# Security, Vetting and Technical Assurance Playbook

### Purpose

This GitBook explains how we design, govern, assure and operate secure services in high-assurance environments.

It covers:

* security operating model;
* Secure by Design;
* MOD and defence-aligned assurance;
* JSP 453 alignment approach;
* personnel security and vetting;
* BPSS and national security vetting dependencies;
* RBAC, ABAC and zero trust access models;
* government security classifications;
* data handling and privacy;
* cyber resilience;
* NCSC CAF and 10 Steps alignment;
* technical secure engineering standards;
* accreditation and certification readiness;
* supplier and subcontractor security;
* reusable templates and evidence packs.

### Operating Principle

Security is a delivery discipline, not a document exercise.

Every engagement must show how security is translated into requirements, design decisions, access controls, technical implementation, supplier obligations, operational monitoring, resilience arrangements and evidence.

### Core Rules

* No access without identity, business need, role mapping, attribute checks and approval.
* Clearance enables eligibility; it does not automatically authorise access.
* No sensitive data in unapproved tools, repositories or services.
* No delivery without security requirements and acceptance criteria.
* No supplier access without due diligence, contractual obligations and offboarding controls.
* No release without security evidence, risk review and rollback capability.
* No unresolved critical security risk without accountable risk acceptance.
* No defence delivery without checking the applicable MOD, customer, CSM, Def Stan, DEFCON and sponsor requirements.
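The first two rules above describe an access decision that only succeeds when every gate passes, with clearance acting as a necessary but not sufficient condition. The following is an added illustration, not code from this playbook; the clearance and classification orderings, the field names and the `decide` function are all constructed assumptions for the example:

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed orderings for illustration only; real mappings come from the
# customer's security policy, not from this snippet.
CLEARANCE_RANK = {"BPSS": 0, "SC": 1, "DV": 2}
MIN_CLEARANCE_FOR = {"OFFICIAL": "BPSS", "SECRET": "SC", "TOP SECRET": "DV"}


@dataclass
class Subject:
    user_id: str                                  # identity
    clearance: Optional[str]                      # vetting level held, if any
    roles: set = field(default_factory=set)       # RBAC: mapped roles
    attributes: dict = field(default_factory=dict)  # ABAC: e.g. nationality, site


@dataclass
class Resource:
    name: str
    classification: str
    permitted_roles: set
    required_attributes: dict


@dataclass
class AccessRequest:
    subject: Subject
    resource: Resource
    business_need: Optional[str]   # recorded justification
    approved_by: Optional[str]     # approver identity


def decide(req: AccessRequest):
    """Return (allowed, reasons). Every gate must pass; a single failure denies."""
    s, r = req.subject, req.resource
    reasons = []
    if not s.user_id:
        reasons.append("no identity")
    needed = MIN_CLEARANCE_FOR.get(r.classification)
    if needed is None or s.clearance not in CLEARANCE_RANK \
            or CLEARANCE_RANK[s.clearance] < CLEARANCE_RANK[needed]:
        reasons.append("clearance below classification")
    if not req.business_need:
        reasons.append("no business need recorded")
    if not (s.roles & r.permitted_roles):
        reasons.append("no role mapping")
    for key, value in r.required_attributes.items():
        if s.attributes.get(key) != value:
            reasons.append(f"attribute check failed: {key}")
    if not req.approved_by:
        reasons.append("no approval")
    return (not reasons, reasons)
```

Logging the `reasons` list for every denial gives the audit evidence the playbook asks for, and it makes the "clearance is not authorisation" rule visible: a DV-cleared user with no role mapping is refused on that ground, not on clearance.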

### How to Read This GitBook

Use the operating model sections first, then apply the technical and assurance sections to each delivery phase. The templates section is designed for copy-and-paste use in projects, Statements of Work and assurance packs.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```http
GET https://framework.aic.io/security-vetting-and-technical-assurance-playbook.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
