CPA is changing
Armour Mobile was first certified for use at OFFICIAL and OFFICIAL-SENSITIVE in Feb 2016 under the UK government CPA scheme.
However, the NCSC no longer accepts products for evaluation under the CPA scheme unless they are Smart Meters or smart metering products.
Products will be removed from the list of approved CPA products when their existing CPA certificate expires.
NCSC are looking to replace and modernise CPA in the meantime. The replacement will most likely focus on corporate rather than product capability and information security.
What is Armour doing?
- We’ve offered to be an early adopter of the NCSC’s CPA replacement scheme.
- We are already undertaking ISO27001 and expect to be awarded certification in Q1 2021.
- Armour Mobile already follows NCSC’s secure communications principles for secure comms products.
What are the benefits?
- Continuing our very close relationship with NCSC to give continued assurance to those customers who require it.
- ISO27001 focuses heavily on people, process, security and good practice, which is fully audited and goes beyond CPA in covering the entire company and all products.
What are NCSC’s secure communication principles and how do we meet them?
1 – Protect data in transit
- All our products encrypt all over-the-air data, both signalling and media.
2 – Protect network nodes with access to sensitive data.
- Armour Mobile provides network and security segregation of those services that handle sensitive data such as key material.
3 – Protect user access to the service.
- All our products require users to be centrally registered and securely provisioned in order to access their designated secure communications service.
4 – Ensure secure audit of communications is provided.
- An Armour Mobile system provides its owner with highly secure and complete auditing of all signalling and media traffic on the system (the system owner can opt to disable this capability if it is not required).
5 – Allow administrators to securely manage users and systems.
- All our products use a central management system to control which users can access the system and with which other users they are permitted to communicate.
6 – Use metadata only for its necessary purpose.
- Each Armour secure communications system stores only the metadata required for the functioning of that system, and it remains private, i.e. Armour cannot view any details of customer on-premises systems.
7 – Assess supply chain for trust and resilience.
- Armour manages and monitors both our suppliers and our development processes to ensure customers can trust the products we supply.
If you or your security accreditors still have any questions, please get in touch.