CASA Tiering

Stay organized with collections Save and categorize content based on your preferences.


CASA assurance tiers are solely focused on the method in which an application is assessed and the assurance that the application is compliant to the standard. The higher the assurance tier, the higher the confidence that the application has implemented the requirements. CASA recognizes 3 tiers as described below




Required Access



Lab Tested - Lab Verified

During this assessment, the authorized lab will test and validate all CASA requirements  

Access to the application code and deployment infrastructure required by the lab
Contact authorized labs for cost


Developer Tested - Lab Verified

During this assessment the application developer scans their application utilizing CASA recommended scanning tools and provide the scan result to the ADA for validation. The results are validated by an independent lab partner 

No access required No cost


Self Assessment - Not Verified

The self assessment tier is not an assurance level, because it is not validated. This tier is used to allow the developer to understand their application readiness for CASA assessment

No access required
No cost

Tiers Calculation

The framework users (Google..etc) and not the application developer calculate and determine tiers. CASA recommends the following parameters to calculate the application required assurance tier:

  1. The sensitivity of the data the application is accessing. Each data type might be given a risk weight to affect the tier calculation.

  2. The amount of users per type of data accessed.

  3. The company risk tolerance level.

  4. External and internal risk indicators.

Revalidation Requirements

All applications must be revalidated every year. The application tier can increase to a higher tier however, once an application has been validated at tier 3 it will continue to be validated at tier 3 level.

CASA Revalidation Flow