This snapshot taken on 05/09/2007, shows web content selected for preservation by The National Archives. External links, forms and search boxes may not work in archived websites.
1. What is the CCT Mark scheme?
The CCT Mark scheme provides a government quality mark for the private and public sectors based on accredited independent testing, designed to prove the validity of security functionality claims made by vendors.
Additionally, the CCT Mark scheme provides compliance testing against technical standards (lower level) for degaussing (data erasure) set by CESG as the UK National Technical Authority for IA.
The CCT Mark is broadly equivalent to Common Criteria (CC) EAL2. As such it is aimed primarily at products and services to meet Information assurance requirements at Government Impact Levels 1 and 2, for purchase by central government and the wider public sector, particularly the NHS, education, local authorities, police and criminal justice.
The CCT Mark satisfies the minimum assurance requirements for use in systems supporting the Transformational Government agenda.
2. Who runs the CCT Mark scheme?
The CCT Mark scheme is managed by the Central Sponsor for Information Assurance (CSIA), which is a unit of the Cabinet Office and provides a central focus for Information Assurance activity across the UK. For further information about CSIA, visit www.cabinetoffice.gov.uk/csia/.
3. Who carries out the CCT Mark claims testing?
The CCT Mark appointed Test Laboratories [are all approved to validate the security functionality claims of information security products and services according to the procedures set out in the Test Laboratory Guide. They are accredited against ISO/IEC17025 and for the CCT Mark claims method by the UK Accreditation Service. All appointed Test Labs are generalist, but some can undertake specialist testing including anti virus, hardware, smartcards and data erasure.
4. How do I know what products or services have been awarded the CCT Mark?
Full details of products and services awarded the CCT Mark are published on the CCT Mark website at CCT Mark awards.
5. Where can I find out what specific claims of an information security product or service, have been tested under the CCT Mark scheme?
Full details of the claims that have tested for a product or service are published in the Information Assurance Claims Document (ICD). A summary of the test results is published in the Test Report Summary. Both these documents can be found on the individual awards page for each product or service, which can be accessed from the CCT Mark awards page.
6. What the advantages of using a product or service that has been awarded the CCT Mark?
The CCT Mark provides a government quality mark for the public and private sectors based upon accredited independent testing, designed to prove the security functionality claims made by vendors. The CCT Mark will provide assurance that the product or service ‘will do what it says on the box’ in terms of its security functionality.
7. I am not a member of a Government Department; can I still buy CCT Mark certified products or services for my organisation?
Yes. The CCT Mark scheme was setup to assure commercial off the shelf products and services for use in the public sector and Government. These products and services are therefore freely available to anyone in the public or private sector. Purchasing CCT Mark assured products and services may even help an organisation meet their corporate governance obligations. For example, the public Company Accounting Reform and Investor Protections Act the international Capital Framework (Basel II) and compliance with the Information Security Management standard (ISO/IEC 27001).
1. What are the benefits of applying to the CCT Mark scheme?
The CCT Mark scheme is a quick and cost effective way of testing the security functionality of an information security product or service. The indicative cost to a Vendor of applying to the Scheme (including registration costs, producing the ICD and the claims testing process) should range between £10,000 and £20,000 per application.
The CCT Mark will give confidence to customers that the security functionality of a Vendor–s product or service has been independently validated through a government approved process. The CCT Mark scheme is aimed at customers in central government and the wider public sector, (particular the NHS, Education, Criminal Justice and Local Authorities to help them meet their Information Assurance requirements, which will help to give customers a wider choice of assured products and services.
Full details of products or services which have been awarded the CCT Mark are published on the CCT Mark Awards section of the website.
2. How long does it take to get the CCT Mark?
The whole process from registration through to award takes between 10–12 weeks. The claims testing process usually takes around 20 working days to complete, depending on the complexity of the claims. See How to avoid delays in getting your CCT Mark [PDF 28KB].
3. How long does the CCT Mark certification last for?
The CCT Mark certification for a product is valid for a maximum of two years from the date of the award. The CCT Mark is not valid for any other version or platforms other than those for which the CCT Mark Award was granted, or for any other product.
To allow for changes, the vendor can register to maintain the CCT Mark for an updated version of their product. This includes validating claims for additional or updated functionality, patches, new releases or versions, additional platforms.
The CCT Mark certification for a service is valid for a maximum of one year from the date of CCT Mark award. The vendor can register to maintain the CCT Mark for a second year.
Further details about the CCT Mark Maintenance can be found in the Vendor Guide [PDF, 559KB].
4. How do I register a product or service with the CCT Mark scheme?
To register an application for an information security product or service to be claims tested under the Scheme, the Vendor must first prepare an Information Assurance Claims Document (ICD). This document should provide clear and accurate statements about the security functionality of the product or service that they wish to be tested under the Scheme.
To complete the registration of the application, the Secretariat will issue two bound copies of the Vendor Agreement to the Vendor, of which they should sign and return one copy.
For further information, see the Vendor Guide [PDF, 559KB].
5. Which Test Laboratories have been approved to carry out claims testing for the Scheme?
The details of approved CCT Mark Test Laboratories can be found under CCT Mark Test Laboratories, including the type of testing they are approved to undertake. All are generalist but some can undertake specialist testing including anti virus, hardware, smartcards and data erasure.
6. Where can I get assistance in writing an Information Assurance Claims Document (ICD)?
The Vendor is responsible for producing the ICD but it is recommended that they should involve one of the CCT Mark Test Laboratories to provide advice and assistance in preparing the ICD. In particular, they should be able to advise that the claims as worded are actually testable and how to define the test approach.
The structure of a sample ICD can be found in Appendix A of the Vendor Guide [PDF, 559KB], whilst the ICDs of Vendors who have successfully been awarded the Mark can be found on the CCT Mark Awards section of this website.
7. How much does it cost to put my product or service through the CCT Mark scheme?
The cost of putting an information security product or service through the CCT Mark scheme should be between £10,000 and £20,000. This includes the cost of producing the ICD and the claims testing process. These costs are negotiable between the Test Laboratory and the Vendor and may vary according to the complexity of the claims for the product or service.
In addition, to register with the CCT Mark scheme, the vendor will need to pay a registration fee of £1000, (inc VAT) from 1st October 2007 the registration fee will be £1000 (plus VAT).
For details of how to pay, see Payment Information for Vendors [PDF 8KB].
8. Why does a Vendor need to sign a contract?
All Vendors must sign the Vendor Agreement with the Cabinet Office to complete the registration of each application submitted to the Scheme. The CCT Mark Vendor Agreement is a standard non–negotiable agreement which relates to the registration and approval of applications from Vendors under the CCT Mark scheme, including the licence to use the CCT Mark should the application be successful. To obtain a copy of the Vendor Agreement, please contact the CCT Mark Scheme Secretariat.
The Vendor will also need to agree a separate contract with one of the approved CCT Mark Test Laboratory’s to undertake claims testing against the ICD accepted under the Scheme, in accordance with the Test Laboratory Guide [PDF 585KB].
9. What does my registration fee cover?
10. What does the ‘Period of Assessment’ in the Vendor application form (service) mean?
This is a 12 month period during which the service has already been delivered to customers. The start of this 12 month period is 12 months prior to the start of claims testing. Customers will be asked by the Test Laboratory to comment on the quality of the service received from the vendor during this 12 month period in order to validate the claims in the Information Assurance Claims Document.
1. What are the requirements for becoming a CCT Mark approved Test Laboratory?
Test Laboratories are appointed by CSIA to operate under the Scheme. The approval of a Full Appointment will depend on the Test Laboratory being accredited as an ISO/IEC17025 testing laboratory for claims testing by the United Kingdom Accreditation Service (UKAS). Test Laboratories which are already accredited against ISO/IEC17025 will need to apply to UKAS in advance of their next visit for an Extension of Scope of their Schedule of Accreditation to cover claims testing under the Scheme.
Full Appointments are awarded to interested parties which have been successfully accredited by UKAS for claims testing and accepted into the Scheme by CSIA.
Test Laboratories that are not already accredited against ISO/IEC17025 for claims testing should make a formal application to UKAS for accreditation as a testing laboratory for claims testing. The Test Laboratory should complete the UKAS application form concerning the company and scope of accreditation sought (available from their website www.ukas.com ) and forward this, together with a copy of the Quality Manual and the application fee, to UKAS.
For further information, see the Test Laboratory Guide [PDF 585KB].
2. Why must I be ISO/IEC 17025 accredited?
It is a requirement of the CCT Mark scheme that claims testing must be performed by Test Laboratories accredited by UKAS against the international standard ISO/IEC17025.
Accreditation against ISO/IEC 17025 demonstrates the competence, impartiality and performance capability of evaluators.
3. How long will it take to become accredited to ISO/IEC17025?
Details of applying to the UK Accreditation Service for accreditation against ISO/IEC 17025 can be found at www.ukas.com
4. What do I need to do to become a specialist CCT Mark Test Laboratory?
Several technologies require specialised testing methods and equipment. The specialist testing categories identified for the CCT Mark Scheme are listed in Appendix E of the Test Laboratory Guide. The Test Methods for the specialist testing categories will be approved by CESG during the ISO/IEC 17025 accreditation process. Enquiries about specialist test methods should be directed to cctm@cesg.gsi.gov.uk.
5. How do I apply to become a CCT Mark Test Laboratory?
If you are already accredited by UKAS to the standard ISO/IEC17025 you can apply now. To do so, you should submit the following to the Scheme Secretariat:
The Scheme Secretariat will prepare the Test Laboratory Agreement based on the information provided in the application form, and will arrange for two copies of this to be signed by CSIA on behalf of the Minister for the Cabinet Office and sent to the Test Laboratory. The Test Laboratory should sign both copies and return one of these to the Scheme Secretariat within 10 business days of the date the signed Test Laboratory Agreements were received from the Scheme Secretariat.
The Test Laboratory’s appointment will be confirmed by the Scheme Secretariat when the Test Laboratory Agreement has been signed by both parties.
Details of Test Laboratories appointed under the Scheme can be found at CCT Mark Test Laboratories
6. Why does a Test Laboratory need to sign a contract?
All Test Laboratories are required to sign the Test Laboratory Agreement with the Cabinet Office, which confirms their appointment to the Scheme as an approved Test Laboratory.
The Test Laboratory Agreement is a standard non-negotiable agreement which relates to the testing of claims of products and services under the CCT Mark scheme. To obtain a copy of the Test Laboratory Agreement, please contact the CCT Mark Scheme Secretariat.
7. How much does it cost to be appointed as a CCT Mark Test Laboratory?
The current registration fee is £1000 (inc VAT) form 1st October 2007 the registration fee will be £1000 (plus VAT).
For details of how to pay, see Payment Information for Test Laboratories.
8. How long does the registration last?
Registration is valid for one year. Test Laboratories will need to re–register before their annual registration expires.