Is Your Data Sanitization Method Compliant as NCSC CPA Certification Changes? 

Jul 19, 2024 Blog Article

When the National Cyber Security Centre announced it was ending its Commercial Product Assurance Scheme for everything but smart meters, thousands of UK businesses were left in a state of confusion. The NCSC Certification was a critical marker for businesses that need to meet strict data sanitization regulations under the Data Protection Act and GDPR. However, the end of the certification does not mean that the software you use no longer compliantly erases data. It just means if you require third-party validation of a product’s data sanitization capabilities, especially for a government RFP, you will need to look to another certification for verification.  

By Stephanie Larochelle, Blancco Senior Content Writer

Stephanie Larochelle, a tech enthusiast and writer based in Florida, is dedicated to simplifying the intricacies of the digital world. As Blancco's senior content writer, her goal is to make data erasure easily understandable and approachable so everyone can navigate this crucial aspect of data security.

What did the NCSC CPA scheme certify?   

An NCSC Certification meant that a product’s security functions met standards (referred to as Security Characteristics) during rigorous internal testing. For data sanitization, the NCSC Certification verified that software securely and permanently erased data to meet specific data erasure standards, including:

These are generally accepted for erasing data in compliance with the Data Protection Act, GDPR, and other regulations. These acts mandate that all data on a subject will be permanently erased when required, and the NCSC Certification showed the software was capable of doing so.

Well, at least it used to. As of 2022, the NCSC discontinued the scheme for anything but smart meters. This does not mean that certified products no longer meet the standards they were tested against. It just means that the NCSC is no longer able to certify they do.  

Why is the UK NCSC certification being replaced? 

Certification is a necessary tool for enterprises, ITADs, and mobile processors. It helps them identify the software they need to meet compliance standards. However, it can be a double-edged sword. In the NCSC’s case, they identified three primary problems leading to the sunset of the current CPA scheme:  

In short, the certification scheme had the potential to impede innovation. Enterprises with limited resources might scale back on product development to avoid putting their certification at risk.  

Unfortunately, that issue isn’t isolated to the NCSC Certification alone. A lot of certifications adhere to a rigid set of standards; that’s what they are supposed to do. But with how quickly new solutions and software are designed today, there’s a need to be more agile.  

The NCSC is working to create a new scheme that addresses this, though there’s no ETA on completion. In the meantime, organizations needing third-party validation of a product’s data sanitization capabilities will have to look for alternative certifications. Blancco’s position on the end of the NCSC CPA Scheme for data erasure is best summarized by VP and General Manager International Fredrik Forslund:  

“The conclusion of the NCSC’s certification scheme for data erasure products presents a challenge that must be addressed from two angles. Firstly, government organizations should update their RFP criteria to ensure they are current and do not require ‘NCSC approved’ tools in the technology stacks of those responsible for erasing their data. This ensures that procurement processes remain relevant and compliant with the latest standards.   

Secondly, those tasked with data erasure must seek alternative certifications to maintain compliance with applicable laws. Common Criteria is the most recognized certification, although ADISA may gain more significance as organizations transition to data deletion standards established by IEEE 2883. It’s imperative for all stakeholders to adapt to these changes to uphold data security and regulatory compliance.” 

– Fredrik Forslund, Blancco VP and General Manager of International Sales

What is replacing the UK’s data erasure scheme?  

The NCSC directs organizations that can’t find the functionality they need in an NCSC certified product to look to Common Criteria (under “I can’t find the product I need.”). 

Internationally recognized by 31 governments across the world, Common Criteria is an independent security certification that is similar to the NCSC’s. To achieve this certification, a product is tested in an independently certified lab based on criteria and standards established for certifying specific technologies. The results are then submitted to a certifying body for a final determination.

ADISA Certification is another product assurance scheme that may become more prevalent now that the NCSC scheme has changed. Like the NCSC Certification, it can verify that sanitization software meets erasure standards under NIST 800-88—but it also goes a step further. ADISA is also capable of verifying secure data erasure in line with the 2022 IEEE 2883 Standard on Data Sanitization.

Steve Mellings, Founder and CEO of ADISA Group, points out the opportunity in the end of the scheme, stating:

“CPA was limited to magnetic hard drives, and so its demise shouldn’t be viewed as a major problem. However, we can use this change as an opportunity for the industry itself to build assurance by independent certification to non-government published standards.”

– Steve Mellings, Founder and CEO of ADISA Group

ADISA is hoping to encourage the widespread adoption of IEEE standards. Mellings notes, “IEEE 2883 is the best logical sanitization standard available at present and should be considered as the benchmark to look for when selecting a sanitization product.”  

Detailing ADISA’s expertise with this certification, he goes through the organization’s extensive checks and balances. “Our testing process for this standard was designed by Technology Director, Dr. Phil Turner, who ran the test facility at QinetiQ which was responsible for the old CESG testing. We have based certification on the core principles from that time which is to build assurance by means of multiple different evaluation processes. The IEEE 2883 testing involves thirteen different tests, so products which pass this can be used with confidence that they meet the IEEE standard,” explains Mellings. 

Blancco’s SSD Erasure Method, along with Blancco Drive Eraser and Blancco Mobile Diagnostics & Erasure, have all been verified under various ADISA test schemes, passing rigorous evaluations to verify the complete and permanent erasure of data on a range of drives.

Organizations erasing government data can also review the UK’s Government Security Classifications Policy to review the individual requirements regarding data erasure products.  

In addition to passing tests like those carried out by ADISA, Blancco consistently submits its products for review by government-sponsored certification and approval agencies worldwide. These agencies meticulously analyze the algorithms, methods, and effectiveness of Blancco software. 

Tested, certified, approved, and recommended by multiple governing bodies and leading organizations globally, no other data erasure software matches this compliance with the rigorous requirements set by government agencies, legal authorities, and independent testing laboratories. Even as the NCSC Product Assurance Scheme changes, organizations can rely on Blancco for unparalleled expertise in data erasure and global compliance. 

Do you need data erasure that’s compliant with the standards formerly required by the NCSC CPA Scheme? Connect with us for a free trial.
