About CPA certification
CPA evaluates commercial off-the-shelf products, and their developers, against published security and development standards.
A security product that passes assessment is awarded Foundation Grade certification. This means the product is proven to demonstrate good commercial security practice and is suitable for lower threat environments.
CPA certification is valid for two years and allows products to be updated during the lifetime of the certification as vulnerabilities arise and updates are required. Products are tested against published CPA Security Characteristics, so:
- vendors are aware of the assessment criteria to develop against
- data owners can be confident that certified products have been tested against NCSC standards
The CPA scheme library contains the documents that relate to the scheme.
Thinking of applying?
CPA is open to all vendors, developers and suppliers of security products with a UK sales base.
Foundation Grade assessment is carried out by independent NCSC-approved CPA Test Labs. As a vendor, you should first contact one of these labs to agree terms and initiate testing of your product. The lab will then liaise with us to confirm the suitability of your product for the assessment. A diagram showing an overview of the process can be found under the Downloads tab.
NATO and EU recognition
As a vendor of CPA certified products you can apply to get your product listed on the NATO or EU catalogues:
- the NATO catalogue will accept a formal NCSC endorsement of the security product
- the EU catalogue requires a further evaluation before the product can be listed
See the attached process flow chart document (under the Downloads tab for this page) for more information.
There are no up-front costs, but you are likely to incur costs in the event that you need to modify your product to meet requirements.