Commercial Product Assurance (CPA) is a CESG scheme which is used to certify products which are used to protect Government networks operating at the OFFICIAL tier.
Roke evaluates products under the CPA scheme, where successful evaluations lead to the product obtaining a formal CESG CPA certificate, enabling it to be used to protect classified networks. CPA provides product vendors with the following benefits:
- Recognised by UK Government
- International recognition through NATO and EU recognition
- A benchmark of good practise, increasing product credibility in the commercial market
Roke has a proven track record of delivering CPA evaluation services within significantly reduced timescales, enabling products to reach the market sooner. This efficiency is gained by working with the product's development team to achieve certification, leveraging our decades of software and hardware development expertise to provide constructive feedback to product developers without compromising the rigour of testing.
Evaluations performed under the CPA scheme are conducted against CESG published Security Characteristics, one per product type, which define the threats which apply to each product type and the mitigations a product must employ to defeat those threats. In order to qualify for CPA certification, a Security Characteristic must be available for the product type, where a full list of currently published Security Characteristics can be found on CESG's website.
Once you've identified one or more Security Characteristics which match your product, or would like more information about the scheme, please contact us.
In addition to formal evaluation services, Roke recognises that product vendors may require additional services before applying for formal certification. Thus we are able to provide a customised range of independent informal support services, including:
- Evaluation of the product design by an experienced evaluator prior to entering formal certification
- Delivery of test tools used during CPA such that product vendors have the confidence that no surprises are discovered during formal testing
- Conduct of an informal evaluation prior to an application for formal CPA evaluation.
Before a CPA evaluation can begin, the following scheme pre-requisites are required to be met:
- The product developer has a UK sales presence, and UK Government Customers will be able to purchase the product
- The product is covered by a current Security Characteristic published by the CPA authority
- The Product Developer must be able to show that:
- Extensive testing of the product is being performed
- A configuration management system is being used
- A software-based issue tracker is being used as part of a defined flaw remediation process
- A flaw-reporting process is being used that enables flaws that are discovered outside the Product Developer's organisation to be reported
Please contact us if you're unsure whether you meet any of these pre-requisites.
Commercial Product Assurance
Managed, trusted product assurance for government and enterprises
Please contact us for further details.