Differences between qualifying and certifying a product


- April
Posted by: Javier Tallón
Differences between qualifying and certifying a product

On several occasions we have commented in our blog on the process to be followed to include products or services in the CPSTIC catalogue. The CPSTIC catalogue is a guide to ICT security products recommended by the CCN. All the products and services included therein have passed an evaluation in accordance with the LINCE or Common Criteria methodology, so they offer security guarantees contrasted by the CCN.

What is a qualified product? Definition and cases.

These are ICT security products that have successfully passed a process that meets the requirements established by the CCN for the family or families of products to which they belong. Therefore, these products are suitable for use in systems under the scope of the ENS whose maximum category is the category for which they have been qualified (HIGH or MEDIUM/BASIC). All products that have completed the qualification process also have a Secure Use Procedure.

The qualification ensures that the security functionality included in the product is suitable for use in the administration. The list of qualified products and services can be found in the "Catalogue of ICT Security Products and Services (CPSTIC)" published by the CCN (CCN-STIC-105 or at https://oc.ccn.cni.es/en/cis-product-catalogue/what-is-the-catalogue).

To qualify a product, it must meet one of the following criteria:

  • Cloud services having to comply with the Fundamental Security Requirements (RFS) required for Cloud Security Services. *Note: It should be noted that cloud services cannot be certified at present.

  • All products that have obtained a LINCE certification.

  • Products that have obtained a Common Criteria certification and their RFSs match those set out in the CCN-STIC guidelines.

  • Products that have obtained a Common Criteria certification and their RFSs do NOT match those set out in the CCN-STIC guidelines. In this case, a complementary STIC evaluation is required.

    What is a certified product? Definition and cases.

    Certified products are those that have successfully passed an evaluation process carried out by an independent and accredited laboratory, such as jtsec. To do so, a Security Target must be made, which is the basic document that reflects the security functionality of the product to be evaluated and the description of the different relationships between the product and the environment in which it will be used.

    Obtaining certification implies recognition of the veracity of its Security Target. As we have already mentioned, two main certification methodologies are currently used: Common Criteria (internationally recognised) and LINCE (recognised only in Spain).

    Why are cloud services cannot be certified?

    When a product is certified, it is done on a specific version and the evaluation is done on premise, i.e. the security of the product is evaluated at a precise moment in time and the object of the evaluation can be identified exactly. It is as if we were taking a snapshot of the cybersecurity of the product at that moment, in that version.

    However, more and more products/services are being developed directly in the cloud (cloud-native). They are deployed in the cloud and are usually developments in constant evolution, making it impossible to identify the exact object of the evaluation.

    For this reason, it is currently not possible to certify a cloud service with the existing evaluation methodologies.

    Does my product have to be LINCE or Common Criteria certified to be included in the CPSTIC catalogue?

    The answer is NO, the product does not necessarily have to obtain a LINCE or Common Criteria certification. However, it is true that it must pass, as a minimum, an evaluation that complies with the Fundamental Security Requirements (FSR) corresponding to its family, as defined by the CCN. All products and services included in the CPSTIC catalogue are qualified, but not all of them are certified.

    We are experts in certifying and qualifying products for the CPSTIC catalogue.

    At jtsec we are the leading laboratory for the inclusion of solutions in the CPSTIC catalogue in the different possible ways.

    If you have any questions, we are happy to help you in your certification/qualification process, applying the approach that best suits your needs.

  • Javier Tallón/Technical Director

    Expert consultant on the Common Criteria standard, and other security assurance standards in the field of the information technology (FIPS 140-2, ITSEC, ISO 27K1, SOC 2, ENS...). Javier has served as an evaluator in the Spanish CB for the country major evaluation labs. As a consultant, he has successfully accompanied national and international companies in several certification processes (to EAL5+). His experience has led him to participate as a speaker at several conferences on computer security and certification (SuperSec, Cybercamp, Navaja Negra, International Common Criteria Conference, International Cryptographic Module Conference, EUCyberact Conference). He is also Cyber Security lecturer, giving classes of Secure Software Engineering at the University of Granada and is CISSP (Certified Information Systems Security Professional) and OSCP/OSCE (Offensive Security Certified Professional & Certified Expert) certified .

    In 2015 he begins to lay the foundations of what will be jtsec. He currently works as Technical Director of the evaluation lab and Chief Operations Officer (COO) of the Granada site from where the company develops most of the work. Recognized expert in various disciplines of cybersecurity (reversing, exploiting, web, ...), assumes the technical direction of most of the projects, directing and organizing the work of the team. He also leads the Research and Development area, encouraging the participation of the jtsec team in multiple Congresses.


    Send us your questions or suggestions!

    By sending your data you allow us to use it to resolve your doubts by sending you commercial information of interest. We will delete it when they are no longer necessary for this matter. Know your rights in our Privacy Policy.