Foundation Grade explained

Created:  26 Oct 2015
Updated:  27 Sep 2017
Foundation Grade is a way of describing security products that demonstrate good commercial security practice.

Which certification scheme?

Commercial security-enforcing products can gain Foundation Grade assurance through our Commercial Product Assurance scheme (CPA) and in some cases through Common Criteria (CC) certification (an international scheme).

To decide which route to choose, ask yourself:

  • Is there an assurance standard for your product to be assessed against? Check Security Characteristics (for CPA) and Protection Profiles (for CC).

  • What is your sales base? CPA requires that you have a UK sales base.

  • What is your market? CPA serves the UK government and, in some cases, NATO and EU markets. CC is internationally recognised.

  • What is your product maintenance strategy? CPA typically allows products to be updated during the lifetime of their certificate. CC only applies to a specific version of the product — though this can be extended with maintenance options.

Also note that testing is carried out by approved test labs, and you must agree to the cost and terms and conditions of your contract with whichever lab you choose.

What is Foundation Grade?

Foundation Grade is a way of describing security products that demonstrate good commercial security practice. You can have confidence that the product will perform its stated security functions in lower threat environments. Foundation Grade directly maps to the threat model for OFFICIAL.

Foundation Grade assessments are performed by NCSC-approved CPA Test Labs.

Foundation Grade assurance can be gained through our Commercial Product Assurance (CPA) scheme and, in some cases, Common Criteria certification may also be used.

Applying for Foundation Grade assurance

If your customers rely on a product to perform a security function in the lower threat environment, Foundation Grade certification gives confidence in the security behaviours of the product, in line with commercial good practice. You should contact a CPA Test Lab to agree requirements and costs.

First steps

What you need to know before approaching a lab to discuss requirements:

  • only products which perform a security-enforcing function, such as firewalls, virtualisation products and cryptography, are eligible to be certified

  • only products covered by one (or more) of the published Security Characteristics — which define the properties of a good product — can be certified

  • the engineering principles expected during the development of security products are outlined in the Foundation Grade Build Standard (PDF) (also available from the CPA Scheme Library)

  • vendors are expected to provide technical assistance to labs during evaluation to ensure a good understanding of the product undergoing assessment

  • evaluation involves mostly ‘black box’ testing so doesn’t require access to vendors’ commercially sensitive information, although this type of information may speed up the assessment

Applying for Foundation Grade assurance

  1. Select a Foundation Grade Security Characteristic suitable for the assessment of your product.

  2. Contact a CPA Test Lab to confirm they are able to test your product against the selected Security Characteristic.

  3. The lab will submit a recommendation report to us.

  4. Based on the report, we confirm the suitability of your product for assessment against the chosen Security Characteristic.

  5. The lab can now conduct the evaluation testing. This culminates in the production of an evaluation summary report, which is sent to us.

  6. We review the report and, if the assessment is successful, award the Foundation Grade Certificate.

  7. The product is added to the CPA Certified Products page.

Maintaining Foundation Grade assurance

CPA allows products to be updated during the lifetime of certification as vulnerabilities are identified and functional updates are required. We will seek evidence at Foundation Grade that the vendor’s approach will maintain the quality of the certified product.

CPA certification is valid for two years. A maintenance plan is required for each product which ensures the correct management of changes. This requirement means most of the changes made to a product will be covered by the initial certification.

How CPA works

CPA evaluates commercial off-the-shelf products and their developers against published security and development standards.

How Common Criteria works

Common Criteria (CC) is a widely recognised international scheme used to assure security-enforcing products. It provides formal recognition that a developer's claims about the security features of their product are valid and have been independently tested against recognised criteria to a formalised methodology.
