Design guidelines for high assurance products

This document outlines the recommended strategies for the design, development, and security evaluation of products and systems designed to withstand heightened threats. It presents a collection of fundamental principles that can be applied to establish high-level security targets, which can subsequently inform design choices and development workflows.

It is intended for organizations exposed to these heightened threats, or for those aiming to create products and systems capable of countering them, particularly:

  • purchasers of these products (or external evaluators), so that they can trust a product's ability to counter heightened threats
  • creators of products and systems intended to protect against heightened threats

This guidance supports the existing technology principles established by the NCSC (including those for cloud security, cross-domain products, and secure communications), and can be employed alongside these to evaluate how well products deliver protection against both standard and heightened threats.

Applying these principles depends on being able to collect and validate evidence against them. The generation and verification of evidence can be accomplished through various methods that yield different levels of assurance, including:

  • self-declaration by product developers
  • verification of submitted evidence by a purchasing organization for their internal use
  • commissioning independent evaluation from a third-party organization

NCSC Guidance

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/design-guidelines-for-high-assurance-products
