How to enter ENS category high, stay in the catalog and add new versions of my product


- April
Posted by: Cristina Romero Rincón
How to enter ENS category high, stay in the catalog and add new versions of my product

What is CPSTIC and what certification categories can my product achieve?

The Catalog is designed as a tool that provides a list of ICT security products and services that have been evaluated and qualified according to the CCN Security Rules.

Both government agencies and private organizations consult this catalog to ensure that they select and acquire technology solutions that meet the security standards imposed by the CCN. This list includes products with certifications such as LINCE for ENS medium level or Common Criteria (CC) for ENS high level.

What is the difference between the medium and high ENS categories?

The ENS Media category includes those certified products intended for integration with systems that, while not critical, handle sensitive information or perform functions essential to the continuity of business operations and public services.

On the other hand, products certified to the ENS High category are those that provide a higher level of security, as they typically include advanced protection features such as robust cryptographic mechanisms. This classification is recommended for products that are intended to be integrated with critical systems to prevent serious consequences within the national security system, public health or the economic sector.

A High Category product can participate in Medium Category public tenders, but not vice versa. Therefore, it will be necessary to analyze the market and the bidding documents to decide which category the product should target.

It is possible to upgrade from Medium to High ENS category certification. This process is described below.

How can I get my Common Criteria certified product into the ENS High category?

If the product has a Common Criteria certification, the process for inclusion in the catalog as an ENS High Category product is required:

  • Differential Analysis: Analysis that compares the aspects evaluated under Common Criteria certification with the requirements specified in the CPSTIC ENS High category taxonomy (typically a Common Criteria protection profile and some additional requirements).
  • Supplemental STIC:In the event that the above analysis indicates the need for additional testing to meet CPSTIC standards, such testing should be conducted through a supplemental STIC. This procedure ensures that the product meets all criteria and requirements necessary for acceptance into CPSTIC.

Both procedures must be performed with an accredited laboratory and under CCN validation.

How can I get my product into ENS High without Common Criteria certification?

In general, products aiming for the ENS HIGH category require a Common Criteria certification + a complementary STIC, while for the MEDIUM category, a LINCE certification is usually required. However, a LINCE certified product may qualify for ENS Category HIGH if it meets certain requirements:

  1. It must have a current LINCE certification covering the requirements of the MEDIUM category.
  2. The implemented cryptography must meet the requirements of the HIGH category.
  3. A comparative analysis (DELTA) of the requirements evaluated in the ENS Medium category against those required in the ENS High category (usually a Common Criteria Protection Profile) must be performed, identifying the additional requirements to be tested by the laboratory.
  4. A signed commitment with an accredited laboratory is required to maintain the product in the High Category Catalog.

What is maintenance in the High Category Product Catalog?

A product that has entered the ENS High Category through the process described above must undergo annual maintenance of the product in the High Category. To do this, the vendor must perform a vulnerability analysis on the same version of the qualified product within a maximum of one year from the date of catalog entry and, if necessary, perform the associated testing with an accredited laboratory.

This is a mandatory process that must be repeated year after year to keep the product in the ENS High Category. CPSTIC requires manufacturers to sign a contract with an accredited laboratory to maintain the products in the catalog. The exact date that determines the next renewal period will be the date the analysis is completed, i.e. if a product is reviewed one month prior to its renewal date, the new renewal date will be set to the same month of the following year, not the month in which the first renewal was originally scheduled (an example is available in the diagram below).

It is recommended that these processes be scheduled 2 to 3 months prior to the renewal date. This allows sufficient time to perform additional testing or resolve any issues that may be identified, as any delay could result in the product being removed from the catalog.

What is the Continuous Qualification Strategy?

The Continuous Qualification Strategy described in the CCN-STIC-106, guide is presented as a solution to the challenges posed by the certification of ICT security products under traditional schemes. This strategy is proposed by CPSTIC to balance the need to maintain high security standards with the reality of the rapid life cycle of current technology development.

Continuous qualification consists of updating the catalog with a product version subsequent to the one evaluated. This involves 1) a difference analysis between the previously evaluated version and the current version + associated tests if necessary; and 2) a vulnerability analysis + associated tests if necessary.

Note that a Continuous Qualification process will remove the previously evaluated version from the catalog and replace it with the current version. If you want to keep the evaluated version and also add a more current version to the catalog, two separate processes must be performed: a catalog maintenance process for the version evaluated in the past, and a Continuous Qualification process for the current version.

The Continuous Qualification must also be renewed from year to year.

Until when can I maintain my product in the catalog or perform Continuous Qualification?

CPSTIC defines a period of 5 years from catalog entry for which an evaluation process should be performed from 0. If the product loses support or critical vulnerabilities are found, the period would be shorter.

What if my solution is in the cloud?

In this context, CPSTIC recognizes that these solutions undergo drastic changes and must undergo a recertification process from 0 every two years. Therefore, always under CPSTIC approval, certain cloud solutions will be able to enter directly into ENS High Category for two years, as long as they comply with the security requirements required for ENS High Category.

Can products with on-premises and cloud components take advantage of these strategies?

Components that are deployed locally (on-premises) can rely on Alta for ongoing qualification or maintenance, but those components of the solution that are in the cloud must start the certification process from the beginning as defined for cloud solutions.

For more information about these services and how they can benefit your organization, please contact us.

Cristina Romero Rincón/Junior consultant

Passionate about technology and continuous learning, I hold a degree in Criminology from the University of Sevilla and specialize in Cybersecurity. This combination of disciplines provides me with a unique and distinct perspective for addressing security issues, integrating technical knowledge for a more comprehensive understanding of the challenges at hand. In my current role as a consultant at jtsec Beyond IT Security, I apply the LINCE methodology to ensure that ICT security products meet the highest security standards, and I assist manufacturers in qualifying their products.


Send us your questions or suggestions!

By sending your data you allow us to use it to resolve your doubts by sending you commercial information of interest. We will delete it when they are no longer necessary for this matter. Know your rights in our Privacy Policy.