CAPS helps private sector companies develop cryptographic products for use by HMG and other appropriate organisations. CAPS evaluations are an involved and technical process that is best defined as a partnership between the developer and CESG.
CAPS is a service providing assured products for use by UK HMG, its agencies, and commercial enterprises working on behalf of UK HMG, where there is a need to protect UK HMG Protectively Marked information.
CAPS provides verification of cryptographic products to Government standards and formally approves their use by Central Government and the wider public sector. Cryptographic products evaluated under CAPS are assigned a ‘grade’. Those grades are:
- RESTRICTED / BASELINE
- CONFIDENTIAL / ENHANCED
- SECRET & ABOVE / HIGH GRADE
CAPS approved products are issued with a Certificate and Approval Letter detailing the level of cryptographic protection that they offer. CAPS approved products are listed on the CESG website and in the Directory of Infosec Assured Products.
CAPS and the new Government Classification Policy
The anticipated new Government Classification Policy will reduce the current 5-tier model to a 3-tier model (OFFICIAL, SECRET and TOP SECRET), under which CAPS High Grade will map directly to the TOP SECRET tier and CAPS Enhanced Grade to the SECRET tier.
Developers wishing to submit for evaluation products, systems or services that significantly rely on cryptography for their security.
- HMG Sponsor: The developer is required to provide written evidence from a sponsoring UK Government department to support their business case for CESG to evaluate the product.
- UK Presence: Any developer wishing to have a product evaluated under CAPS must have an operational UK business presence.
- Site Security: For evaluations of products at grades higher than BASELINE, the company must also have been accredited under the UK Government’s List X scheme.
- Personnel Security: At BASELINE, it is usual to have one or two members of the development team cleared to the UK ‘SC’ level. For grades above BASELINE, more stringent personnel security procedures come into force.
- Access to Source Code: A CAPS evaluation depends on full and unfettered access to design documentation, source code, schematics, physical layout and other information normally treated as ‘company confidential’. CESG requires access to this material on CESG premises, without any restrictions on which evaluators may view it or when it may be viewed. Note in particular that this requirement may also apply to third-party intellectual property (IP) used in the product.
Delivery Timescale & Lead Time