I welcome the impending Commercial Product Assurance (CPA) Foundation and Augmented certification scheme from the CESG – the Communications-Electronics Security Group – since it will give public sector organisations a wider and more competitive choice of security products.
In addition, it will assist private sector clients in making secure storage and allied security purchasing decisions.
The new scheme will allow a much greater number of vendors to pitch for public sector security product supply deals, since the smaller firms will be able to compete on a more level playing field.
This is really excellent news as it’s a win-win-win situation for taxpayers, private sector businesses and vendors, and the scheme has been a long time coming.
The Foundation grade certification is likely to become a must-have option for IT security products in the near future, whilst the Augmented certification – which indicates a wider set of security features and depth of testing – will also be popular.
Initially, the certifications will be available for software VPN and hard drive encryption offerings, with the longer term aim of covering any security-enforcing products, including virtualisation and firewall technologies.
These accreditations come at a time when zero-day, DDoS and multi-vector IT security threats from organised crime syndicates have become a reality for IT professionals, meaning that hard drive encryption has now become a baseline requirement in any office handling customer, contractor and/or employee information.
Whilst a number of major vendors have previously chosen to certify their security products with one or more independent test labs, the lack of common security certifications has meant that selecting the best product has not been an easy task.
This is what makes the new CPA certification scheme so welcome in the IT security industry. Suppliers will welcome the changes as it allows them to better define their products for customers, whilst customers, on both sides of the public/private sector divide, will be able to compare the offerings in the marketplace.
It will also allow organisations to prove that they have met the compliance requirements of relevant legislation and other best practices in an increasingly complex IT security world.
Over the past several decades – and most notably in the last ten years – the CESG division of GCHQ has allowed vendors and agencies working in and for the public sector to better understand the technical requirements needed for secure and efficient IT systems operations.
Certification schemes such as CAPS, CLAS, and FIPS have allowed vendors such as ourselves to work with public sector professionals and develop secure storage and allied security solutions that can be proven to adhere to a given set of security requirements.
For the wider world, a growing number of organisations are now able to better define what security standards they need to meet with their secure storage systems, as well as other encryption-driven technologies.
This has proven invaluable in meeting the self-assessment schemes such as those operated by the PCI Security Standards Council (PCI DSS) and other regulatory compliance programmes.
Taxpayers should welcome the new accreditation, since it greatly expands the choice and competition that governments can now select in their contract arrangements with IT suppliers. This is something that I have been seeking for some time, and I am pleased with what will be a win-win-win situation for everyone.