# JSP 453 Alignment Approach

### Purpose

This page defines how we align projects to JSP 453 and related MOD digital, security and assurance expectations without reproducing controlled or sponsor-provided content.

### Operating Position

JSP 453 is treated as a project-specific requirement source. The project must obtain the applicable version, chapters, extracts, instructions or policy references through the customer, MOD sponsor or authorised route.

The playbook does not assume that public references are complete. It creates a disciplined way to capture, map, implement and evidence compliance.

### Alignment Process

1. Confirm whether the engagement is MOD, defence, defence supplier, defence adjacent, or hosted in a defence environment.
2. Identify the customer security authority, MOD sponsor, accreditor, platform authority and information asset owner.
3. Request the applicable JSP 453 requirements and any related JSPs, security operating procedures or platform standards.
4. Create a JSP 453 alignment register.
5. Map each requirement to architecture, data, identity, hosting, monitoring, operations, supplier and evidence controls.
6. Identify gaps, assumptions and dependencies.
7. Raise deviations through project risk and formal customer approval.
8. Store approvals and implementation evidence in the evidence library.
9. Recheck alignment at design baseline, release, live transition and material change.

### Alignment Register Fields

| Field                   | Description                                                                                |
| ----------------------- | ------------------------------------------------------------------------------------------ |
| Requirement ID          | Customer or JSP reference. Do not expose controlled text outside approved locations.       |
| Requirement summary     | Short permitted summary.                                                                   |
| Source                  | MOD sponsor, customer schedule, JSP extract, security instruction or platform requirement. |
| Classification          | Handling caveat for the requirement and evidence.                                          |
| Control owner           | Person accountable for implementation.                                                     |
| Implementation approach | Design or operational control used to meet the requirement.                                |
| Evidence                | Document, test, architecture decision, approval or log proving implementation.             |
| Status                  | Not started, in progress, implemented, exception requested, accepted, not applicable.      |
| Residual risk           | Risk remaining after control implementation.                                               |
| Approval authority      | Customer, MOD sponsor, accreditor or internal risk owner.                                  |

### Minimum Controls

* confirm hosting model and platform authority;
* confirm data classification and handling restrictions;
* confirm identity, vetting and access requirements;
* confirm audit, monitoring and evidence requirements;
* confirm reuse, sustainability and operational support expectations;
* confirm whether CSM, Def Stan 05-138, DEFCON 658 or DCC evidence is required;
* confirm supplier and subcontractor flow-down obligations.

### Quality Gate

No design baseline, production deployment or customer acceptance should proceed until applicable JSP 453 requirements have been reviewed, mapped and either implemented or formally accepted as residual risk.


