The National Cyber Security Centre (NCSC) is planning to introduce a service for the application of principles-based assurance.
Named PBAS, it will apply a methodology building on the NCSC’s research and threat knowledge to support organisations in a risk-based approach to cyber security.
The service is scheduled for launch in April 2023 for a small number of products and will be opened up more widely the following year.
The move derives from the centre’s work on the future of technology assurance – which led to the publication of a white paper last year – and is based on a series of principles to be used by the manufacturers of technology products and people responsible for cyber risk when deploying technology.
These include: assessing technology against principles and claims based on NCSC research; using proven claims, argument and evidence in an assurance case; providing a clear statement of risk rather than of compliance to support proportionate and informed risk management; and providing for a continuous assurance statement that can be integrated into ‘secure by design’ engineering processes.
More to come
NCSC said it plans to publish more detailed information about the operating model for PBAS soon, but that it will include a set of documents on assurance principles and claims, and assessment and governance processes.
Writing in a blog post, principal technical director assurance Duncan A said: “We’re already working with our partners to define and develop the technical details needed for PBAS to operate. We’ll also be communicating about the changes, and supporting manufacturers, assurance labs and risk owners with these changes.”