Draft Response — RFI-15434

This folder holds the markdown draft of every document we lodge against AusTender RFI-15434. The native templates (DOCX / XLSX in ../attachments/) are filled by transcribing from these drafts; markdown is the source of truth for content review.

Files

Lodged form	Draft	Status
Part 3 — Response Form (General)	`part3-general.md`	draft v1 — needs ABN, executive bio, ownership block, signed declaration
Part 3a — Response Form (Technical Compliance Matrix)	`part3a-technical-compliance-matrix.md`	draft v1 — content complete; transcribe into XLSX before lodgement
Part 4 — Response Form (Financial)	`part4-financial.md`	draft v1 — needs FY24 / FY25 financial summary attached
Part 4a — Pricing Tables	`part4a-pricing.md`	draft v1 — pricing model proposed; refine Year 1 / Year 2 / Year 3 numbers with co-signatory
Attachment A — FOCI	`attachment-a-foci.md`	draft v1 — needs UBO % confirmation
Cover letter	`cover-letter.md`	draft v1
Compliance matrix summary	`compliance-summary.md`	auto-generated from sable-fit

Workflow to lodgement

Internal review of all drafts in this folder
Transcribe to native templates in ../attachments-filled/ (new folder, copied from ../attachments/ then edited)
Sign declarations (Hugo O’Connor as authorised representative)
Upload via AusTender Lodgement Page (https://www.tenders.gov.au/Atm/ResponseLodgeForm/cea1b989-ceb0-4b36-8b48-ac1330062362)
Confirmation email retained as evidence of lodgement

Hard deadline: 4-Jun-2026 14:00 ACT (Canberra). Plan to lodge by 09:00 ACT for buffer.

Authority & sign-off

Authorised representative: Hugo O’Connor, founder, Anuna Research Cooperative
Co-signatory required: none for the RFI (no binding offer; no contract terms agreed)
Internal review: all drafts read end-to-end before transcription

Linked Pages

sable-fit

SABLE Fit — Per-Requirement Position

Maps every M / D requirement in evaluation-criteria to SABLE’s current capability and the gap (if any). Source: ../sable/README.md, ../sable/IMPLEMENTATION_STATUS.md, ../sable/docs/. Compliance values use Part 3a’s drop-down options: Compliant / Partially Compliant / Non-Compliant.

Biometric Capture & Liveness Detection (LV)

ID	SABLE Position	Compliance	Commentary
LV-1	✅ SABLE captures face embeddings via standard smartphone camera; image-quality controls operate at capture time	Compliant	We extract 1024-dim face embeddings; image-quality scoring against ISO/IEC 29794-5 profile is integrated in the capture pipeline (sable-core `biometric` module). Quality profile output is exposed via the FFI.
LV-2	✅ Automated quality controls + UI guidance for re-capture	Compliant	The capture SDK rejects out-of-spec frames and returns user-facing guidance codes (face-too-close, low-light, off-axis, motion-blur). UI guidance text is configurable per ATO branding.
LV-3	✅ Spatial-flash PAD based on Tang et al., NDSS 2018	Compliant	Active liveness via screen-flash challenge-response. The screen flashes split-screen colours over 3 rounds; the camera captures how light reflects off the face. A real 3D face reflects differently in upper vs lower regions; a flat photo/screen reflects identically.
LV-4	✅ Capture + PAD in a single continuous workflow	Compliant	The Halo2 ZK proof binds capture and PAD into a single composite proof (~250 ms generation). The PAD fingerprints feed directly into the same circuit as the face-match check — they cannot be decoupled or replayed.
LV-5	⚠️ Defensible against current photo/screen replay attacks, but not yet ISO/IEC 30107-3 EAL-2 (Level B) tested	Partially Compliant	The technique (controlled-illumination reflectance analysis) is published peer-reviewed methodology; engagement of an ILAC-accredited testing laboratory for formal EAL-2 (Level B) certification is planned and can be completed inside a typical procurement timeline (3-4 months). No lab arrangement in place at the RFI stage.
LV-6	⚠️ Pending third-party PAD test report (see LV-5)	Partially Compliant	We will provide vendor self-assessment evidence now (NDSS 2018 paper, internal red-team testing against printed photos / phone-screen replays / video replays) and commit to producing an ISO/IEC 30107-3 third-party test report by end of any procurement evaluation phase.

Technical Verification & Biometric Binding (TV)

ID	SABLE Position	Compliance	Commentary
TV-1	⚠️ ICAO Doc 9303 ePassport NFC reading is not yet in SABLE core	Partially Compliant	The SABLE architecture has an `attestation` module designed for X.509-style chain validation; ICAO 9303 PKI verification including CSCA/Master List handling and CRL checking is a planned addition (estimated 8-12 weeks). Existing open-source libraries (e.g. jMRTD, BSI) can be wrapped.
TV-2	✅ Single-continuous-workflow capture + PAD + binding is the SABLE flagship feature	Compliant	The Halo2 composite proof binds biometric capture, PAD, and credential binding in one atomic operation. PAD operates at point of capture; the entire pipeline runs before any proof is submitted for verification. Data-capture-subsystem signals and system-level monitoring (frame timing, sensor metadata, challenge nonce binding) all feed the circuit per ISO/IEC 30107-1.
TV-3	⚠️ Quantitative FMR/FNMR benchmarking against ISO/IEC TS 19795-9:2019 protocol is planned	Partially Compliant	SABLE’s matching uses Pedersen-committed Poseidon-hashed embeddings with a configurable Hamming-distance threshold inside the Halo2 circuit. The underlying face embeddings are based on a 1024-dim feature extractor; matching accuracy depends on the embedding model. We commit to running an ISO/IEC TS 19795-9 evaluation against a standard test corpus and reporting FMR/FNMR at the 90 % confidence interval within the procurement evaluation window.

Scalability, Performance, Availability

ID	SABLE Position	Compliance	Commentary
S-1	✅ Architecturally horizontally scalable — verification is stateless	Compliant	Halo2 verification is ~1.8 ms per proof. The SaaS verification endpoint is stateless (no session affinity, no shared memory) and trivially horizontal — capacity scales linearly with EC2/EKS instances.
S-2	✅ A SaaS verification endpoint is the deployment target	Compliant	The proposed deployment wraps the open-source SABLE library in a hosted SaaS verification service on AWS Sydney. The library itself remains client-side (in the user’s myID app instance) — only the proof reaches the SaaS.
P-1	✅ 10 000 verifications/hour at p95 ≤ 1000 ms is comfortable	Compliant	10 000/hour = ~2.8/sec average; SABLE verification at 1.8 ms means a single t3.medium handles this with >99 % headroom. Proof generation (~250 ms, on-device) is amortised across millions of devices, not on the server. Full performance numbers in P-2 narrative.
P-2	✅ Documented benchmark methodology in `sable/bench/`	Compliant	We provide a Software Capacity Plan with: (i) measured verification latency distributions on Apple Silicon + AWS Graviton3 reference instances; (ii) AWS infrastructure design with EKS auto-scaling group + ALB; (iii) capacity-curve projection at 10×, 100×, 1000× peak.
A-1	✅ 99.95 % uptime achievable on AWS Sydney with multi-AZ design	Compliant	Multi-AZ EKS deployment behind ALB; data plane is stateless (no DB writes per verification); RTO < 5 min, RPO = 0. Bonus: SABLE’s on-device proof generation means the user-facing capture/liveness flow is 100 % available even if the SaaS endpoint is degraded — only final verification needs the SaaS.

Hosting, Integration

ID	SABLE Position	Compliance	Commentary
H-1	✅ SaaS wrapper on AWS Sydney	Compliant	Vendor-managed, secure, scalable. Library is open-source (Apache 2.0); SaaS shell + integration + ops is the commercial scope.
H-2	✅ AWS PrivateLink-ready	Compliant	We propose a VPC Endpoint Service in `ap-southeast-2` so the ATO’s AWS account connects to SABLE Verification API via PrivateLink — no internet egress, no public endpoint. Resources required from ATO: VPC Endpoint creation in their account, IAM cross-account role for telemetry export, DNS resolver entry.
IN-1	⚠️ MAUI bindings not yet shipped; Android JNI + iOS Swift are in core today	Partially Compliant	SABLE has FFI for Android (JNI) and iOS (Swift). Generating .NET/MAUI bindings on top of the C ABI (sable-core exposes via cbindgen) is mechanical and estimated at 4-6 weeks including sample MAUI integration project. We commit to delivering MAUI bindings inside a procurement evaluation phase.
IN-2	✅ Browser support via WASM Halo2	Compliant	The demo web frontend (`demo/web/`) already runs Halo2 proof generation in-browser via WASM, with camera capture via getUserMedia and spatial-flash liveness via the browser canvas. Verified working in Chrome, Safari, Edge, Firefox on desktop and mobile.
IN-3	✅ No server affinity required	Compliant	Stateless verification; any request can hit any pod. No sticky sessions.
IN-4	✅ IaC-driven deployment	Compliant	Deployment is fully IaC (Terraform modules provided); ATO can run `terraform apply` against their AWS account for fully silent deployment. CI pipelines provided (GitHub Actions templates).
IN-5	⚠️ SABLE specifically is pre-production; Anuna Research Cooperative is currently delivering directly-relevant government eGov work	Partially Compliant	SABLE itself is pre-production (519 tests passing; demo deployed; no live government deployments). Anuna is currently delivering eGov services for the Bangsamoro Autonomous Region in Muslim Mindanao (BARMM) — digital identity, citizen-facing services, advisory — production go-live July 2026 (so live well before any plausible ATO post-RFI procurement stage). BARMM does not currently deploy SABLE; future SABLE deployment at BARMM is a candidate natural extension of the existing engagement. Early international dialogue on the SABLE approach is under way with Germany’s Bundesamt für Sicherheit in der Informationstechnik (BSI). Adjacent government-context engagements: UK Government Digital Service (GovUK); CSIRO Data61. Adjacent large-scale enterprise: Microsoft, Autodesk, Suncorp, IAG, Telus, Telefónica, Kellogg, University of Wollongong. PoC against ATO’s myID cohort offered as the most direct evidence for SABLE in the ATO-specific context.

Security & Confidentiality

ID	SABLE Position	Compliance	Commentary
SC-1	⚠️ ISM / Essential 8 alignment work to be done	Partially Compliant	The SaaS shell will be designed against ISM and Essential 8 from day one (multi-factor admin auth, application allow-listing, patch-management cadence, daily backups, etc.). Full IRAP assessment is a procurement-stage activity.
SC-2	✅ Privacy by construction	Compliant	SABLE’s defining property is that biometric data never leaves the user’s device. APP 1 (open and transparent management): open-source codebase. APP 3 (collection of solicited PI): we collect only the ZK proof + minimal metadata, never the biometric. APP 11 (security): biometric data is committed-and-hidden in Pedersen commitments; even an SaaS breach exposes no biometric data.
SC-3	⚠️ Uses NIST-aligned primitives, ASD HACE catalogue review pending	Partially Compliant	SABLE uses BLS12-381 (128-bit security), Poseidon (peer-reviewed ZK-friendly hash), ChaCha20-Poly1305 (NIST/ISM-listed). BLS12-381 itself is not yet on the ASD HACE list but is widely deployed and aligned with NIST proposals. We commit to replacing any primitive that fails ASD/IRAP review with an ASD-approved equivalent (e.g. P-256 with SHA-256 in pure-classical mode, alongside the BLS12-381 ZK path).
SC-4	✅ Halo2 proof IS the integrity control	Compliant	The Halo2 ZK proof cryptographically binds (a) the captured biometric, (b) the PAD liveness fingerprints, (c) the session-binding nonce, and (d) any selectively-disclosed credential attributes — a single ~2 KB proof. Tampering with any component invalidates the proof.
SC-5	✅ Personal Information never crosses the boundary at all	Compliant	Biometric PI never leaves the user’s device. Only the ZK proof, the session nonce, and (optionally) selectively-disclosed predicates traverse the network. ATO’s SaaS endpoint receives no PI.
SC-6	⚠️ PROTECTED certification not yet held	Partially Compliant	We commit to engaging an IRAP assessor for PROTECTED-level certification of the SaaS shell + integration within the procurement evaluation phase. Open-source codebase + minimised attack surface (no PI server-side) materially simplifies the IRAP path.
SC-7	✅ AWS ap-southeast-2 (Sydney) hosting	Compliant	All operational data (verification logs, audit trail, configuration) hosted in `ap-southeast-2`. Data Hosting Certification Framework: AWS Sydney holds the Certified Strategic Hosting Provider classification.
SC-8	✅ Full SBOM provided	Compliant	Open-source SBOM produced via `cargo cyclonedx`; every dependency, license, and access scope documented. Third-party components: Halo2 (PSE/zcash), Poseidon (academic), ChaCha20-Poly1305 (RustCrypto).

Operations, Vendor Implementation Support & Maintenance, Maintainability

ID	SABLE Position	Compliance	Commentary
OP-1	✅ Standard SaaS architecture	Compliant	dev / staging / prod environments, all monitored 24×7 via CloudWatch + PagerDuty integration.
OP-2	✅ CI/CD with ephemeral test environments	Compliant	GitHub Actions pipelines spin up per-PR test environments via Terraform; integration tests run automatically.
OP-3	✅ AWS Sydney + CloudWatch Service Health	Compliant	Data sovereignty enforced via IAM SCPs preventing replication outside `ap-southeast-2`; real-time status via internal CloudWatch + public status page.
OP-4	✅ CloudTrail + GuardDuty	Compliant	All access to ATO data and all privileged operations logged via CloudTrail; GuardDuty monitors for anomalous patterns.
OP-5	✅ ATO IP allow-list at VPC PrivateLink	Compliant	Access enforced at the VPC endpoint level + at the API authentication layer (mTLS); IP ranges configurable per environment.
OP-6	⚠️ Personnel coercion-detection is a specialist domain	Partially Compliant	We do not currently operate behavioural-analytics tooling for personnel monitoring. We will partner with an Australian managed-SOC provider for managed insider-risk detection if required (no such arrangement in place at the RFI stage), or accept this as a desirable-not-met.
OP-7	✅ Real-time alerting on biometric failure patterns	Compliant	EventBridge → SNS → PagerDuty for high-risk patterns (PAD failure clusters, brute-force enrolment attempts, geographic anomalies).
OP-8	✅ Tiered alerting via severity tags	Compliant	Critical / High / Medium / Low alert tiers route to different channels with different SLAs; data-loss-prevention covered by abnormal-access detection on the verification API.
OP-9	⚠️ NV1-cleared staff and iRAP-certified portal not yet held	Partially Compliant	Anuna Research Cooperative will engage an Australian Security Vetting Agency–cleared support subcontractor for NV1-cleared L2 support, and sponsor founder NV1 clearance in parallel, inside a procurement evaluation phase. Incident management via an IRAP-assessed Australian incident management portal. No subcontractor or portal arrangement is in place at the RFI stage.
OP-10	⚠️ No prior government identity-system deliveries (see IN-5)	Partially Compliant	We offer: (a) dedicated helpdesk with named L2/L3 engineers; (b) public fraud-prevention roadmap; (c) knowledge-transfer commitment via documentation, on-site workshops, and pair-programming during transition. We acknowledge limited prior government identity-system delivery history (see IN-5).
VISM-1	✅ Helpdesk via dedicated email + status page	Compliant	Tiered support (P1/P2/P3/P4) with SLA-bound response times; AusGov.au-hosted ticketing portal.
VISM-2	✅ Open-source documentation + ops runbooks	Compliant	All `docs/` is public; ops runbooks for the SaaS shell will be ATO-private and version-controlled.
VISM-3	✅ Monthly security patch cadence, weekly minor updates	Compliant	Documented patching schedule; CVE response SLA: 4 hours triage / 24 hours patch for Critical, 7 days for High.
VISM-4	✅ Ongoing maintenance is the commercial subscription scope	Compliant	Subscription tier includes platform maintenance, dependency patching, ZK circuit revisions as cryptographic best practice evolves.
VISM-5	✅ Public roadmap	Compliant	Codeberg-hosted public roadmap; quarterly stakeholder review cycles. Items already on roadmap: BBS+ selective disclosure rollout, post-quantum migration (CRYSTALS-Dilithium signature path), multi-spectral liveness (IR), continuous authentication.
VISM-6	⚠️ Limited government track record (see IN-5, OP-10)	Partially Compliant	Honest disclosure. We propose a paid PoC against ATO’s myID test cohort as the most decisive evidence.
VISM-7	✅ Active research programme	Compliant	Anuna Research Cooperative publishes on identity, biometrics, and digital trust. Recommendations include: BBS+ for selective disclosure; post-quantum identity (NIST PQC integration); zero-knowledge KYC; offline-first identity proofs.
M-1	✅ Patching is a published SLA commitment	Compliant	See VISM-3. Third-party components are tracked via `cargo audit` in CI; out-of-date dependencies block merges.

Reporting & Monitoring, User Experience & Accessibility

ID	SABLE Position	Compliance	Commentary
RM-1	✅ CloudWatch Logs with optional log-shipping to ATO’s SIEM	Compliant	All API activity, configuration changes, and security-relevant events logged; Kinesis Firehose for ATO log-shipping.
RM-2	✅ CloudWatch / Grafana dashboards	Compliant	Out-of-the-box dashboards for: capture-time distribution, PAD pass/fail rates, FMR/FNMR over time, regional latency, error rates. ATO can customise via Grafana.
RM-3	✅ ATO read access via IAM cross-account roles	Compliant	Cross-account read role for ATO to query CloudWatch Logs Insights directly; sample CloudWatch Logs Insights queries provided in the runbook.
RM-4	✅ Monitoring integration options documented	Compliant	Native integration with: CloudWatch (default), Datadog (via Lambda), Splunk (via HEC), ATO’s existing SIEM (via log-shipping).
UX-1	✅ Mobile-first capture flow + responsive web fallback	Compliant	Native iOS / Android first-class; responsive web demo verified on phones, tablets, desktops.
UX-2	✅ UI standards + Figma + user-flow docs	Compliant	Brand-customisable UI; Figma library; user-flow maps for enrolment, authentication, account recovery, error states.
UX-3	⚠️ WCAG 2.1 AA audit not yet completed	Partially Compliant	Capture flow uses standard form patterns + ARIA labels + sufficient contrast ratios. Formal WCAG 2.1 AA audit by an accredited Australian accessibility audit firm is planned and can be completed in 4-6 weeks (no audit firm arrangement in place at the RFI stage). Accessibility-mode liveness alternative (audio prompts, larger UI elements) on roadmap.
UX-4	✅ Customisable UI via configuration	Compliant	Branding (colours, fonts, logos), copy (multi-language), capture flow steps, and even challenge parameters are configuration-driven, not code changes.

Cross-cutting business-requirement narrative

Secure — Halo2 ZK proof gives cryptographic guarantees stronger than any statistical match-rate threshold. Spatial-flash PAD defeats current photo/screen/replay attacks; ongoing R&D into deepfake / 3D-mask defences. FMR/FNMR benchmarking against ISO/IEC TS 19795-9 commitment per TV-3.
User-friendly — Capture flow is ~10 seconds (face capture + 3 spatial-flash rounds); no special device required; no internet required for capture; biometric data never leaves device.
Device compatibility — Any smartphone with a front-facing camera and modern browser; specifically tested on iOS 14+, Android 9+, Chrome / Safari / Edge / Firefox.
Accessible — WCAG 2.1 AA commitment (UX-3); accessibility-mode liveness alternative on roadmap; multi-language support.
Scalable — Stateless verification at ~1.8 ms; capacity scales linearly with EKS pods.
Cost-effective — Open-source library means no per-seat ZK proof licence; commercial scope is SaaS shell + integration + ops. Pricing model in Part 4a covers both perpetual and subscription tiers.
Compliant — Aligned with Digital ID Act 2024 data-minimisation principles by construction; ISM / Essential 8 / Australian Privacy Principles addressed in SC-* responses.
Integratable & maintainable — MAUI bindings (IN-1, 4-6 weeks); IaC deployment (IN-4); public SBOM (SC-8).
Value for money — The privacy-by-construction architecture removes the need for expensive ongoing breach-mitigation, data-sovereignty audits, and consent-management infrastructure that traditional biometric solutions accrue over their lifecycle.