CTAS pre-application checklist

Created:  26 Oct 2015
Updated:  01 Aug 2016

Getting evaluated

  • The selected CTAS company liaises with the sponsor, customer, accreditor and the NCSC to agree the scope of the work
  • Based on the Security Target - which describes the scope of the system, product or service - and the requirements of the customer and their accreditor, an Evaluation Work Programme is produced by the CTAS company. This details the appropriate evaluation activities and associated activity plans that will meet the requirements of the accreditor.
  • At the end of evaluation, we will issue a CTAS Assessment Statement to the accreditor, making recommendations on the significance of any issues discovered.

Before submitting a request for Tailored Assurance Service (CTAS) you should consider the following:

  • CTAS offers a Tailored Assurance which is bespoke to the particular environment in which the solution will be deployed;
    • the aim of a CTAS evaluation is to answer the specific questions and concerns which the Accreditor may have.
    • the output from a CTAS evaluation is not a certificate, but an Assessment Statement which can be used to inform the Accreditor’s decision.
  • your application must have a clear requirement from government, and have a government Sponsor.
  • you must identify the Accreditor, and they should have requested the CTAS evaluation. The Accreditor should be committed to being involved in the whole CTAS process.
  • a CTAS evaluation is intended to be used where a solution has been developed and is ready for deployment; it is not suitable for solutions still in the design or development stages without prior agreement with the NCSC.
  • the design of the solution should be well documented, and a high level System Architecture should be available to us at application stage (in the case of products this may take the form of a ‘deployment architecture’ or may not be relevant).
  • before you submit a CTAS application, a Risk Analysis should have been completed in accordance with the Accreditor's requirements, and this should be available to the NCSC on request during the CTAS evaluation (this may, for example, be in the form of an RMADS).
  • before submission to ourselves, a project plan should be produced which indicates key milestones against dates, all stakeholders (including contact details) and any dependencies on our resources.
  • a list of all sub-systems and products (COTS and bespoke) that are relevant to the solution should be provided to the NCSC at formal application stage, including details of any relevant certifications.
  • it may be useful, and may help to improve the efficiency of the evaluation, if draft versions of the Security Target (ST) and Evaluation Work Programme (EWP) are created before formal application to the NCSC; however, it should be noted that these will be considered Draft versions and the evaluation will not progress to the next stages until full versions of each document have been created and signed off by ALL stakeholders.
  • before formal submission, any CTAS queries can be discussed with the NCSC. Once a decision has been made by the integrator/supplier and Accreditor to proceed with an application for CTAS then this should be discussed with one of the approved CTAS Companies. Applications should be submitted via the CTAS Company to the NCSC. The contractual relationship for a CTAS is between the integrator/supplier and the CTAS Company; we do not contract directly with the integrator/supplier/developer.

Further reading

Was this information helpful?

We need your feedback to improve this content.

Yes No