Introduction
NPSA runs various functional evaluation schemes for automated access control products. This page describes the schemes and the process that manufacturers should follow for product submission. On successfully passing the evaluation, products will be awarded a specific grade (known as a CLASS rating) and listed in the NPSA Catalogue of Security Equipment (CSE).
All evaluations are funded by the manufacturer and specific costs will be determined by the test lab performing the evaluation, based on the scope and complexity of the product being evaluated.
In any given evaluation against the standards above, it is unlikely that products can be tested in complete isolation. As such products supplied for an evaluation will fall under two categories, “core” and “peripheral”.
Components that when connected together provide the functionality required by that specific standard and are therefore examined in detail during the evaluation and form the “assured product”.
Components that the core product will be connected to in a deployment and that generate data and/or take actions as determined by the core product.
Typically, there will be a choice of peripheral components available (from either the manufacturer submitting or other manufacturers) and one of these choices will be used to demonstrate and test the functionality of the core product during the evaluation. The manufacturer is expected to provide peripheral devices that demonstrate the functionality and security of the core product and that meet any requirements and dependencies identified in the standard.
Evaluation Schemes Status
NPSA currently have functional standards for the following product areas:
Product |
Scheme Status |
Current Standard |
---|---|---|
Automated Access Control Systems (AACS) |
Open to Submission | Automated Access Control Systems v1.2 (June 2022) |
Tokens |
Open to Submission | Tokens v1.0 (March 2021) |
Keypads |
Open to Submission | Keypads v1.0 (March 2021) |
Readers |
Open to Submission | Readers v1.0 (March 2021) |
Biometric Authentication for AACS |
Open to Submission | Biometric Authentication for Automatic Access Control Systems v3.0 (October 2023) |
The above Access Control Standards can be requested by completing the Product Submission process.
Evaluation Schemes Detail
The major components that form an Automated Access Control solution are shown in figure 1. The differing core components assured under each evaluation scheme are also shown within this diagram.
Whilst the core AACS, Tokens, Keypads, Readers and Biometrics components shown in Figure 1 will be discussed in more detail in the sections below, some of the peripheral components shown that connect to the core AACS component (e.g., Intrusion detection protective switches and locking hardware, including mechanical and electrical locks) are covered by separate evaluation programmes. NPSA will be publishing more information on these programmes in due course.
AACS
An AACS evaluation is designed to assure the functionality of the “brains” of an Access Control System.
Typical core components evaluated under this evaluation scheme are:
- The main door controller hardware and enclosure
- The server/workstation hardware and software that enable the operation of the AACS. This is typically the data centre based server hardware running the main AACS application and the workstation software used to configure and maintain the AACS application in day-to-day use.
To achieve a CLASS 2 or 3 grade (see below for further guidance on grades), products must also undertake a CAPSS evaluation.
Tokens, Reader and Keypads
Tokens, Keypads & Readers are separate components that form part of the wider control of access solution to identify the user to the AACS.
A Token is used in a control of access solution to store encrypted “user data”. This data is passed to the Reader which, in turn, passes it onto the automated access control system. A token submitted for NPSA evaluation must use a common criteria certified chip.
A Reader is a component used in a control of access solution to retrieve a secured secret / encrypted user data from a token.
A Keypad is used as part of physical access control to allow a user to enter a PIN in addition to presenting a Token to a Reader. It is implemented as part of an access control system to provide a second factor for authorising physical access and is not intended to provide access control in isolation.
Separate evaluation standards exist for Tokens, Readers, and Keypads. Products that consist of a combined Keypad and Reader should be evaluated using both Reader and Keypad standards.
As part of undertaking one, or a combination of these standards, the product manufacturer is also required to undergo an NCSC CPA Build Standard evaluation. This standard describes the engineering principles and practices that are expected from a product developer creating a good quality, life-cycle secure product.
Biometrics for Automated Access Control Systems
A Biometrics evaluation is designed to evaluate the performance and accuracy of biometric systems used as the main or secondary factor of authentication used in an AACS. Sensors capable of processing modalities such as (but not limited to) fingerprint, face, iris and palm biometrics, are evaluated under this standard.
For products implementing biometric systems that incorporate an integrated reader or keypad, these will be required to undertake evaluation against both biometric AND reader or keypad standards.
In addition to presentation attack detection evaluation, additional requirements will be assessed in terms of data security.
The main areas that will be considered:
- Basic tamper resistance
- Basic cyber security requirements
- Build product design and build processes
To achieve a CLASS 3 grade (see below for further guidance on grades), products must also undertake a CAPSS evaluation.
Evaluation Schemes Scope
For NPSA Access control evaluation schemes, examples of core and peripheral equipment are shown in the table below.
Evaluation Scheme |
Core (The assured product) |
Peripheral (Components that facilitate an evaluation) |
---|---|---|
AACS |
Door controller including enclosure Server hosting the main AACS application Workstation hosting the administrative/end user software User Enrolment Workstation |
Token Keypad Reader Door Protective Switch |
Tokens |
Token |
Reader Keypad (optional) AACS (optional) |
Keypads |
Keypad |
Token AACS Reader (optional) |
Readers |
Reader |
AACS (optional) Keypad (optional) |
Biometrics |
Biometric Sensor Server hosting the Biometric database User Enrolment Workstation |
AACS |
Only core components that form a product will be classed as assured by NPSA. Peripheral components are not assured for independent use, unless they have been evaluated separately as core components under another relevant scheme (e.g., tokens, reader and keypads).
Evaluation Schemes Grading
Based on the results of an evaluation the product will be awarded a CLASS level.
CLASS levels are not publicly advertised, but are available to Government and CNI sites.
There are three NPSA-defined classes: CLASS 1, 2 and 3. In its simplest form, the CLASS grading is awarded based on its resistance to attackers of different abilities as below.
An attacker with basic knowledge. They are looking to undertake their attack without any real concern for avoiding detection using rudimentary methods to defeat the product.
An attacker with technical product knowledge. They are motivated to defeat the product and to avoid detection. They will also use more sophisticated equipment to undertake their attack.
A highly skilled attacker specifically trained to undertake the attack. They have access to specialist tools, training facilities and knowledge; they are very well resourced.
For each of the evaluation schemes the following gradings apply.
Standard/Grading | Class 1 | Class 2 | Class 3 |
---|---|---|---|
AACS Standard Only |
Successful completion of the AACS Standard |
Not available |
Not available |
AACS Standards + CAPSS |
All classes available – result dependent on evaluation performance | ||
Tokens |
All classes available – result dependent on evaluation performance | ||
Readers |
All classes available – result dependent on evaluation performance | ||
Keypads |
All classes available – result dependent on evaluation performance | ||
Biometrics |
Successful completion of BAACS Standard |
Successful completion of BAACS Standard |
Not available |
Biometrics + CAPSS |
All classes available – result dependent on evaluation performance |
Evaluation Schemes Process
If a manufacturer wishes to submit a product for an assurance evaluation the following steps should be followed
The manufacturer reads the requirements of the appropriate standard (using relevant technical personnel) to ensure its relevance to the product. Standards can be requested using the CSE submission process form using the relevant category. | |
The manufacturer contacts an authorised NPSA test lab (listed below). The test lab and manufacturer discuss the evaluation process and the standard's requirement. | |
The manufacturer completes an NPSA Self-Funded Manufacturer Agreement. This can be requested from NPSA via the test lab. This form needs to be completed and signed by the manufacturer and returned to the test lab who will forward to NPSA. | |
Once necessary financial and legal agreements are in place between the manufacturer and the test lab, the formal evaluation will proceed. | |
The manufacturer installs and configures the core product and any associated peripheral components at the test lab's location of choice where it is commissioned appropriately. Training of test lab staff to a suitable level is required. | |
The product is evaluated by the test lab. The test lab may ask specific questions to the manufacturer about the product during the evaluation period. The test lab issues a detailed report to NPSA for review and a panel comprising of test lab and NPSA personnel is convened to discuss the findings and issue the evaluation result. | |
Should a product pass the evaluation, the manufacturer will be notified of the result by letter and advised on future use of the NPSA trademark. The product will then be published in the CSE. | |
Should a product fail to achieve a CLASS rating, the manufacturer will be notified of the result by letter and a summary report will be issued by the test lab containing findings and recommendations on required areas of improvement. | |
NPSA's decision is final and non-contestable. Manufacturers will be encouraged to fix any necessary adverse findings and to resubmit the product for partial or full evaluation. |
Post Evaluation Requirements
Following a successful evaluation, the product will be assured for an initial period of two years, after which the manufacturer will be expected to undergo a lightweight renewal process performed by a Test Lab of the manufacturer's choice. This will be repeated after a further two years (i.e. four years after initial evaluation). A full evaluation will be required six years after the initial evaluation.
The following steps are required at two and four years from the initial pass being awarded.
Approximately four to six months prior to expiry, the manufacturer will engage with any of the NPSA approved test labs. This process will be funded by the manufacturer. | |
The manufacturer provides a change log of the product since the initial evaluation to the test lab. | |
A two day (indicative) impact assessment is carried out by the test lab comparing changes submitted by the manufacturer to the current published standard. | |
A gap analysis to identify any fundamental changes to the product and/or development processes compared to the initial evaluation is performed by the test lab. | |
A recommendation of what type of intervention (e.g. minor document review, partial re-evaluation or full re-evaluation) is provided by the test lab to NPSA. | |
NPSA panel will review the test lab report and findings and will be reported back to the manufacturer by the test lab. | |
If no significant issues are reported, NPSA will write to the manufacturer confirming the trademark will be awarded for a further two years. If significant issues of concern are reported, a partial (or full) re-assessment may be required. At six years from the initial pass the product is required to undergo full reassessment. |
NPSA Authorised Test Labs
Evaluation Scheme |
Test Lab |
Test Lab Contact |
---|---|---|
AACS |
BSI CyTAL NCC |
|
Tokens |
BSI CyTAL NCC |
|
Readers |
BSI CyTAL NCC |
|
Keypads |
BSI CyTAL NCC |
|
Readers |
BSI CyTAL NCC |
|
Biometrics | Ingenium Biometrics | [email protected] |