Certified product scheme

Commercial Product Assurance (CPA)

Commercial Products

About CPA certification

CPA evaluates commercial off-the-shelf products, and their developers, against published security and development standards.

A security product that passes assessment is awarded Foundation Grade certification. This means the product is proven to demonstrate good commercial security practice and is suitable for lower threat environments.

CPA certification is valid for two years and allows products to be updated during the lifetime of certification as vulnerabilities and updates are required. Products are tested against published CPA Security Characteristics, so:

  • vendors are aware of the assessment criteria to develop against
  • data owners can be confident that certified products have been tested against NCSC standards
  • the CPA scheme library contains the documents that relate to the scheme

Thinking of applying?

CPA is open to all vendors, developers and suppliers of security products with a UK sales base.

Foundation Grade assessment is carried out by independent NCSC-approved CPA Test Labs. As a vendor, you should first contact one of these labs to agree terms and initiate testing of your product. The lab will then liaise with us to confirm the suitability of your product for the assessment. A diagram showing an overview of the process can be found under the Downloads tab.

NATO and EU recognition

As a vendor of CPA certified products you can apply to get your product listed on the NATO or EU catalogues:

  • the NATO catalogue will accept a formal NCSC endorsement of the security product
  • the EU catalogue requires a further evaluation before the product can be listed

See the attached process flow chart document for more information (see the Downloads tab for this page).

There are no up-front costs, but you are likely to incur costs in the event that you need to modify your product to meet requirements.

Other related pages

CPA scheme library

How to become an approved test facility

Scheme fees

Common Criteria

NATO and EU process flow chart


This file may not be suitable for users of assistive technology.


PDF, 372.82KB

This file may not be suitable for users of assistive technology.

Certified products

Was this information helpful?

We need your feedback to improve this content.

Yes No