The National Technical Authority
for Information Assurance

Commercial Product Assurance (CPA)

The Commercial Product Assurance (CPA) scheme evaluates commercial off the shelf (COTS) products and their developers against published security and development standards. These CPA certified products can be used by government, the wider public sector and industry.
CPA consolidates previous CESG schemes to provide simplified, certificate-based assurance of security products for use in lower threat environments.
    “Approaches like CPA are important to keep the UK safe and secure in cyber space”,
    Chloe Smith MP, Minister for Political and Constitutional Reform.
Link to CPA Certified Products Page
Link to CPA for Vendors

CPA and the new Government Classification Policy

The new Government Classification Policy has three assurance grades (OFFICIAL, SECRET and TOP SECRET).
The OFFICIAL Tier is expected to be used for the vast majority (approximately 80%) of information that is created or processed by Government and the Wider Public Sector.
CPA Foundation Grade aligns with the OFFICIAL Tier of the new Government Classification Policy and CPA products will be the default solution for this Tier.
​CPA helps data owners to deliver business whilst remaining safe against likely threats, confident that their security products meet the security standards of CESG - the National Technical Authority for Information Assurance.
By helping data owners, security officers and their suppliers to identify the appropriate level of assurance, CPA will drive up best-practice across the Government ICT estate.

Latest Updates

More certified security products for OFFICIAL information

The number of CPA certified security products has continued to climb, with products from Microsoft and Cisco achieving Foundation Grade status.

Published on Wednesday 17 Sep 2014

Protecting OFFICIAL data? See a new Virtual Private Network product

Cisco IPsec VPN gateway has recently been assessed under Commercial Product Assurance (CPA) and gained Foundation Grade certification.

Published on Friday 20 Jun 2014

CPA certification for Windows Server 2012

Microsoft Windows Server 2012 gains Foundation Grade certification

Published on Monday 09 Jun 2014

NATO listing for Cryptify Call

Cryptify Call Version 3 - a voice encryption solution for Smartphones - has been accepted into the NATO Information Assurance Product Catalogue.

Published on Tuesday 04 Mar 2014

Egress Switch - email encryption

The first email encryption product to be included in the burgeoning list of Commercial Product Assurance certified products is Switch, from Egress Software Technologies.

Published on Monday 17 Feb 2014