Commercial Product Assurance (CPA) assessment scheme

Commercial Product Assurance (CPA) provides assurance of security products developed by commercial companies. The products are assessed against the ‘Security Characteristics’ (SCs) for the product type, which includes:

  • Web application firewalls
  • Encryption
  • Smart Meters
  • Tokens and Readers (currently in draft)

CPA assessments

The CPA assessment is valid for two years and requires an initial assessment against all of the required security characteristics. The SCs have three requirements (also referred to as mitigations) which the product must satisfy:

  1. Development
  2. Verification 
  3. Deployment 

Manufacturers must also pass a build standard evaluation which assesses the Software Development Life-Cycle (SDLC) of the product to ensure it will be secure throughout the life-cycle.


CPA assessment steps

The process flow below shows the steps you need to take to gain certification. It outlines  how we work with NCSC as the scheme owners and you as the manufacturer during the initial assessments to achieve certification.