CASA Tiering

Overview

CASA assurance tiers are a way of classifying the security of an application based on the level of assurance that the application is compliant with the CASA requirements. The higher the assurance tier, the higher the confidence that the application has implemented the required CASA controls.

All requirements must be satisfied at every tier; the only difference between tiers is the assessment method that applies. CASA assurance tiers thus provide a way of objectively assessing the security of an application.

Tiers

| Tier | Name | Estimated Lab Hours | Description |
|---|---|---|---|
| 3 | Lab Tested - Lab Verified | 60 | During this assessment, the authorized lab tests and validates all CASA requirements. This is a comprehensive assessment that tests the application, the application deployment infrastructure and any user data storage location for compliance with all CASA requirements (where applicable). |
| 2 | Lab Tested - Lab Verified | 4 | Tier 2 is a lab-tested and lab-validated assurance level; developers can opt in to contact one of the authorized labs to complete a Tier 2 assessment. See assessment process below. |
| 2 | Developer Tested - Lab Verified | 1 | During this assessment the application developer scans their application using the CASA recommended scanning tools and provides the scan results to the ADA for validation. |
| 1 | Developer Tested - Developer Verified | 0 | The self-assessment tier is not an assurance level, because it is not validated. This tier allows the developer to gauge their application's readiness for a CASA assessment. |

Assurance

| Tier | Application | Deployment Infrastructure | Data Storage | Validation |
|---|---|---|---|---|
| Tier 2 (Developer Tested - Lab Verified) | Developer Tested | Developer Attestation | Developer Attestation | Authorized Lab Verified |
| Tier 2 (Lab Tested - Lab Verified) | Authorized Lab Tested | Developer Attestation | Developer Attestation | Authorized Lab Verified |
| Tier 3 (Lab Tested - Lab Verified) | Authorized Lab Tested | Authorized Lab Tested | Authorized Lab Tested | Authorized Lab Verified |

Tiers Calculation

The framework users (for example, Google), not the application developer, calculate and determine the tier. CASA recommends the following parameters for calculating the assurance tier an application requires:

  1. The sensitivity of the data the application is accessing. Each data type might be given a risk weight to affect the tier calculation.

  2. The number of users per type of data accessed.

  3. The company risk tolerance level.

  4. External and internal risk indicators.

Revalidation Requirements

All applications must be revalidated every year. On revalidation, an application's required tier can increase to a higher tier.

CASA Revalidation Flow