Commercial Product Assurance Certification is a move from scheme to grade-based assurance. This streamlined approach makes it easier for data owners to assess what level of security is required and, by extension, which products are suitable for their requirements.
CPA takes multiple assurance schemes and consolidates them into a single certification level suitable for low threat environments.
CPA Augmented Grade will not now be formally launched and CESG will agree a way forward with vendors of products in evaluation or certified.
Common Criteria and FIPS
CPA assures commercially available security products with an emphasis on the lower threat environment.
Products which hold current and relevant FIPS-140 certification may help CPA assessors to determine how cryptographic controls are working at Foundation Grade, but additional assessment of the product will generally be required prior to certification. FIPS-140 certification is not always required, and can be discussed on a case-by-case basis.
Common Criteria (CC) is an internationally recognised IA certification scheme. CC Certification may contain useful evidence for CPA assessors, but may not be sufficient. It may, however, be possible to reuse evidence from earlier CC work.
Vendors who are interested in the international aspects of CPA are encouraged to download the following letter, which describes the relationship between CPA and CC.