Putting the NCSC's badge on it...

Created:  22 May 2017
Updated:  22 May 2017
Author:  Anne W
Part of:  Assurance

We're often asked questions that sound something like "can you recommend <a thing> to help me with <a cyber security challenge>?". Recent queries of this type include:

  • "Which antivirus products does the NCSC endorse?"
  • "Which cloud services does the NCSC think are safe to use?"
  • "Which password management software does the NCSC recommend I deploy for my users?"
  • "Who does the NCSC trust to help me with my cyber security design and implementation work?"
  • "Can the NCSC tell me if I've put my network together securely?"

This is where our assurance work comes in.

Confidence

Nothing is perfect. But we do want you to be able to satisfy yourself that you know what a given cyber security offering will and won't do for you.

It's about understanding the strengths and limitations and having enough confidence to choose the most appropriate offerings for your needs, and to proceed to make the best use of them.

You can feel more confident when you know that a cyber security-related offering — be it a product, system, service or person — has been independently evaluated and assured by the NCSC.

Independence

Of course manufacturers and service providers believe their cyber security products and services are brilliant. And cyber security professionals often have a raft of professional training and certifications. But we know from experience that it is wise to test the claims that are made — and this is what we do in our assurance work.

Our independence is really important in this area. It allows us to evaluate offerings and test claims from an impartial position, against clear and fair criteria. So you should be able to have more confidence in offerings assured by us.

Certification?

Assurance is often confused with certification, but they are not the same thing.

Yes, a lot of our assurance work does end with us certifying things. This happens when we've tested an offering against published standards, and as a result we can say how it compares with other offerings tested against the same standards.

But assurance doesn't need to result in certification. For example, when the NCSC publishes guidance we are implicitly assuring you that it's worthy guidance you might want to follow to achieve a cyber security goal.

Schemes

Various agencies combined to form the NCSC, and each ran a range of assurance schemes that you'll now find in our Marketplace.

These schemes grew organically over the years, as additions and changes were made in response to particular tactical needs. As a result:

  • all of the schemes operate slightly differently
  • there are some ambiguous and unhelpful overlaps
  • we haven't always been good at explaining what a particular scheme should and shouldn't be used for

We know this is confusing, and that it makes it difficult for you to find the assured stuff you need as a consumer. Similarly, for our industry partners who are undergoing assessment, we know their experiences are often not as good as we want them to be. So, we're going to sort this out.

Improvements to come

We're starting work to transform our assurance activities (excluding Sovereign*).

Note

*Sovereign schemes are the ways that we evaluate various products and services designed to protect the nation's most sensitive and classified material.

We are not changing Sovereign schemes as part of this work.

We are determined to:

  • make our assurance processes as slick and straightforward as we can — wherever we can we will make them digital, by default
  • simplify the assurance landscape and present clear roadmaps for all of our schemes, so that everyone can easily understand what to expect

It's a complex landscape, so we can't change everything overnight. But we do want to make improvements as quickly as we can.

We are grateful to our assurance partners — the industry partners that perform much of the independent testing on our behalf — for their continued support whilst we're making these changes, and for their constructive suggestions to date.

In the NCSC prospectus we said that we would:

  • "work with the cyber security industry to help ensure organisations of all kinds can find cyber security products and services that are high quality and meet their needs"

Our assurance work is central to this — and the changes that we're planning are vital to making this a reality.

Input from industry partners and end users is also vital, to help us prioritise and focus our work. So, we’ll be running consultation groups and surveys over the coming months. If you’re interested in helping us understand the challenges you face, let us know:

  1. Go to our Contact us page.
  2. Under Nature of enquiry, select General enquiry.
  3. Complete the web form. In the Subject field, please type 'Get involved with assurance' (this will help the enquiries team to forward your details to us quickly).

Or, use the comment section below to give us your initial thoughts.

Anne W and Jon L

1 comment

Phil Ashby - 16 Jun 2017
Hi folks, does this assurance / certification work relate to the Gov.UK Verify scheme in any way? Might be interesting for potential clients to see what NCSC think about Verify.

Phil (full disclosure: architect in GBG Plc, an IdP for two Verify brands).
