How to include your product or service in ENS ALTA.
The Catalog of Information and Communication Technology Security Products and Services (CPSTIC) / CCN - STIC 105 is growing rapidly, with an increasing number of manufacturers interested in including their products and services in this catalog. Furthermore, the trend of including solutions in the ENS ALTA category is on the rise.
Assurance level categories as considered in CCN-STIC 140 "Taxonomía de referencia para productos de seguridad TIC"
The structure of the Security Products and Services STIC Catalog (CPSTIC by its acronym in Spanish) is defined in the guía CCN-STIC 140 “Taxonomía de referencia para productos de seguridad TIC".
There are two categories in which a solution can be included in the catalog: MEDIA and ALTA, depending on the type of evaluation performed (LINCE or Common Criteria) and the comprehensiveness of the tests. To qualify a product or service, it must comply with the Fundamental Security Requirements (RFS) defined for each family, included in the corresponding annexes of the CCN-STIC 140.
Category MEDIA: By default, this category includes all products and services that have been qualified or certified using the LINCE methodology. It is accepted by most taxonomies, although it is important to note that some taxonomies only allow the ALTA category, as is the case with Device Management Tools (UEM) or Electronic Signature Tools, to name a few.
Category ALTA: More and more manufacturers are evaluating their products with the intention of including them in this category. Nevertheless, there are taxonomies, such as IP Cameras or Video Management Tools, that do not yet have annexes that include the Fundamental Security Requirements (RFS) to evaluate products in the category ALTA
Benefits of including your product or service in ENS ALTA
Stand out from the competitors If there are competitors in the same taxonomy but in the category MEDIA, being in ALTA represents an advantage to potential buyers.
Enhanced security for your solution: Being in ENS ALTA means passing more laboratory tests and trials, providing greater assurances to users.
Boost your sales and marketing strategy: Having a distinction granted by an institution like CCN/CPSTIC is a recognition for the product and an exploitable commercial advantage.
Different ways to include a product or service in ENS ALTA
There are several ways to include a product in ENS ALTA, which are explained below:
Products not in the catalog and without Common Criteria certification: LINCE/STIC + Complementary STIC + Continuous Qualification
Products not in the catalog but with Common Criteria certification: In this case, the security target should be reviewed, verifying the Protection Profile or EAL (assurance level) with which the product has been Common Criteria certified and comparing it with the requirements of the catalog´s taxonomy where the product is desired to be included. If the initial evaluation meets the catalog´s requirements, the product is included without additional tests.
If it does not meet them, certain tests will be required, in which case the path to follow would be: Complementary STIC + Continuous Qualification.
If it meets the taxonomy´s requirements, it is directly included in the ALTA category.
Products in the catalog in the category MEDIA without Common Criteria certification: Complementary STIC + Continuous Qualification
But, what do each of the processes outlined above mean?
Common Criteria Certification: It is an international standard (ISO/IEC 15408) and the most recognized certification used to assess the security of ICT products. The product is evaluated based on security levels (EALs) or Protection Profiles (PP) that indicate the requirements the product must meet. You can find more information on our dedicated Common Criteria page.
LINCE certification: A national scope certification (Spain) for BASIC or MEDIA security products. The LINCE evaluation is carried out within a defined time and effort. It is the most commonly used methodology for including products in the CPSTIC / CCN - STIC 105 catalog. Obtaining only this certification is NOT valid for inclusion in ENS ALTA. You can find more information on our dedicated LINCE page.
STIC Evaluation: Created for products developed directly in the cloud, in addition to meeting the requirements specified for their taxonomy with the LINCE methodology, the product/service must also meet the requirements specified in Annex G "Cloud Services." You can find more information on our dedicated STIC evaluation page.
Complementary STIC Evaluation: This type of evaluation is based on certain additional tests that the product or service must pass to be included in the catalog in the ENS ALTA category. There are two scenarios that may require this type of evaluation: having Common Criteria certification and needing to test specific requirements to access the catalog, or having a LINCE qualified/certified product in MEDIA and wanting to qualify for ALTA.
Continuous Qualification: Once the product or service has been included in the ALTA category, it is necessary to continuously evaluate the different versions of the product that are implemented if the product does not have Common Criteria certification. Therefore, continuous qualification is required, which means having a cybersecurity laboratory accredited by CCN to conduct tests on the different versions. You can find more information on our dedicated CrowdStrike Continuous Qualification success case page..
I want to include my product or service in the ENS ALTA category, what steps should I follow?
As we have seen, accessing the ENS ALTA category is often a significant effort, and there are different paths to follow depending on each specific case. Therefore, at jtsec, we always recommend contacting professionals who can guide you on the most suitable path to make the process as viable as possible.
We have extensive experience in including products and services in the ENS ALTA category, so if you have any questions, we would be happy to assist you.