A few days ago 2022 came to an end and a very exciting 2023 began for the whole jtsec team, one that we have no doubt will bring very interesting projects and challenges. Looking back at the year just ended, we have seen the incredible evolution of the LINCE methodology and the more than significant number of solutions included in the CPSTIC / CCN-STIC 105 catalogue. We would therefore like to give a brief summary of our contribution.
Number of products included in the catalogue in 2022 and evaluated by jtsec
A total of 22 products have been included in the catalogue after being evaluated by jtsec. It is a great joy for us to be able to collaborate with companies such as Stormshield, Deciso V.B, Autek, Instituto CIES, Sidertia, Proofpoint, Check Point, Defense Balance, AWS, Dinosec or Huawei, among others, for the evaluation of their products.
There are different methods for a product to be included in the CPSTIC / CCN STIC-105 catalogue:
Common Criteria certification: This type of certification is the most internationally recognized. Products that have previously obtained this certification and comply with the security requirements of the taxonomy to which it applies are included in the catalogue.
LINCE certification: This option is adapted to the requirements of the national market. A large number of the products currently in the catalogue have obtained a LINCE certification. It is issued for a specific version, and the evaluation is done on premise.
STIC Evaluation: This applies to services developed natively in the cloud, which means that they do not have an on-premise version that can be certified. These solutions cannot obtain certification, but they can obtain qualification to be included in the catalogue. This year, 7 STIC cloud solutions have been qualified by jtsec. This is a great success considering that annex G, which applies to "Cloud Services", was published less than two years ago.
Supplementary STIC Assessment: This is based on certain additional tests that must be carried out on some products that have previously obtained Common Criteria certification in order to be included in the CPSTIC / CCN STIC-105 catalogue. In this way, a complete evaluation does not have to be carried out, only some tests required by the catalogue itself.
Penetration Test: Including a solution in the categories within the taxonomy "Compliance and security governance products and services" does not require a Security Target or a LINCE evaluation, but it does require performing some penetration tests to verify that the tool complies with minimum security requirements.
CPSTIC / CCN STIC-105 catalogue, the family grows
The catalogue has faced several challenges during 2022. On jtsec's side, we have reached some remarkable milestones:
First solution included in the catalogue and evaluated by jtsec in the "Herramientas de videoidentificación" taxonomy, ElectronicID VideoID High Solution, developed by Electronic ID.
First product included in the taxonomy "Gobernanza y Planificación de la Seguridad", ANA, developed by Centro Criptológico Nacional.
First two solutions included in "Formación y Concienciación de Ciberseguridad": PSAT – Proofpoint Security Awareness Training (Proofpoint) and Smartfense (Defense Balance).
First product included in "Herramientas de videoconferencia", PEXIP Infinity, developed by PEXIP.
In addition to these milestones, in 2022 we have qualified solutions in different categories such as:
Pasarela segura de intercambio de datos (Secure Data Exchange Gateway)
Dispositivos de Red Inalámbricos (Wireless Network Devices)
Dispositivos para gestión de claves criptográficas (Cryptographic key management devices)
Gestión de identidades, IM (Identity Management)
Otras herramientas (Other tools)
EPP (Endpoint Protection Platform)
EDR (Endpoint Detection and Response)
Cifrado y compartición segura de información (Encryption and secure sharing of information)
Sistemas de gestión de eventos de seguridad, SIEM (Security information and event management)
Redes Privadas Virtuales - IPSEC (Virtual Private Networks - IPSEC)
At jtsec we support the conservation of the Iberian lynx. For each new client that includes a product or service in the catalogue, we symbolically "adopt" an Iberian lynx through a contribution to the NGO WWF. This year we are very proud to have "adopted" 11 Iberian lynxes.
Conferences on LINCE methodology
During this year we have had the opportunity to participate in different events and present our point of view on different topics related to the LINCE methodology and the CPSTIC / CCN STIC-105 catalogue, among which we would like to highlight:
XVI Jornadas CCNCERT, “España y CCN como referentes en la evaluación de ciberseguridad de soluciones en la nube”
XVI Jornadas CCNCERT, “Evolucionando la Evaluación Criptográfica”
16 ENISE, “¿Cómo incluir productos y servicios en el catálogo CPSTIC (CCN-STIC 105)?”
Number of assessments initiated in 2022 and forecasts for 2023
We have initiated a total of 59 evaluation processes in 2022, a quite remarkable number that highlights two important points: first, the concern of manufacturers to develop products and services that meet minimum cybersecurity standards and, second, the interest of the Public Administration in acquiring cybersecurity products included in the catalogue.
All of this offers us a horizon in which public and private companies and public administrations are committed to acquiring cybersecure products and services.