On several occasions we have commented in our blog on the process to be followed to include products or services in the CPSTIC catalogue. The CPSTIC catalogue is a guide to ICT security products recommended by the CCN. All the products and services included therein have passed an evaluation in accordance with the LINCE or Common Criteria methodology, so they offer security guarantees verified by the CCN.
What is a qualified product? Definition and cases.
These are ICT security products that have successfully passed a process that meets the requirements established by the CCN for the family or families of products to which they belong. Therefore, these products are suitable for use in systems under the scope of the ENS whose maximum category is the category for which they have been qualified (HIGH or MEDIUM/BASIC). All products that have completed the qualification process also have a Secure Use Procedure.
The qualification ensures that the security functionality included in the product is suitable for use in the administration. The list of qualified products and services can be found in the "Catalogue of ICT Security Products and Services (CPSTIC)" published by the CCN (CCN-STIC-105 or at https://oc.ccn.cni.es/en/cis-product-catalogue/what-is-the-catalogue).
To qualify a product, it must meet one of the following criteria:
What is a certified product? Definition and cases.
Certified products are those that have successfully passed an evaluation process carried out by an independent and accredited laboratory, such as jtsec. To do so, a Security Target must be made, which is the basic document that reflects the security functionality of the product to be evaluated and the description of the different relationships between the product and the environment in which it will be used.
Obtaining certification implies recognition of the veracity of its Security Target. As we have already mentioned, two main certification methodologies are currently used: Common Criteria (internationally recognised) and LINCE (recognised only in Spain).
Why can't cloud services be certified?
When a product is certified, it is done on a specific version and the evaluation is done on-premises, i.e. the security of the product is evaluated at a precise moment in time and the object of the evaluation can be identified exactly. It is as if we were taking a snapshot of the cybersecurity of the product at that moment, in that version.
However, more and more products/services are being developed directly in the cloud (cloud-native). They are deployed in the cloud and are usually developments in constant evolution, making it impossible to identify the exact object of the evaluation.
For this reason, it is currently not possible to certify a cloud service with the existing evaluation methodologies.
Does my product have to be LINCE or Common Criteria certified to be included in the CPSTIC catalogue?
The answer is NO, the product does not necessarily have to obtain a LINCE or Common Criteria certification. However, it is true that it must pass, as a minimum, an evaluation that complies with the Fundamental Security Requirements (FSR) corresponding to its family, as defined by the CCN. All products and services included in the CPSTIC catalogue are qualified, but not all of them are certified.
We are experts in certifying and qualifying products for the CPSTIC catalogue.
At jtsec we are the leading laboratory for the inclusion of solutions in the CPSTIC catalogue in the different possible ways.
If you have any questions, we are happy to help you in your certification/qualification process, applying the approach that best suits your needs.