Verifying and validating that secure product development and maintenance processes have been implemented.

UL Cybersecurity Assurance Program (CAP) also verifies that the vendor of a certified product has a viable road map to maintain the security of a product through an assessment of organizational processes.

The UL 2900-3 Standard contains general requirements for product development and maintenance security processes that are verified during an organizational assessment.


UL performs an organizational assessment with focus on the following domains:

  • Patch management
  • Security Development Life cycle
  • Verification of industry-specific organizational processes, such as for the medical industry

Customers who choose CAP-certified products can expect that future patches, updates or new versions of the software used in a CAP-certified product will provide the same level of protection when compared with the product at the time of evaluation.