A few weeks ago, we bid farewell to 2023, making way for a 2024 that, truth be told, has started with quite some intensity, filling us with optimism and excitement for this year that has just begun. Reflecting on the year that has passed, we've witnessed the incredible growth of the LINCE methodology and the significant number of solutions included in the CPSTIC / CCN-STIC 105 catalog. Therefore, we'd like to provide a brief summary of our humble contribution in this regard.
In total, over 43 products previously evaluated by jtsec have been included in the catalog.
Many of them were included with several versions of the solution or in different taxonomies, amounting to a total of 128 products included in the CPSTIC catalog. We have had the privilege of collaborating with companies such as Stormshield, Deciso V.B, Watchguard, Sidertia, Proofpoint, Check Point, AWS, Trend Micro, CyberArk, Forescout or Huawei, among others, for the evaluation of their products.
Different methods for a product to be included in the CPSTIC / CCN STIC-105 catalog:
- Common Criteria Certification: This type of certification is the most widely applied internationally concerning product cybersecurity, as it is recognized in more than 30 countries. Products that have previously obtained such certification and meet the security requirements of the applicable taxonomy are included in the catalog.
- LINCE Certification: This option is adapted to the requirements of the national market. A large number of the products currently in the catalog have obtained LINCE certification. This certification is done on a specific version, and the evaluation is carried out on-premises.
- STIC Evaluation: This applies to services developed natively in the cloud, for those that do not have an on-premise version that can be certified. Such solutions receive a qualification to enter the catalog. This year, over 70% of the solutions evaluated by jtsec have been cloud-based STIC. Quite a success considering that Annex G, which applies to "Cloud Services," was published in 2020.
- Complementary STIC: Some products have Common Criteria certification, but the security level (EAL) or the Protection Profile they apply does not fit the catalog's requirements. For these, certain additional tests must be performed to be included in the CPSTIC / CCN STIC-105 catalog. This way, a complete evaluation does not have to be performed, only certain tests required by the catalog itself.
- Penetration Testing: This type of evaluation applies to solutions that want to be included in the "Conformity and Security Governance Products and Services" taxonomy. Access to it does not require a Security Declaration or any documentation, so a complete LINCE evaluation is not required, but penetration tests must be passed to verify that the tool meets minimum security requirements.
CPSTIC / CCN STIC-105, the family grows
The challenges faced by the catalog during 2023 have been varied. For our part, at jtsec, we have achieved some notable milestones, such as:
- The evaluation of the first product from a new taxonomy, SOAR ("Security, Orchestration, Automation and Response Systems"), where jtsec has collaborated in creating the tests to be developed.
- The first Google service included in the catalog, External Key Management ("EKM").
- The first product included in the catalog with the cryptographic module that has been evaluated under the cryptographic mechanisms methodology created by the CCN-CERT National Cryptologic Center.
In addition to these milestones, in 2023, we have qualified solutions in different families, including:
- Video identification tools
- Wireless Network Devices
- EPP (Endpoint Protection Platform)
- EDR (Endpoint Detection and Response)
- Privileged Access Management (PAM)
- Security Information and Event Management (SIEM)
At jtsec, we collaborate in the conservation of the Iberian Lynx. Therefore, for every new client that includes a product or service in the catalog, we symbolically adopt an Iberian Lynx, contributing to the WWF NGO. This year, we are extremely proud to have adopted 15 Iberian Lynxes.
Conferences in 2023 on the LINCE methodology
During this year, we had the opportunity to participate in different events and present our point of view on various topics related to the LINCE methodology and the CPSTIC / CCN STIC-105 catalog, among which we would like to highlight:
- XVII Jornadas CCNCERT, “Cómo evaluar soluciones biométricas para incluir productos de videoidentificación en el catálogo CPSTIC CCN-STIC 105”
- XVII Jornadas CCNCERT, “Evolucionando la Evaluación Criptográfica – Episodio II”
- 17 ENISE, “To be or not to be, la importancia de incluir tu producto o servicio en el catálogo CPSTIC (CCN-STIC 105)”
Number of evaluations started in 2023 and forecasts for 2024
A total of 95 evaluation processes were initiated in 2023, an outstanding figure that highlights the concern of both manufacturers and the Public Administration to have secure products and services that meet minimum cybersecurity standards. All this offers us a horizon in which the use of cybersecurity products is a key element for public and private companies and the Public Administration.