Commercial Product Assurance (CPA) provides assurance of security products developed by commercial companies. The products are assessed against the ‘Security Characteristics’ (SCs) for the product type, which includes:
The CPA assessment is valid for two years and requires an initial assessment against all of the required security characteristics. The SCs have three requirements (also referred to as mitigations) which the product must satisfy:
Manufacturers must also pass a build standard evaluation which assesses the Software Development Life-Cycle (SDLC) of the product to ensure it will be secure throughout the life-cycle.
The process flow below shows the steps you need to take to gain certification. It outlines how we work with NCSC as the scheme owners and you as the manufacturer during the initial assessments to achieve certification.
