One small step for Cyber Resilience Test Facilities, one giant leap for technology assurance
Summary
The NCSC has announced that its new Cyber Resilience Test Facilities (CRTFs) — a national network of industry-run, NCSC-assured test facilities — have completed their first product assessments and had reports issued. CRTFs apply NCSC-approved Assurance Principles and Claims (APCs) to produce transparent, repeatable evaluation reports that focus on risk rather than a pass/fail compliance model. Reports highlight strengths and risks (e.g. GREEN/AMBER ratings) and give customers the information they need to make informed, risk-based decisions about acquiring or using technology.
Key Points
- CRTFs are a national network of industry facilities authorised to carry out cyber resilience testing using NCSC-approved standards.
- The first products assessed by CRTFs have received formal reports, showing the approach is operational and scalable.
- Assessments use a principles-based approach (APCs) that emphasises risk management over binary pass/fail outcomes.
- Each product gets a transparent report detailing observed risks and rationale so customers can judge impact and make risk-based procurement choices.
- The NCSC is transitioning its Assured Sanitisation Service (CAS-S) into a new NCSC Sanitisation Service delivered exclusively via CRTFs (CAS-S is closed to new evaluations).
- Key challenges being tackled include scaling high assurance, including for specialised tech (TEMPEST/OT), tailoring assurances for niche equipment, and aligning with other standards and international markets.
Content summary
Introduced at CYBERUK 2025, CRTFs let vendors demonstrate the cyber resilience of products and some services through standardised, transparent assessments. The process issues detailed reports that assign ratings and explain causes, enabling customers to weigh trade-offs and manage residual risk themselves. There is deliberately no single pass/fail outcome — the emphasis is on equipping buyers and operators with actionable evidence to guide development, integration and procurement.
The NCSC is expanding CRTF engagement — more industry partners, more products, and wider APC coverage — and converting the longstanding CAS-S sanitisation assurance into a CRTF-delivered NCSC Sanitisation Service with a published APC. The blog also lists strategic questions the NCSC is addressing around scaling assurance, accommodating specialised technology requirements, tailoring assessments, and international alignment.
Context and relevance
This matters for security teams, procurement, vendors and regulators. CRTFs are part of a broader shift from opaque compliance checklists to evidence-based, risk-focused assurance. That makes procurement decisions more informed, speeds vendor transparency, and helps scale trust in technology across supply chains. For vendors, a CRTF report is a way to demonstrate posture to customers; for buyers, it’s a practical input to risk decisions. The move to embed sanitisation assurance within CRTFs also consolidates assurance services under a common, repeatable model.
Why should I read this?
Short version: if you buy, sell or manage technology, this changes how you judge security. CRTFs give proper, scoped evidence — not hand-wavy claims — so you can decide what risks you’ll accept. It’s a tidy, practical step towards making assurance quicker, cheaper and less guessy. Read the details if you want to skip the noise and get straight to the bits that affect procurement, development and risk decisions.
Source
Written by Sean D, NCSC CTO Cyber Growth — Published 29 January 2026