At CYBERUK 2025, we announced the NCSC’s new Cyber Resilience Test Facilities (CRTFs), a national network of assured facilities to help technology vendors demonstrate the cyber resilience of their products and some services.
We’re pleased to announce that the first products to go through CRTFs have now had their reports issued. This demonstrates that we can successfully delegate scalable assurance activities to UK industry in a consistent and structured way, using NCSC-approved standards and techniques.
The use of transparent standards creates a much more predictable, repeatable and economically viable way to gain trust in products than previous assurance approaches. More importantly, this principles-based approach to assurance – which focuses on risk rather than compliance – provides useful advice both to vendors and customers to improve product development, integration, and risk management.
All products assessed via CRTFs are issued a report that provides information on their performance against relevant principles, detailing the risks and putting the management and ownership of these risks into the hands of those who will be best positioned to judge the impacts.
Crucially, there is no ‘pass’ or ‘fail’ in this process. Rather, the report allows the customer to evaluate the individual areas assessed in order to make a more informed, risk-based decision to guide development, usage, or acquisition of the product. For example, in the summary report of a sample Cyber Resilience Test assessment shown below, a number of risks (indicated by AMBER) have been identified. The full report explains the causes or reasons behind each issue in more detail, allowing the customer to evaluate the risks more fully.

This is just the start of our mission to enable cyber security assurance at scale across the UK. In addition to increasing the number of industry partners, the number of products engaged with CRTF for assessment, and the breadth of Assurance Principles and Claims (APCs), we have identified the following challenges which we are actively working through:



