Europe has been leading the legislative field in the area of cybersecurity for several years, and one of the main reasons for this prevailing position was the creation of the EU Cybersecurity Act (CSA). One of the main goals of the CSA is to provide a European cybersecurity certification framework for ICT products, services and processes, so that companies wanting to market their solutions in Europe can certify their products just once and be recognized across the European Union. The CSA is quite an ambitious project, but it had the problem of a lack of evaluation methodologies, a challenge that is being solved with the efforts of the different stakeholders: ENISA, CEN/CENELEC, ETSI, ITSEFs, CABs, vendors, etc.
Why FITCEM was developed and what it is based on
Some European countries have developed their own fixed-time cybersecurity assessment methodologies, albeit all on a similar basis. Fixed-time certifications arose to solve the issues of duration and cost in existing certifications, such as Common Criteria, that are not suitable for low-assurance products.
Countries like France (CSPN), Germany (BSZ), the Netherlands (BSPA) or Spain (LINCE) have developed their own national schemes; you can check the comparison done by jtsec between these methodologies, “Analysis and comparison of lightweight evaluation methodologies”.
The main problem was that a vendor that wanted to sell their products, for example, in France and Spain had to pass two different certifications (CSPN and LINCE in this case), quite similar to each other, which meant a significant increase in costs and time spent by the vendor.
FITCEM, an open door to a promising future in cybersecurity in Europe
FITCEM is the first brick in a more united Europe in terms of horizontal cybersecurity schemes. FITCEM (EN 17640) opens the door for CSA schemes to use a European horizontal methodology that is flexible and can be customized to meet the needs of the different schemes. Moreover, FITCEM could potentially replace national methodologies, such as those referenced above.
Vendors are the main commercial beneficiaries of such initiatives developed at European level, as the entry of their products throughout Europe could be much quicker and more efficient.
Other European schemes such as EUCC (the Common Criteria-based European candidate cybersecurity certification scheme) are about to be published, reinforcing the idea of strengthening horizontal and cross-sectoral schemes across Europe.
Our contribution in the development of FITCEM
José Ruiz, CTO at jtsec Beyond IT Security, has been co-editor of the EN 17640 ‘Fixed-time cybersecurity evaluation methodology for ICT products’ (FITCEM).
This standard has been developed within CEN-CLC/JTC 13 ‘Cybersecurity and Data Protection’ WG3. This group is the CEN and CENELEC horizontal technical committee that addresses relevant international standards (especially from ISO/IEC JTC 1 SC 27) as European Standards (ENs) in the Information Technology (IT) domain.
If you are thinking of evaluating your ICT product under the FITCEM or any other scheme, do not hesitate to contact us so we can help you. We can assist you in getting your product certified in the shortest possible time, smoothing the process thanks to our technical expertise.