As the cyber threat landscape continues to evolve, the UK’s National Cyber Security Centre (NCSC) has raised the bar, shifting from compliance-driven security models to outcome-focused resilience frameworks. Product vendors operating in critical infrastructure, government and commercial sectors are now expected not just to protect their products and services, but to prove that they can withstand real-world threats. At the same time, security is not expected to hinder innovation through rigid constraints that delay market rollout. That’s where the Cyber Resilience Test (CRT) scheme comes into play.
CGI in the UK is proud to be an NCSC-assured Cyber Resilience Test Facility (CRTF) service provider, helping clients embed resilience from the ground up and supporting the rapid development and deployment of secure, innovative products through the Principles-Based Assurance (PBA) approach. By integrating security assurance early in the development lifecycle, organisations can confidently demonstrate the robustness of their products while maintaining agility and speed to market.
Secure by Design and Secure Code of Practice: A proactive mandate
The UK Government and NCSC’s collaborative Secure by Design and Software Security Secure Code of Practice initiatives redefine how cyber security is embedded into technology lifecycles. Moving beyond reactive controls, they emphasise engineering-led resilience, ensuring security is built in.
At the heart of this shift in enterprise security assurance is the Cyber Assessment Framework (CAF). Originally created for Critical National Infrastructure under the NIS Regulations, it is now widely adopted across sectors to evaluate how well organisations manage cyber resilience. Secure by Design pushes this even further by applying assurance throughout the development lifecycle of digital services and connected technologies.
Similarly, for technology and product assurance, the NCSC’s PBA moves away from static checklists toward a flexible, evidence-driven approach. It focuses on three critical lifecycle stages:
- Development
- Design and functionality
- Through-life management
This is operationalised through Assurance Principles and Claims (APC), using a structured Claims, Arguments, Evidence (CAE) model: the vendor states a claim about the product's security, supports it with an argument, and backs the argument with evidence. Organisations are thereby able to demonstrate security outcomes tailored to real-world threats, rather than being confined to prescriptive controls.
CRTF: Independent, risk-based product assurance
Launched at CYBERUK 2025, the CRTF scheme establishes a national network of NCSC-assured facilities, including CGI in the UK, where vendors can demonstrate product resilience through structured testing.
Key features of the CRTF model:
- Open to all connected technologies (not just traditional security tools)
- Enables risk-based, context-aware assurance
- Encourages innovation by breaking the all-or-nothing mindset of compliance
This initiative significantly expands the scope and accessibility of product assurance, bringing rigorous testing to a broader range of technologies with potential national impact, while following a risk-based approach that does not hinder innovation or time to market.
Why CRT and PBA matter for technology vendors
- Faster time to market: CRT streamlines assurance processes, enabling faster deployment of trusted products.
- Independent verification by CGI: As an NCSC-assured CRTF provider, CGI conducts a rigorous, impartial review of the claim evidence, giving you confidence that the product meets the required standard.
- Enhanced market confidence: Buyers increasingly demand validated assurance, and CRTF-tested products can demonstrate their security and transparency in a way that supports adoption.
- Lower total cost of ownership: Proactive assurance reduces security incidents, improves remediation times, and drives operational efficiency.
- Regulatory advantage: CRTF-tested solutions often enjoy smoother interactions with regulators, thanks to alignment with NCSC-endorsed standards recognised across multiple frameworks.
To discover how we can help you integrate resilience, meet regulatory expectations, and drive secure growth: