What is CAPSS Assurance?
The Cyber Assurance of Physical Security Systems (CAPSS) programme is a formal evaluation scheme designed to assess both hardware and software‑based physical security products against a defined cyber security standard. The standard is established by the National Protective Security Authority (NPSA), which is part of MI5 within the UK’s national security framework.
Organisations procuring physical security systems can select products from the Catalogue of Security Equipment (CSE) with confidence, knowing each listed solution has undergone independent laboratory testing and demonstrated an appropriate level of cyber‑mitigation assurance.
Genesys is fully CAPSS‑assured and is included within the NPSA Catalogue of Security Equipment.
CAPSS Evaluations
CAPSS evaluations operate on a simple pass/fail basis, with no additional grading applied.
A CAPSS assessment examines both the technical security controls and the development and build standards of a product. This ensures that the manufacturer’s development practices—such as configuration management, change control, and flaw remediation—meet the required level of cyber assurance.
Technical Requirements
The technical evaluation covers five core areas:
- Physical Security
- Secure Configuration
- Network Security
- Authentication Management
- Monitoring
Evidence Requirements
Within each technical area, manufacturers must provide evidence across three key categories to demonstrate that appropriate cyber mitigations are in place:
Development Documentation
Demonstrates that the product has been designed and developed with cyber security principles embedded from the outset.
Technical Verification
An independent test laboratory validates that the claimed cyber mitigations function correctly and effectively.
Deployment Documentation
Confirms that the manufacturer provides clear, comprehensive hardening and deployment guidance to ensure the product can be installed and configured securely.
CAPSS CSE Entries
A CAPSS Catalogue of Security Equipment (CSE) entry provides a detailed description of the following:
- The core product that has been assured
- Peripheral products, devices, or protocols that can be used alongside the core product while maintaining its assurance
- The version of the CAPSS standard against which the product was evaluated
- The product version that was originally assured
- Any deployment considerations or limitations that end users should be aware of
Core and Peripheral Components
CAPSS defines product components in two categories: core and peripheral.
Core components are the elements that constitute the primary product and are produced by the submitting manufacturer. These typically include application software, dedicated hardware, and—in some cases—the configuration of supporting systems such as Windows Active Directory or third‑party databases.
Peripheral components are additional devices that interface with the core product and exchange data with it. Depending on the system, these may include cameras, keypads, readers, PIDS, IDS, and similar devices. These peripherals are not NPSA‑assured unless explicitly stated.
Why the CSE Entry Matters
The distinction between core and peripheral components is critical. Manufacturers may choose to assure only specific elements of their solution. For example, a Security Management System might assure only its Access Control or Video Management functionality.
In contrast, Genesys has undergone a comprehensive evaluation, covering integrations across multiple vendors and spanning all major areas of physical security—including network switches, Active Directory, and Building Management System interfaces. This provides end users with confidence that the entire solution meets CAPSS cyber assurance requirements, which is particularly important for Security Management platforms.
Peripheral devices may be produced either by the manufacturer or by third‑party vendors. CAPSS assurance focuses on the cyber mitigations of the core product, as well as the secure connection and data exchange between the core and its peripherals.
Product Updates and Lifecycle
Because CAPSS evaluates both the build quality and development processes of a product, manufacturers are permitted to update their products beyond the originally tested version. This includes:
- Applying security patches
- Remediating vulnerabilities
- Introducing new functionality
Such updates naturally result in version changes. All modifications are reviewed in accordance with the CAPSS lifecycle process, ensuring that the product continues to meet the required assurance level.