CPA: Commercial Product Assurance

Earlier this month, CESG presented their new assurance scheme for security products at the IA Practitioner’s Forum in York. Commercial Product Assurance (CPA) is the new assurance scheme for security products that protect UK government data at Impact Level (IL) 3 or below.

I was involved with the pilot of the (then CSIA) Claims Test Mark Scheme back in 2004: SecureWave was invited to participate in the pilot phase (then run by Cabinet Office) to produce working Claims Documents that could be easily turned into test plans from their marketing collateral. We, together with our test lab IBM, achieved two of the first three certificates awarded for the scheme launch in September 2005. The scheme addressed a market need at that time: a UK government backed assurance scheme that was effectively a hallmark of security software, up to Impact Level 2.

Six years later, the security landscape is greatly different from that of 2005. Threats emerge at a much faster rate, so any new scheme needs to be both flexible and adaptive in its approach. Long lead times to certify a solution will undermine the scheme itself, and the new scheme also needs a mechanism to deal with patching of solutions as new threats emerge and vulnerabilities are identified. From a vendor perspective, too, the market has changed. Security solutions have become commoditised, and the huge sums available to spend on assurance schemes in 2005 are now under close scrutiny for their long-term return as an investment in 2011.

Being involved with the CCTM pilot and launch, I’ve taken a keen interest in the development of this new scheme, and particularly welcome the responsiveness of CESG to the concerns expressed by vendors and consultants at the workshop at CIPCOG 2010 on their existing assurance schemes. What I believe this new scheme addresses:

  • To provide a scheme for product assurance for the “missing” part of product assurance – at Impact Level 3 (CCTM evaluated products were up to IL2). CAPS, suitable for higher impact levels, was seen as too costly and time-consuming by vendors who had engineered a solution suitable for, say, local government, but had no desire to operate or engineer for the higher impact levels. This prevented some vendors from entering the UK government market at all.
  • To recognise that vendors may have already submitted their products through other certification schemes, such as Common Criteria, and recognise the evidence in that submission, where appropriate.
  • It recognises that not all data at Impact Level 3 should be treated in exactly the same way. Depending upon the threat level, either a Foundation or Augmented grade CPA evaluation will be required, reflecting the threat model and product usage.
  • It encourages competition in the industry by opening up the relatively closed space of IL3 to more players.
  • It addresses the need to select a product relevant to the risk profile associated with a particular organisation. Over-engineered solutions for a relatively lower risk profile will have a credible alternative solution.

In the new scheme there are, at the time of writing, 26 categories (“security characteristics”) of security products eligible for entry into the CPA scheme. These include: software full disk encryption and VPNs for remote working (the categories this time around for the pilot phase); data destruction and desktop email encryption (priority A); SSL VPN and desktop virtualisation (priority B); and client AV product and bootable media for remote working (priority C).

There are two levels of entry into the scheme: Foundation and Augmented. Foundation level involves predominantly “black-box” testing and examination of the product, whereas Augmented level involves more specialised testing, and analysis of source code and other low-level artefacts. These take into account that not all data at Impact Level 3 is subject to the same nature of threats (e.g. aggregation of citizen data in a local authority; a central government payment system; an intelligence agency’s RESTRICTED email system). It does raise the question of whether Impact Levels have been a good way of reflecting the threat landscape, and of serving as guidance, if such a rider is needed to reiterate that impact levels represent the impact to the organisation of a breach, not necessarily the environment or nature of the data to be protected.

Testing will be done by a CESG-approved CPA testing lab, whereupon the test lab will submit the results of a questionnaire concerning the product to CESG on behalf of the vendor. Provided CESG confirm the eligibility of the solution for Foundation grade, the test lab will evaluate the solution against the security characteristic specified for that solution, and CESG will review the deliverables. Passing Foundation level evaluation is a prerequisite for Augmented level entry. Due to the more detailed analysis required for Augmented level, the contract for evaluation will be between CESG and the developer.

As far as the existing CCTM scheme is concerned, there will be a gradual phase-out of the scheme. Products already in CCTM evaluation will continue. New submissions to CCTM have been or will be rejected as follows:

  1. Products that could be tested against ‘Priority A’ CPA SCs will not be accepted into CCTM from 14th February 2011.
  2. Products that could be tested against ‘Priority B’ CPA SCs will not be accepted into CCTM from 31st March 2011.
  3. Products that could be tested against ‘Priority C’ CPA SCs will not be accepted into CCTM from 31st December 2011.

I am supportive of the new scheme but would stress the need to ensure that the new scheme delivers on the key concerns of reducing time to certify and the costs of the scheme (particularly for foundation level). Although CESG are not responsible for the costs of the new scheme, it is in the interests of all concerned to deliver in this regard. Towards the end of the CCTM scheme, the average cost to the vendor was £18k-£20k in submitting a product through CCTM. I’ve heard similar figures being mentioned for the new scheme. A streamlined process that takes into account existing schemes ought to reduce costs for foundation level (augmented level evaluations will obviously be at the higher end owing to the more vigorous evaluation required).

It is true that this new scheme also includes a higher level of assurance than CCTM did, but on the other hand it is the foundation level that is likely to be of most interest to vendors: reducing the time and costs to certify a solution over CCTM, as well as taking into account existing certification schemes, where appropriate. It is this, too, that will open up the large local government market to more competition, which hitherto has seen a near monopoly or duopoly in certain key product areas. Lack of competition is at risk of creating a dangerous monoculture in government. This assurance scheme will encourage innovation in the industry, as well as delivering value for money for the taxpayer.

CPA is the new product assurance scheme from CESG and launches Spring 2011. More information can be found at CESG’s website.

Phil Stewart is director of Excelgate Consulting and
Director, External Communications, of the UK Chapter of the ISSA
