Legal framework in which the CPSTIC CCN - STIC 105 catalogue is included in the sphere of Public Administration
It is no surprise that the number of products and services included in the reference catalogue of cybersecurity products for the Administration, CPSTIC / CCN-STIC 105, is continuously growing, with each year's certifications/qualifications surpassing the previous year's.
There are several reasons for this remarkable growth, among which we can highlight:
The commitment of manufacturers to improve cybersecurity in their products.
The good work and desire to improve the field of cybersecurity by all the actors involved in the process: manufacturers, accredited assessment laboratories, Certification Bodies and public administrations in general.
Legal compliance for working with the Public Administration.
We will focus particularly on this last point, which we will develop below.
Legal compliance for working with the Public Administration
More than a year ago, Royal Decree 311/2022 of 3 May, which regulates the National Security Scheme (ENS, by its acronym in Spanish), introduced the reference to the CCN's Catalogue of Information and Communication Technology Security Products and Services (CPSTIC), together with the set of requirements and reinforcements relating to certified/qualified products and services depending on their taxonomy.
One of the achievements of the new version of the ENS has been to unite the security requirements established in the ENS with the efforts that the CCN has been making for several years with the creation of the CPSTIC product catalogue.
Is it mandatory for my product or service to be part of the CPSTIC catalogue in order to work with the Public Administration?
According to the ENS, and we quote an extract from point 4.1.5 concerning Certified Components:
"The CCN Catalogue of Information and Communication Technology Security Products and Services (CPSTIC) will be used to select the products or services supplied by a third party that form part of the security architecture of the system and those that are expressly referenced in the measures of this royal decree."
From this extract it can be deduced that, according to what is set out in the ENS, a cybersecurity certification or qualification applied to the ICT product, guaranteeing the correct implementation of the product's security functionality, is indeed mandatory.
What is the Dynamic Public Administration Procurement System?
It is a fully electronic method of ongoing procurement, open for its entire duration to any interested company that meets the selection criteria. This technique makes a large number of offers available, thus increasing competition. It is based on two stages:
In the initial stage, companies that meet the necessary selection criteria are admitted to the dynamic procurement system; in the second stage, the companies admitted in the previous round submit their bids.
In these dynamic procurement systems, the general conditions for requiring security certifications/qualifications have been included, as well as the admissible means of accrediting security, with links to the ENS, the CPSTIC and also to the certifications that may arise from Regulation (EU) 2019/881.
How to include my product in the CPSTIC CCN-STIC 105 catalogue? We can help you.
LINCE evaluation: The original assessment for on-premise products; the scope of this certification is national (Spain).
STIC evaluation: Similar to the LINCE assessment, but focused on products developed in the cloud. It also requires the evaluation of the cloud part according to Annex G "Cloud Services".
Complementary STIC: For products that already hold a Common Criteria certification and aim to enter the catalogue. It basically consists of complementing the original certification with functional and penetration tests.
You can find more information in the following links:
Our website.
Our YouTube channel.
Cloud native solutions, welcome to the CPSTIC / CCN-STIC 105 Catalogue
The SaaS market is growing every year, and administrations are increasingly opting to use this type of solution in their daily management and operations. Evaluating solutions developed in the cloud had therefore become an urgent need. In 2020, CCN published "Annex G", which applies to the "Cloud Services" taxonomy, thus creating the first evaluation framework for qualifying cloud products in Spain and Europe.
This initiative, presented at the last CCN conference, has made it possible to modernise the catalogue and bring it into line with the reality in administrations. Cloud service providers such as AWS, Google and Microsoft already have cloud services included in the catalogue.
Success stories of qualified products and services.
The catalogue grows and adapts to the needs of the market. The qualification of certain products has been a real milestone beyond our borders. Here are some of them:
Electric vehicle chargers: Several studies reflect the potential impact of a cyber-attack on the electric vehicle charger network. The requirement to comply with LINCE certification, imposed by one of Spain's largest electricity utilities, has improved the sector's cybersecurity at the national level.
Video identification tools: This is the first time that national legislation, a ministerial order (Order ETD/465/2021, 6 May), has been created requiring cybersecurity certification/qualification for an IT product. Being such a pioneering product, it required CCN to create an evaluation methodology that is a world first.
OT Security - Port management software: Strengthening the cybersecurity of critical infrastructures is one of the objectives of the Administration. It is a pioneering project at national level in which software of these characteristics is evaluated. This evaluation resulted in the creation of the OT Security category within the CPSTIC catalogue.
Conclusions
The Spanish administration is implementing mechanisms for the use of ICT products that have passed a security assessment and have a secure use procedure. This work provides administrations with a very beneficial tool for the procurement of cybersecurity products.
Additionally, both through the dynamic procurement system and in the drafting of tender documents by the various administrations, we see the necessary impetus to encourage manufacturers to continue to invest in the certification/qualification processes for their products.
Nothing is perfect, and we still see calls for tender requesting ENS compliance for a product instead of its inclusion in the CPSTIC catalogue; but looking back, we are building an ever-stronger path to do our bit in preventing cyber-attacks.