    Inside the NCSC's Cyber Resilience Testing (CRT)

    Cyber Resilience Testing (CRT) uses Principles Based Assurance (PBA) to evaluate and describe the cybersecurity of software and technology products.

    The National Cyber Security Centre (NCSC) has launched Cyber Resilience Testing (CRT), which uses Principles Based Assurance (PBA) to evaluate and describe the cybersecurity of software and technology products.

    CRT has been designed to give technology users more confidence in choosing security products, be more responsive to the evolving threat landscape, and empower risk owners to make more informed decisions about the security of their data and networks.

    The CRT scheme focuses on technology assurance principles, covering:

    - Software security, including updates and ongoing support models.
    - Secure connectivity to external public networks.

    Principles Based Assurance (PBA) methodology

    PBA is a process for evaluating and describing cybersecurity. One of PBA’s aims is to remove the inflexible, prescriptive requirements that create barriers for new technology and innovative solutions. To enable this, the NCSC has defined high-level principles that describe positive security outcomes rather than mandating specific controls.

    Underneath the principles, the NCSC defines ‘claims trees’ (see pages 15 through 19 here for examples), which break a principle down into the controls that support it. At the leaves of the trees are the ‘bottom level claims’, which define the specific implementation details the system will be evaluated against. These are listed in the ‘Assurance Principles and Claims’ (APC) document.

    Importantly, the claims trees and bottom level claims can be modified, which is what gives the standard its flexibility. So long as the changes do not weaken the overall principle, modified claims are a useful way to describe a system’s design to anyone purchasing and using it, and the evaluation then tests the claims actually made rather than a fixed checklist.

    Risk management, not certification

    CRT deviates significantly from the old assurance schemes in that there are no certificates. Historically, if a system or service met a baseline set of criteria, a certificate would be issued. CRT does not define a minimum level that must be met. The NCSC has done this intentionally so that risk owners do not rely on a pass/fail certificate that may not reflect their own local risks and requirements; instead, they are given a description of how the product performs against each principle.

    For example, transport providers may have a higher need for resilience, whereas educational institutions may need stronger data confidentiality. CRT is designed to allow more informed decisions when purchasing products and services based on the principles that are most important.

    Next steps

    There are currently no mandates that require CRT as part of the procurement process; however, the PBA methodology is designed to underpin assurance throughout the UK. We therefore expect that most systems sold to UK government and national infrastructure will need to undergo some form of PBA. For commercial software and products, this will likely be CRT.

    System manufacturers should look at the technology assurance principles to understand whether their development practices, systems, and through-life support align to the principles. Purchasing teams that plan to use CRT should review the principles to understand which are the most important within their infrastructure.
