diff --git a/README.md b/README.md index 1970535..9143a34 100644 --- a/README.md +++ b/README.md @@ -40,8 +40,13 @@ Check out more: * [CenturionMeet](https://talk.e2ee.li/) * [Contact the author](https://coresecret.eu/contact/) -> Please note that all my signing keys are stored in an HSM and that the signing environment is air-gapped. -> The next step is to move to a room-gapped environment. +## 1.1. Notes + +### 1.1.1 HSM +Please note that all my signing keys are stored in an HSM and that the signing environment is air-gapped. The next step is to +move to a room-gapped environment. ^^ + +### 1.1.2 HSTS and DNSSEC Please note that `coresecret.dev` is included in the [(HSTS Preload List)](https://hstspreload.org/) and always serves the headers: ````nginx configuration pro @@ -50,7 +55,7 @@ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; prelo ```` Additionally, the entire zone is dual-signed with DNSSEC. See the current DNSSEC status at [DNSSEC Audit Report](https://git.coresecret.dev/msw/CISS.debian.live.builder/src/branch/master/docs/AUDIT_DNSSEC.md) -## 1.1. Immutable Source-of-Truth System +## 1.2. Immutable Source-of-Truth System This live ISO establishes a secure, fully deterministic, integrity self-verifying boot environment based entirely on static source-code definitions. All configurations, system components, and installation routines are embedded during build time and
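Review bot: in the first hunk (`@@ -40,8 +40,13 @@`), the new heading `## 1.1. Notes` has a period after the section number, while `### 1.1.1 HSM` and `### 1.1.2 HSTS and DNSSEC` do not; use one numbering style for all three. The HSM paragraph also ends in a stray `^^` and uses "room-gapped" without explaining it. Since this paragraph is a statement about how the signing keys are protected, drop the emoticon and add a sentence that defines the term. The hard wrap in the middle of "The next step is to / move to" can be removed now that the text is no longer a blockquote.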
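Review bot: in the second hunk (`@@ -50,7 +55,7 @@`), only the heading `## 1.1. Immutable Source-of-Truth System` is renumbered to `1.2.`; the patch touches nothing else below it. If that section has subsections numbered 1.1.x, or if a table of contents or any link targets the old heading anchor, they will now collide with or point past the new `1.1.1 HSM` and `1.1.2 HSTS and DNSSEC` entries. Renumber those subsections and update the anchors in the same commit.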