Commercial Product Assurance (CPA) assessment scheme

Commercial Product Assurance (CPA) provides assurance of security products developed by commercial companies. The products are assessed against the ‘Security Characteristics’ (SCs) for the product type, which includes:

Web application firewalls
Encryption
Smart Meters
Tokens and Readers (currently in draft)

CPA assessments

The CPA assessment is valid for two years and requires an initial assessment against all of the required security characteristics. The SCs have three requirements (also referred to as mitigations) which the product must satisfy:

Development
Verification
Deployment

Manufacturers must also pass a build standard evaluation which assesses the Software Development Life-Cycle (SDLC) of the product to ensure it will be secure throughout the life-cycle.

CPA assessment steps

The process flow below shows the steps you need to take to gain certification. It outlines how we work with NCSC as the scheme owners and you as the manufacturer during the initial assessments to achieve certification.

Asia Pacific

Europe

Americas

Middle East and Africa

Can't find a country or region?

Popular

Access and buy standards

About standards

Working with standards

Standards and information

Auditing, certification and training

Consulting practices

Industry reports, research and news

Blogs

Services

Our solutions

Our partners

Cloud services

Cybersecurity training courses

Training solutions

Commercial Product Assurance (CPA) assessment scheme

CPA assessments

CPA assessment steps