Brochures

Data Sheet: Independent Security Evaluation & Testing Services

Data Sheet: SiVenture, Your Trusted CCT Mark Partner

Library

Links to other websites

CESG Commercial Product Assurance Scheme

CPA Scheme Security Characteristics

UKAS

The CESG Commercial Product Assurance (CPA) scheme is a developing UK Government scheme designed to provide assured commercial security products for users who have a need for Information Assurance. The scheme is administered by CESG, the Government’s National Technical Authority for Information Assurance, and the scheme website is here.

The scheme aims to provide assurance for products intended for use generally in the IL3 and below space although usage may be allowed in some cases up to IL4 (depending on the threat level). The CPA scheme has been designed by CESG to ensure that products for use within the Public Sector provide the required risk mitigations to counter the threats which they are likely to face in this environment.

There are two grades to product assurance in CPA - Foundation Grade and Augmented Grade. Certification to Foundation Grade means that a product has been tested to show that it provides the required security functionality. The functionality required for a particular type of product will be defined in a set of CESG produced Security Characteristics, which will include definition of the additional functionality to be provided should a product aim for Augmented Grade certification.

Evaluation to the Foundation Grade is performed by SiVenture, with certification being performed by CESG in their role as scheme certification body. Evaluation of products for Augmented Grade is currently undertaken by CESG, but only once a product has successfully completed a Foundation Grade evaluation and certification.

These Security Characteristics are currently being developed, and further details of which Security Characteristics are being developed, and the likely timescales for their development, can be found on the CPA Security Characteristics web page here.

It is likely that some products may have to comply with more than one set of Security Characteristics and SiVenture is happy to provide advice and guidance around this issue.

Security Characteristics are divided into three main areas:

  • DEV, where it is likely that design information, or maybe even small amounts of source code, will be needed to provide an appropriate response to the requirements
  • VER, where SiVenture will perform testing to verify that the product meets the specified requirements and
  • DEP, which are requirements on the deployment of the product and SiVenture will produce Security Operating Procedures to be followed in deployment to ensure that the products operates in a way so as to meet the Security Characteristics.

Product developers also have to undergo a “Build Standard” evaluation - which is an audit by SiVenture of the manner in which the security of the product is built in throughout the development process. For example it is expected that a vendor would:

  • Employ a configuration management system
  • Use a software-based issue tracker as part of a defined flaw remediation process
  • Perform software testing
  • Have an external flaw-reporting process.

If multiple products are developed in the same build environment then the results of one “Build Standard” audit may be re-used to support other product CPA evaluations for a period of up to 2 years.

SiVenture and CPA

CPA is now live, with pilot evaluations completed in a number of areas, and several security characteristics have been published and are available for vendors to submit products for CPA evaluation.

SiVenture was the only lab to be involved in both pilot evaluations and, thus, is best placed to be able to match your requirements with those of the scheme and to identify a cost and time efficient route to certification.

SiVenture, as the only test lab accredited for both CPA and Common Criteria, is the only lab able to offer the opportunity of achieving both CPA and CC certification from a single evaluation project.

In general the testing process begins with a visit by SiVenture staff to the vendor. This initial meeting, which may last a number of days, allows us to seek the necessary design information to support our assessment of product compliance with the Security Characteristics; and also allows us to progress the Build Standard audit if one is required.

We then undertake testing on the product and may identify additional issues which need to be resolved, in conjunction with the vendor, before we can complete the required test report.

CPA only covers Product assurance and so services will continue to be assessed and certified using CCTM for the foreseeable future and thus SiVenture continues to offer our successful service assurance offering - designed to help you achieve service certification as efficiently as possible.