What physical security products can be assessed under the CAPSS scheme (and what cannot)?
Most security products that are vulnerable to some form of cyber attack can be assessed by the CAPSS scheme. Examples of such products are: Automated Access Control Systems (AACS), Perimeter Intrusion Detection Systems (PIDS), Intrusion Detection Systems (IDS), Security Management Systems (SMS) and Video Management Systems (VMS). Specific manufacturer-designed products such as network routers/firewalls cannot be evaluated, but their configuration may be considered as peripherals of a larger security system.
If a site cannot utilise CAPSS assured products, what can they do?
If you are an organisation that is unable to utilise CAPSS assured products for any reason, CPNI have produced detailed guidance, based heavily on the CAPSS Security Characteristic, that can be used in discussion with manufacturers, either existing or new, to assess the cyber protection their products will provide. Checklists and relevant questions to ask are provided along with guidance on how to best understand your risks and focus your resources against cyber attack threats.
CPNI strongly recommends that an organisation encourages manufacturers they utilise to undertake a CAPSS evaluation on their products.
CAPSS is a manufacturer-funded evaluation scheme. Cost will be largely dependent on the complexity of the product(s) being evaluated.
Should a product undergo a CPNI functional evaluation before a CAPSS evaluation?
For a product that qualifies for a CPNI Functional Standard evaluation as well as CAPSS, such as Automated Access Control or Perimeter Intrusion Detection Systems, it is recommended that the manufacturer self-assesses their product against the CAPSS requirements at an early stage (early engagement with a test lab is also strongly recommended), but that functional standard testing is undertaken first. However, it is possible to undertake a CAPSS evaluation prior to undertaking the functional standard evaluation. In this scenario, if changes are required to the product as a result of that functional evaluation, additional CAPSS testing may be required to be undertaken by a certified test lab.
Products that do not have a chapter in the Catalogue of Security Equipment (CSE), e.g. Video Management Systems or Security Management Systems, are only required to undergo CAPSS evaluations.
Which test labs can undertake CAPSS evaluations?
Currently the following test labs can undertake CAPSS evaluations on behalf of CPNI: BSI, Cytal and NCC.
Any new test lab wishing to undertake CAPSS evaluations should contact [email protected] in the first instance.
What changes can be made to a product after a successful CAPSS evaluation and will they need formal retesting?
For most changes, you can update and release new functionality to the product without affecting your CAPSS certification. However, any change that increases the attack surface of the product (defined as a major change) should be notified to CPNI as early in the development stage as possible. More detailed guidance is available on what is classed as a “major” change and how CAPSS assurance maintenance is achieved.
Standards and testing
What are the major elements of CAPSS testing?
CAPSS is formed of 2 major elements:
1) The NCSC CPA Build Standard, which provides a level of assurance of a manufacturer’s development principles, procedures and quality assurance processes; and
2) an in-depth technical verification of a product’s cyber attack defence capability and its development and deployment procedures and documentation.
Is a product expected to pass all the requirements in the CAPSS Security Characteristic?
CAPSS uses a Tailored Security Characteristic (TSC) methodology where only requirements that are relevant to the product or its deployment are evaluated. So, where a CAPSS requirement is not necessary for secure operation of the product, that requirement will not need to be assessed. For example, if the product does not utilise Cloud Services in any form then the relevant section in the Security Characteristic will not be included in the TSC and will therefore not be in scope for evaluation. However, a manufacturer cannot simply ‘choose’ to omit some requirements: if the product implements a specific functionality then that functionality is required to be assessed. The TSC scope will need to be confirmed with the test lab and accepted by CPNI in the pre-evaluation phase.
How long does CAPSS assurance last before it needs renewing?
CAPSS assurance is valid for 2 years. At the end of the 2-year period, the product will be subject to a formal review by a test lab, at which a further 2-year period of assurance can be granted if no issues are found. This process is repeated after a further 2-year period. Once a product has been assured for a total of 6 years it will be subject to a full re-evaluation.
Does a manufacturer need to undertake a build standard for every product submitted to CAPSS?
No. If a manufacturer has already successfully passed the build standard assessment for one product, then they will not have to undergo a full build assessment again, provided that the new product is subject to the same processes and procedures. However, if it is determined that new and additional processes are utilised for the development of the subsequent product, a smaller top-up assessment would be required on those new processes.
(Note: if a new development site has been created using existing processes then this will also be subject to a smaller top-up assessment.)
Can other certification scheme evidence be used for a CAPSS evaluation?
Yes. Evidence submitted whilst gaining certification from other cyber assurance schemes can be used as evidence during a CAPSS evaluation. More detail can be found within the Security Characteristic and Application Notes, or contact [email protected] for further information.
What is the difference between Cyber Essentials, Cyber Essentials Plus and CAPSS?
Cyber Essentials is a simple but effective, government-backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber attacks. It is a requirement should a manufacturer wish to bid for central government contracts which involve handling sensitive and personal information or the provision of certain technical products and services.
Cyber Essentials is a self-certification scheme, whilst Cyber Essentials Plus is self-certification with an additional technical assessment requirement.
CAPSS focusses on the security of an individual product that an organisation may choose to use. It builds on principles in the Cyber Essentials schemes and has additional build standard requirements that provide further assurance of the manufacturer’s development and quality assurance capability, whilst also undertaking an in-depth technical assessment of the product’s cyber defence capability.