{{Short description|UK Government Standard for computer security}} The '''CESG Claims Tested Mark''' (abbreviated as '''CCT Mark''' or '''CCTM'''), formerly known as the '''CSIA Claims Tested Mark''',<ref>{{Cite web |url=http://www.cctmark.gov.uk/FAQs/tabid/56/Default.aspx |title=FAQs About CCTM<!-- Bot generated title --> |access-date=2008-05-14 |archive-url=https://web.archive.org/web/20080908012431/http://www.cctmark.gov.uk/FAQs/tabid/56/Default.aspx |archive-date=2008-09-08 |url-status=dead }}</ref> is a UK Government Standard for computer security.

The CCT Mark is based upon a framework in which vendors can make claims about the security attributes of their products and services, and independent testing laboratories can ''evaluate'' these products and services to determine whether they actually meet those claims. In other words, the CCT Mark provides a quality assurance approach to validate whether the implementation of a computer security product or service has been carried out in an appropriate manner.

== History ==

The CCT Mark was developed under the auspices of the UK Government's '''Central Sponsor for Information Assurance'''<ref>{{Cite web |url=http://www.csia.gov.uk/ |title=Central Sponsor for Information Assurance (CSIA)<!-- Bot generated title --> |access-date=2018-11-15 |archive-url=https://web.archive.org/web/20081119142533/http://www.csia.gov.uk/ |archive-date=2008-11-19 |url-status=dead }}</ref> (CSIA), which is part of the Cabinet Office's Intelligence, Security and Resilience (ISR) function. The role of providing specialist input to the CCT Mark fell to CESG as the UK National Technical Authority (NTA) for Information Security, who assumed responsibility for the scheme as a whole on 7 April 2008.

== Operation ==

All Testing Laboratories must comply with ISO 17025, with the United Kingdom Accreditation Service (UKAS) carrying out the accreditation.

== Comparisons == {{Unreferenced section|date=April 2023}}

The CCT Mark is often compared to the international Common Criteria (CC), which is simultaneously both correct and incorrect:

*Both provide methods for achieving a measure of assurance of computer security products and systems *Neither can provide a guarantee that approval means that no exploitable flaws exist, but rather reduce the likelihood of such flaw being present *The Common Criteria is constructed in a layered manner, with multiple Evaluation Assurance Level (EAL) specifications being available with increasing complexity, timescale and costs as the EAL number rises *Common Criteria is supported by a Mutual Recognition Agreement (MRA), which, at the lower EAL numbers at least, means that products tested in one country will normally be accepted in other markets *The CCT Mark is aimed at the same market as the lower CC EAL numbers (currently EAL1/2), and has been specifically designed for timescale and cost efficiency

== Future == {{Section update|date=September 2023}} As of September 2010, CESG have announced that the product assurance element of CCT Mark will be overtaken by the new Commercial Product Assurance (CPA) approach. It is unclear as yet whether CCT Mark will remain in existence for assurance of Information Security services.

== External links == * [https://web.archive.org/web/20080512035413/http://www.cctmark.gov.uk/ The official website of the CESG Claims Tested Mark]

== References == {{reflist}}

Category:Computer security procedures Category:GCHQ Category:Information assurance standards Category:Internet in the United Kingdom