The primary difference between this and existing schemes is that for about $35,000 and within 20 days, it will be cheaper and faster for security vendors to win accreditation status for their products. There are alternative certification options such as Common Criteria EAL1 evaluation, but this always takes at least a year.
The Cabinet Office’s Central Sponsor for Information Assurance unit is pressing that the new Claims Tested Mark is adopted as a security standard, particularly in pubic sector circles.
The CCT Mark should provide procurement officers with a basic level of assurance, said to be equivalent to EAL1 on the Evaluation Assurance Level scale, that the vendor’s security claims have been validated in independent tests.
It will operate by using accredited test laboratories to test the information assurance functionality claims of products. So far, BT, EDS, IBM, and LogicaCMG have received the necessary approvals to test for CCT Mark certification.
The CCT Mark scheme will only carry out some very basic functional tests regarding the function of any cryptographic component of a product, but will not test its implementation or effectiveness.
IT security vendors SecureWave SA and BeCrypt Ltd are among the first to receive certification under the new scheme.
