
Standards and Approvals
Thales e-Security Products validated to CAPS
 

CAPS (CESG Assisted Products Scheme) is a certification scheme exclusive to the UK Government market. CAPS offers Government and MoD users the assurance that their security products have been tested to the highest standards.
The MoD has an additional certification scheme operated by the Defence Infosec Product Co-operation Group (DIPCOG), which offers extra guidance and assurance for MoD staff on the suitability of CAPS products for particular applications. Further information on CESG can be found at http://www.cesg.gov.uk/ and on DIPCOG at http://www.dipcog.mod.uk/.

During product development, Thales e-Security provides design information to CESG which describes how the product in question meets the security criteria for the target market. The formal explanation of compliance is published in a restricted document called the ‘security target’. At the end of a successful evaluation, CESG issue a CAPS certificate for the specific version of the product being assessed. Modifications to the product, whether to provide bug fixes or new functionality, require a reassessment by CESG before the revised product can be released. Depending on the complexity of the change, this can take several months because of the amount of testing needed to ensure the changes do not introduce any security vulnerabilities.

In all CAPS-approved products the cryptographic key material is generated by CESG and supplied in a secure manner to the end customer, sometimes through a trusted third party. All products under the CAPS scheme therefore employ key material controlled explicitly by CESG. This differs from the commercial market, where in most cases the end-user community generates and manages its own key material using a management system supplied by the vendor.

Each product is classified by category and according to its cryptographic grade. Currently CESG recognise products in Baseline (securing up to restricted information), Enhanced (typically securing up to short term SECRET) and high grade SECRET categories. The amount of documentation required, the strength of the security design, and the algorithms and key lengths used vary for each category. Thales e-Security concentrates on the Enhanced grade standard but has a number of offerings in both the Baseline and SECRET markets. The precise specifications on levels of classified data that a product can protect are summarised on the CAPS certificate. They are also confirmed during the ‘approval to purchase’ phase that the end-user undertakes before Thales e-Security is permitted to supply the product.

 


 
 
 
 
© Thales 2007