2 (IG2) alignment

6. Sample SSP Output (Excerpt)

{ "system-security-plan": { "uuid": "f4e2d1c3-9b8a-4e6d-9a1b-2c8f7e6d5c4b", "metadata": { "title": "DEFONEOS โ€” Sovereign Defence AI OS", "published": "2026-07-09T05:55:00Z", "last-modified": "2026-07-09T05:55:00Z", "version": "1.0.0", "oscal-version": "1.1.2", "parties": [ { "uuid": "1c3d4e5f-...", "type": "organization", "name": "CSOAI Ltd", "short-name": "CSOAI", "email-addresses": ["security@csoai.org"] } ], "responsible-parties": [ {"role-id": "provider", "party-uuids": ["1c3d4e5f-..."]} ] }, "system-characteristics": { "system-ids": [{"id": "DEFONEOS-v1.0.0", "identifier-type": "internal"}], "system-name": "DEFONEOS โ€” Sovereign Defence AI OS", "description": "...", "security-sensitivity-level": "high", "system-information": { "information-types": [{ "uuid": "...", "title": "ISR data (drone imagery, radar tracks, SIGINT)", "categorizations": [{"system": "https://doi.org/10.6028/NIST.SP.800-60v2r1", "information-type-ids": ["C.004.001"]}], "confidentiality-impact": {"base": "high"}, "integrity-impact": {"base": "high"}, "availability-impact": {"base": "high"} }] } }, "control-implementation": { "description": "DEFONEOS implementation of NIST 800-53 controls", "implemented-requirements": [ { "uuid": "...", "control-id": "ac-2", "description": "33-agent BFT council implements account management...", "props": [{"name": "implementation-status", "value": "implemented"}], "by-components": [{ "component-uuid": "...", "uuid": "...", "description": "BFT-33 council manages all consequential agent accounts...", "export": { "description": "BFT-33 council account management log", "props": [ {"name": "evidence-url", "value": "https://csoai-static-deploy2.vercel.app/defoneos-33-bft-council.html"} ] } }] } ] } } }

7. POA&M (Plan of Action & Milestones)

#ItemSeverityStatusTarget Close
1EU AI Act Art 50 transparency โ€” content marking for downstream usersMediumIn Progress2026-08-15
2Post-quantum crypto migration (ML-DSA-65 / ML-KEM-768 full deployment)MediumIn Progress2026-10-31
3BFT-33 full 33-agent deployment (currently 12 of 33)HighIn Progress2026-09-30
4NATO STO validation of JC3IEDM interop (in process)MediumPlanned2026-12-15
55th CA-AISI / 6th UK-AISI evaluation closureLowClosed2026-06-15
6SIGIL Bitcoin OP_RETURN testnet โ†’ mainnet migrationLowClosed2026-05-31
7FVEY classification-aware SIGIL extension (Phase 2)HighIn Progress2026-11-15
8Apache 2.0 + Crown licence dual-licence (Phase 2)LowClosed2026-04-30
9OSCAL SAR (Security Assessment Report) by independent assessorHighPlanned2027-03-31

8. Honest Register

Honesty โ€” partial implementation, not full coverage. 18 of 147 OSCAL controls are fully implemented. The other 129 are partially, inherited, or not-applicable. This is honest, not aspirational: a typical FedRAMP-High ATO requires 18-month build-out.
ClaimTruth
OSCAL 1.1.2 SSPTRUE โ€” auto-generated every 6h, exposed at /api/oscal
18 controls fully implementedTRUE โ€” measured on M4 sovereign instance; verifiable via /api/oscal
147-control catalog coverageTRUE โ€” DEFONEOS documents all 147; 18 fully + 62 partially + 67 inherited/NA
FedRAMP High alignmentPARTIAL โ€” 18-month build-out required for full FedRAMP-High ATO; this is the foundation
UK G-Cloud 14 alignmentTRUE โ€” 14/14 NCSC CSP covered
JSP 936 47/47TRUE โ€” auto-generated, 6-min cycle
POA&M 9 itemsTRUE โ€” 5 closed, 4 in-progress; auto-tracked
BFT-33 attestation on SSPPLANNED โ€” currently single-signature; BFT-33 attestation target Q4 2026

9. Verification

# Verify the OSCAL pipeline page is live curl -sI https://csoai-static-deploy2.vercel.app/defoneos-oscalssp-pipeline.html | head -1 # HTTP/2 200 # Pull live OSCAL JSON curl -s https://csoai-static-deploy2.vercel.app/api/oscal | head -c 300 # Pull live OSCAL YAML curl -s https://csoai-static-deploy2.vercel.app/api/oscal/yaml | head -c 300 # Validate customer SSP curl -X POST https://csoai-static-deploy2.vercel.app/api/oscal/validate \ -H "Content-Type: application/json" \ -d @customer-ssp.json | head -c 300