# Scope, Source Basis and Maintenance

### Purpose

This playbook is a tailored security, vetting, cyber resilience and technical assurance operating model for high-assurance UK public sector, defence, enterprise and regulated delivery.

It is intended to sit alongside the Company Operating Manual and the Agile Delivery Playbook. It does not replace customer policy, contract terms, accreditation authority instructions, MOD sponsor instructions, legal advice or current official guidance.

### How This Playbook Is Used

* use it when shaping bids and Statements of Work;
* use it when onboarding people and suppliers;
* use it when designing secure systems and services;
* use it when preparing assurance, accreditation and customer evidence;
* use it when defining RBAC, ABAC, vetting, data handling and operational controls;
* use it when establishing cyber resilience and incident response arrangements.

### Maintenance Rule

Security policy, defence policy and cyber guidance change. This playbook should be reviewed at least quarterly and whenever a customer, MOD sponsor, accreditor, regulator or contract introduces new requirements.

### Source Basis

The public source basis used to shape this playbook includes:

* [UK Government Security - Secure by Design](https://www.security.gov.uk/policy-and-guidance/secure-by-design/)
* [UK Government Security - Implementing Secure by Design](https://www.security.gov.uk/policy-and-guidance/secure-by-design/implementation/)
* [MOD Cyber Security Model](https://www.gov.uk/guidance/cyber-security-model)
* [Defence Standard 05-138 Issue 4 - Cyber Security for Defence Suppliers](https://www.gov.uk/government/publications/cyber-security-for-defence-suppliers-def-stan-05-138-issue-4)
* [Industry Security Notice 2025/07 - Implementation of CSM v4](https://www.gov.uk/government/publications/industry-security-notices-isns)
* [Government Security Classifications Policy](https://www.gov.uk/government/publications/government-security-classifications)
* [UK Government Baseline Personnel Security Standard](https://www.gov.uk/government/publications/government-baseline-personnel-security-standard)
* [UK Security Vetting guidance](https://www.gov.uk/government/publications/united-kingdom-security-vetting-clearance-levels)
* [NCSC Cyber Assessment Framework](https://www.ncsc.gov.uk/collection/cyber-assessment-framework)
* [NCSC 10 Steps to Cyber Security](https://www.ncsc.gov.uk/collection/10-steps)
* [NCSC Identity and Access Management](https://www.ncsc.gov.uk/collection/10-steps/identity-and-access-management)
* [NCSC Logging and Monitoring](https://www.ncsc.gov.uk/collection/10-steps/logging-and-monitoring)
* [NCSC Secure Development and Deployment](https://www.ncsc.gov.uk/collection/developers-collection)
* [NCSC Cloud Security Principles](https://www.ncsc.gov.uk/collection/cloud/the-cloud-security-principles)
* [NCSC Zero Trust](https://www.ncsc.gov.uk/collection/zero-trust)
* [GOV.UK Contracting Securely](https://www.security.gov.uk/policy-and-guidance/contracting-securely/)
* [PPN 014 Cyber Essentials Scheme](https://www.gov.uk/government/publications/ppn-014-cyber-essentials-scheme)
* [MOD Joint Service Publications collection](https://www.gov.uk/government/collections/joint-service-publication-jsp)

### Controlled or Customer-Specific Content

Some requirements, including project-specific defence policy, JSP content and accreditation authority instructions, may not be public or may only be accessible through a relevant sponsor. This playbook therefore defines an alignment and evidence approach rather than reproducing controlled material.

### Interpretation Rule

Where this playbook conflicts with an executed contract, customer security schedule, project security instruction, accreditation authority decision or current official policy, the stricter or formally binding requirement must be followed and the conflict must be recorded.

---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```http
GET https://framework.aic.io/security-vetting-and-technical-assurance-playbook/scope-source-basis-and-maintenance.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
