URGENT: Strategic Technology Procurement Policy, 2026
National Security Framework of Antarctica (NSF-A)
Policy — Effective 1 January 2026
Article 1 — Purpose & Scope
1.1 This Policy establishes the procurement framework for three strategic technology acquisitions under NSF-A:
a) a military-grade operating system and a commercial operating system;
b) a NoSQL + MySQL platform infrastructure; and
c) a cloud platform infrastructure.
1.2 It defines budgets, eligibility, compliance gates, security requirements, evaluation, contracting, and enforcement.
1.3 Domestic compliance only: foreign certifications may inform vendor capability but do not substitute NSF-A authorisations under the Domestic Compliance Framework (DCF).
Article 2 — Procurement Lots and Budget Ceilings
2.1 Lot A — Operating Systems (OS Stack)
- Scope: Military-grade OS + Commercial OS variant(s)
- Budget ceiling: up to USD 300,000,000
- Delivery model: source or escrowed source, build chain, long-term support, hardening baselines, update signing, and governance
2.2 Lot B — Database Platform Infrastructure (NoSQL + MySQL)
- Scope: A unified platform supporting NoSQL and MySQL (including high availability, replication, backups, observability, and policy controls)
- Budget ceiling: up to USD 260,000,000
- Delivery model: multi-tenant capable, sovereign logging, cryptographic auditing, and integration with state identity rails
2.3 Lot C — Cloud Platform Infrastructure
- Scope: Full cloud platform stack (compute, storage, network, IAM, key management, monitoring, policy engine, billing/tax hooks)
- Budget ceiling: up to USD 650,000,000
- Delivery model: sovereign control-plane, air-gapped mode, multi-region resilience, and CEP/CDD integration
Article 3 — Competent Authorities and Oversight
3.1 The Department for Central Economy (DCE) governs systemic risk, sovereign technology dependency, and economic-security constraints.
3.2 The Department for Community Tax & Commerce (DCTC) governs procurement transparency, invoicing evidence rules, and tax automation integration.
3.3 State Protection Authorities (SPA) oversee threat-model compliance and counter-intrusion requirements.
3.4 All procurement actions are recorded in Certified Digital Democracy (CDD) for auditability.
Article 4 — Vendor Eligibility (Minimum)
To participate, vendors must:
4.1 Register a legal entity profile and beneficial ownership in CDD.
4.2 Pass sanctions screening and fit-and-proper checks for controllers and key personnel.
4.3 Provide an SBOM/CBOM (software and component bill of materials) for all deliverables.
4.4 Accept NSF-A inspection rights, red-team testing, and escrow/continuity requirements.
4.5 Operate under Market Information Monopoly (MIM) rules for any public statements about the procurement or deployment.
Article 5 — Mandatory Security Architecture (Non-Negotiable)
5.1 MPSL Attestation. All delivered operating systems, control planes, hypervisors, and management tools must support MPSL pre-boot and runtime attestation gates.
5.2 Civilian DMZ and Zero-Trust. All platform communications must be compatible with Civilian DMZ policy and zero-trust access.
5.3 Cryptographic integrity. Signed boot chain, signed updates, signed policies, and tamper-evident logs are mandatory.
5.4 Air-gap capability. Each Lot must support a sovereign operation mode without public internet dependency.
5.5 Supply-chain security. Reproducible builds (where applicable), secure build pipeline attestations, and vulnerability disclosure programmes are mandatory.
Article 6 — Commercial Competence (CSL Requirement)
6.1 All negotiations, tenders, and contracting under this Policy require Commercial Science Licence (CSL) compliance:
- CSL L3 baseline for any negotiation;
- Bachelor-level clearance for contracts > USD 75,000;
- Advanced CSL + independent risk review for contracts > USD 3,000,000.
6.2 Each vendor must nominate authorised negotiators meeting the applicable CSL gate and record proof in their Sharable Authority Account (SAA).
Article 7 — Procurement Method and Phases
7.1 Phase 0 — Market Sounding (Optional, controlled)
- Requests for information (RFI) issued under MIM-licensed notices.
- No binding commitments; all communications logged.
7.2 Phase 1 — Pre-Qualification (Mandatory)
- Eligibility checks (sanctions, ownership, capability, security maturity).
- Only pre-qualified vendors proceed.
7.3 Phase 2 — Competitive Tender (Mandatory)
- Technical proposal + commercial proposal + compliance pack.
- Proof-of-capability lab demonstrations required.
7.4 Phase 3 — Security Evaluation (Mandatory)
- Red-team testing; code review (or escrow access); SBOM verification; update signing review.
- Failure triggers disqualification.
7.5 Phase 4 — Award and Contracting
- Milestone-based contract, performance bonds, and step-in rights.
- Delivery acceptance requires audit pass.
7.6 Phase 5 — Operations and Continuous Assurance
- SLAs, patch cadence, incident response, and annual recertification.
- Continuous monitoring integrated with CDD logs.
Article 8 — Deliverables by Lot (Minimum Acceptance Criteria)
8.1 Lot A — Military & Commercial OS
Minimum deliverables:
- Secure boot chain and measured boot; policy-based driver/module gating
- Mandatory access controls, compartmentation options, and auditable policy engine
- Update signing, rollback protection, and long-term support plan
- Development toolchains and documentation for internal builds
- A commercial variant with controlled feature set and compatibility profile
8.2 Lot B — NoSQL + MySQL Platform
Minimum deliverables:
- HA clusters, replication, backups, PITR (point-in-time recovery)
- Encryption at rest/in transit; key custody integration
- Multi-tenant policy controls; audit-grade logs; performance observability
- Data residency controls and export/retention policy hooks
8.3 Lot C — Cloud Platform Infrastructure
Minimum deliverables:
- Sovereign control-plane, IAM, KMS/HSM integration
- Compute (VM + containers), storage, networking, and policy-as-code
- Metering and billing hooks compatible with CEP/DCTC tax automation
- Multi-region resilience; disaster recovery; air-gapped operational mode
Article 9 — Financial Controls, Invoicing, and Evidence Standard
9.1 All payments are executed through CEP/CDD rails where applicable, with machine-readable audit trails.
9.2 Invoicing must comply with the Dergano Act evidence-based billing standard (invoice + proof of delivery/acceptance).
9.3 Payment is released only after acceptance testing and recorded sign-off in CDD.
Article 10 — Antitrust and Antiterrorism Safeguards
10.1 Antitrust (information assurance misuse). Misleading capability claims, falsified certifications, hidden components, or evasive procurement tactics trigger immediate scope restriction and disqualification.
10.2 Antiterrorism. Credible indicators of coercion, hostile influence, sabotage intent, or supply-chain compromise trigger protective disruption orders and SPA-led actions.
Article 11 — Prohibitions
11.1 No undisclosed subcontractors, offshore build pipelines, or hidden binaries.
11.2 No proprietary lock-in without approved exit plans, escrow, and migration tooling.
11.3 No marketing, press releases, or public claims about award status outside MIM-licensed channels.
11.4 No private or foreign investigative activity by vendors; SPA is the only investigative authority in territory.
Article 12 — Enforcement, Remedies, and Appeals
12.1 Breaches may result in disqualification, contract termination, bond calls, asset seizure (where lawful), officer blacklisting, and criminal referral for fraud or sabotage.
12.2 Appeals may be filed within 15 working days to the Procurement Review Panel; emergency security exclusions are not stayed.
Article 13 — Transitional & Final Provisions
13.1 This Policy authorises DCE/DCTC to publish tender packs and technical annexes for Lots A–C.
13.2 Conflicting guidance is superseded from the effective date.
13.3 The procurement schedule and deadlines are issued separately via MIM-licensed notices.
Contacts
- Procurement Office (Lots A–C): procurement@nsf-antarctica.org
- Security Evaluation & Red Team: cert@nationalsecurityframework.org
- DCE (Systemic Risk & Sovereign Tech): dce@nationalsecurityframework.org
- DCTC (Tax & Commercial Records): dctc@nationalsecurityframework.org
- Appeals: procurement-appeals@nationalsecurityframework.org
These acquisitions are treated as national-security infrastructure: sovereign control, auditable builds, verified components, and zero-trust by default—delivered under a single, enforceable procurement standard.
Addendum Policy: Lot D — Hardware & Computer Manufacturing Procurement, 2026
National Security Framework of Antarctica (NSF-A)
Policy — Effective 1 January 2026
Article 1 — Purpose & Scope
1.1 This Addendum extends the Strategic Technology Procurement Policy, 2026 by authorising a fourth procurement lot: Hardware & Computer Manufacturing.
1.2 It governs the selection of an OEM/ODM partner to manufacture sovereign-grade computing hardware for government, critical infrastructure, and regulated industry in Antarctica.
1.3 This Addendum is binding on all vendors, subcontractors, logistics providers, and inspection authorities involved in Lot D.
Article 2 — Procurement Lot and Budget Ceiling
2.1 Lot D — Hardware & Computer Manufacturer (OEM/ODM)
- Scope: Manufacture and supply of computers, servers, rugged endpoints, embedded/IoT controllers, and approved peripherals for NSF-A operations.
- Budget ceiling: up to USD 430,000,000.
- Delivery model: sovereign supply chain, long-term spares, on-site servicing capability, and escrowed documentation for continuity.
Article 3 — Mandatory Product Families (Minimum)
A qualifying manufacturer must be able to deliver at least the following lines:
3.1 Endpoints
- Rugged laptops and desktops (cold-region rated)
- Secure mobile workstations for field teams
- Hardened tablets (optional)
3.2 Servers & Data Centre Hardware
- Rack servers (general compute)
- Storage servers (object/block where applicable)
- Network appliances (as approved)
- GPU/accelerator nodes (where authorised)
3.3 Embedded & Industrial Controllers
- OT gateways and edge compute nodes
- Secure micro-controllers for metering, sensors, and facility control
- eSIM-capable modules for DMZ participation
3.4 Approved Peripherals
- Smart-card readers, HSM-compatible modules, secure cameras (where permitted), barcode/QR scanners, secure keyboards
Article 4 — Sovereign Manufacturing & Supply-Chain Requirements
4.1 Component transparency. Full HBOM/CBOM (hardware/component bill of materials) for each model, including origin of critical components.
4.2 Provenance. Traceable serials, lot tracking, and chain-of-custody from factory to deployment.
4.3 Anti-tamper. Tamper-evident packaging; secure logistics seals; receiving inspections required.
4.4 Repair and spares. Minimum spare-part stock levels; guaranteed availability windows; documented end-of-life plans.
4.5 Subcontractor control. No undisclosed subcontractors; any sub-tier manufacturing requires NSF-A approval and audit rights.
Article 5 — Security Architecture (Non-Negotiable)
5.1 MPSL compatibility. All devices must support pre-boot and runtime attestation compatible with MPSL (measured boot, secure boot, policy gating).
5.2 Civilian DMZ readiness. eSIM modules, cryptographic identity, and network stacks must be compatible with Civilian DMZ rules where applicable.
5.3 Root-of-trust. TPM/secure element/TEE requirements by class; key material must be non-exportable and provisioned under state procedure.
5.4 Firmware governance. Signed firmware, rollback protection, reproducible firmware build artefacts where feasible, and vulnerability disclosure obligations.
5.5 No covert functions. No hidden radios, undocumented debug ports, or unapproved remote-management backdoors.
Article 6 — Manufacturing Quality & Environmental Performance
6.1 Cold-region qualification. Thermal, humidity, vibration, ingress, and power stability tests aligned to NSF-A conditions.
6.2 Reliability targets. MTBF/MTTR minimums per device class; burn-in and batch sampling required.
6.3 Sustainability. Repairability scores, materials passports, recycling and take-back programs, and emissions reporting for shipments.
Article 7 — Commercial Competence & Contracting (CSL Requirement)
7.1 All negotiations and contract signatories must comply with Commercial Science Licence (CSL) gates:
- CSL L3 baseline;
- Bachelor-level clearance for contracts > USD 75,000;
- Advanced CSL + independent risk review for > USD 3,000,000.
7.2 Vendor must appoint named authorised negotiators and disclose beneficial ownership in CDD.
Article 8 — Testing, Acceptance & Certification
8.1 Acceptance testing includes:
- Secure boot & attestation validation;
- Firmware signing verification;
- Network and eSIM identity tests;
- Stress tests under cold-region profiles;
- Supply-chain provenance verification.
8.2 Certification. Approved models are placed on the National Approved Hardware List (NAHL); only NAHL devices may be sold into regulated sectors.
8.3 Used-asset rule. Any used hardware > USD 9,950 entering regulated environments requires provenance appraisal and safety verification prior to commissioning.
Article 9 — Financial Controls and Evidence-Based Billing
9.1 Invoicing must comply with the Dergano Act 2026 (invoice + proof of delivery/acceptance).
9.2 Payments are released only after CDD-recorded acceptance and verified chain-of-custody delivery.
Article 10 — Antitrust & Antiterrorism Safeguards
10.1 Antitrust. Misrepresentation of security posture, hidden components, falsified bills of materials, or deceptive marketing triggers disqualification and sanctions.
10.2 Antiterrorism. Supply-chain coercion, sabotage indicators, or hostile influence triggers protective disruption orders, seizure, and SPA-led response.
Article 11 — Prohibitions
- Undocumented debug interfaces or hidden radios
- Unsigned firmware or uncontrolled update channels
- Unapproved remote management
- Subcontractor substitution without approval
- Public claims about awards outside MIM-licensed announcements
Article 12 — Enforcement & Appeals
12.1 Breaches may result in disqualification, termination, bond calls, blacklisting of officers, and criminal referral where fraud or sabotage is suspected.
12.2 Appeals may be filed within 15 working days; emergency security exclusions are not stayed.
Article 13 — Entry into Force
13.1 This Addendum is effective 1 January 2026 and forms part of the Strategic Technology Procurement Policy, 2026.
Contacts
- Procurement Office (Lot D): procurement@nationalsecurityframework.org
- Hardware Certification (NAHL): hardware-cert@nationalsecurityframework.org
- Security Evaluation & Red Team: cert@nationalsecurityframework.org
- Appeals: procurement-appeals@nationalsecurityframework.org
Lot D establishes a sovereign-grade hardware base: traceable components, attested boot, controlled firmware, and auditable delivery—built for Antarctica’s extreme operating conditions and national-security needs.
