Tailored Assurance Service (CTAS) assessment

A CTAS assessment has two phases, preparation and evaluation that are detailed in the CTAS principles and methodology. There is also an optional maintenance phase.

CTAS preparation phase 

The preparation phase has two distinct stages:

• Definition: This is where we produce and agree Security Target (ST), an outline an Evaluation Work Programme (EWP) , including associated activity plans. We also  develop a test plan and the product of an Assurance Maintenance Plan (AMP)
• Planning: This is where we produce the detailed activity plans for document review, audit, analysis (e.g. code reviews and cryptographic analysis) and test activities. We must also agree the detail of your EWP

CTAS evaluation phase

The evaluation phase has two separate stages:

• Activity: This is where we conduct document review, audit, analysis and test activities as specified in the EWP. This includes evaluating TOE in accordance with the ST
• Reporting: This involves us producing the CTAS Evaluation Report and draft AMP. An Assessment Statement will also be produced here by NCSC. 

CTAS maintenance phase

The maintenance phase is recommended by NCSC, however this is an optional, iterative phase that implements the selected maintenance activities for low-risk TOE changes. A maintenance phase cycle includes:

• Activity: Maintenance review and maintenance audit activities, including review of Security Impact Analysis, as specified in the AMP
• Reporting: Production of Assurance Maintenance Reports and NCSC reviews as required by the AMP; review of AMP and re-evaluation triggers