Spain's Cyber Defense Analysis, before FEINDEF 2025

Blog · 8 May 2025 · Posted by: jtsec Team

Two years ago, just before FEINDEF 2023, we published an article analysing Spain's cybersecurity from the IT product security perspective. Two years later, as Spain prepares to host FEINDEF 2025, the International Defence and Security Exhibition, the nation's cybersecurity landscape has undergone significant transformations. Central to this evolution is the CPSTIC (Catalogue of ICT Security Products and Services), which has matured into a cornerstone of Spain's national security strategy.

Geopolitical Dynamics: Catalysts for Cybersecurity Emphasis

The ongoing conflict in Ukraine and shifting global alliances have underscored the importance of robust cybersecurity measures. In response, Spain has accelerated its defense spending, committing to allocate 2% of its GDP to defense by 2025—ahead of its initial 2029 target. This €10.47 billion investment plan earmarks 31% for cybersecurity initiatives, highlighting the sector's strategic importance.

This investment surge aligns with broader European efforts to enhance defense capabilities and reduce reliance on external entities. The European Commission's proposal to allow member states to increase defense spending without penalising budget deficits further supports this trend.

From Framework to Foundation: MEMeC Methodology

In our previous analysis, two years ago, we highlighted the importance of the CPSTIC, which provided a foundational framework for ICT security products by listing them as "Productos Aprobados" (Approved Products) for managing classified information. Since then, it has evolved into a comprehensive system, formalising processes and expanding its scope. A notable advancement is the introduction of the MEMeC (Methodology for the Evaluation of Cryptographic Mechanisms), developed by the National Cryptologic Center (CCN) with the support of jtsec.

The CCN-STIC-2100 guide (MEMeC) is becoming a standard requirement for products seeking approval, particularly those incorporating encryption mechanisms. The MEMeC provides a unified framework for evaluating cryptographic implementations in products undergoing Common Criteria (CC), LINCE, or STIC certifications.

The MEMeC outlines evaluation tasks across three ascending levels: CL1 (basic), CL2 (intermediate), and CL3 (advanced). It aims to standardise the evaluation process for both laboratories and manufacturers by providing clear guidelines tailored to each certification level. This includes specific tasks for evaluators and defined requirements for manufacturers to meet.

The methodology is structured into four main chapters:

  • Cryptographic Requirements: Steps to verify that the cryptographic mechanisms implemented in the Target of Evaluation (TOE), and their parameterisation, comply with CCN-defined requirements.
  • Approved Cryptographic Mechanisms: A list of cryptographic mechanisms authorised by the CCN, as specified in the CCN-STIC-221 guide.
  • Conformity Testing: Procedures using test vectors to verify the correct operation of each mechanism.
  • Common Implementation Pitfalls: Guidance on avoiding common implementation errors that could compromise user data or Sensitive Security Parameters (SSPs).
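The Conformity Testing chapter rests on known-answer test vectors: feed each approved mechanism a published input and compare its output with the published result. The harness below is an added illustration of that idea, not CCN or jtsec material; it runs public SHA-256 (FIPS 180-4) and HMAC-SHA-256 (RFC 4231) vectors against the Python standard library standing in for a TOE, and the `Vector` type, the vector set and the report format are assumptions of this example.

```python
# Known-answer (test-vector) conformity harness. Added example, not CCN
# or jtsec code; the Vector type and report format are assumptions.
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Vector:
    mechanism: str   # name of the mechanism under test
    inputs: dict     # raw inputs fed to the implementation
    expected: str    # expected output, lowercase hex


# Constructed vector set taken from public references:
# FIPS 180-4 ("abc") and RFC 4231 test cases 1 and 2.
VECTORS = [
    Vector("SHA-256", {"msg": b"abc"},
           "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    Vector("HMAC-SHA-256", {"key": b"\x0b" * 20, "msg": b"Hi There"},
           "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
    Vector("HMAC-SHA-256", {"key": b"Jefe", "msg": b"what do ya want for nothing?"},
           "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"),
]

# Implementations under test, keyed by mechanism name. In a real evaluation
# these would wrap the TOE's own crypto; hashlib/hmac stand in here.
IMPLEMENTATIONS = {
    "SHA-256": lambda v: hashlib.sha256(v["msg"]).hexdigest(),
    "HMAC-SHA-256": lambda v: hmac.new(v["key"], v["msg"], "sha256").hexdigest(),
}


def run_conformity(vectors, impls):
    """Return {mechanism: (passed, failed)} over all vectors.
    A missing or crashing implementation counts as a failure, so an
    unsupported mechanism can never silently pass."""
    report = {}
    for vec in vectors:
        passed, failed = report.get(vec.mechanism, (0, 0))
        impl = impls.get(vec.mechanism)
        try:
            ok = impl is not None and impl(vec.inputs).lower() == vec.expected
        except Exception:
            ok = False
        report[vec.mechanism] = (passed + int(ok), failed + int(not ok))
    return report


def conformant(report):
    """Overall verdict: at least one mechanism tested and zero failures."""
    return bool(report) and all(f == 0 for _, f in report.values())
```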

Additionally, the MEMeC is supported by supplementary documentation, including the Vendor Questionnaire, Vendor Questionnaire Lite, and Vendor Questionnaire RNG, detailed in annexes CCN-STIC 2100A, 2100B, and 2100C, respectively.

By adopting the MEMeC, the CCN aims to streamline and harmonise the evaluation process for cryptographic mechanisms, ensuring that products meet national security standards and facilitating their inclusion in the CPSTIC catalogue.

Diversification and Growth: An Expanding Catalogue

The CPSTIC has seen a significant increase in both the number and variety of listed products, reflecting the dynamic nature of cybersecurity threats and the need for diverse solutions. A notable development is the expansion of its taxonomies to include new product families. The new taxonomies now encompass categories such as:

  • Security Orchestration, Automation, and Response (SOAR) Systems
  • Zero Trust Network Access (ZTNA)
  • Metadata Management
  • Cloud Services
  • IP Cameras
  • Video Management Tools
  • Operational Technology (OT) Security

This expansion demonstrates CPSTIC's commitment to staying at the forefront of cybersecurity by adapting to emerging technologies and threats. By incorporating these new categories, CPSTIC ensures that the catalogue remains relevant and comprehensive, providing organisations with the necessary tools to protect against constantly evolving cyber threats.

Navigating the Approval Process: Pathways to Certification

Inclusion in the CPSTIC requires a rigorous evaluation process, tailored to the product's intended use and sensitivity level. Products are categorised as either "qualified" or "approved":

  • Qualified Products: These have certified security features suitable for systems under the National Security Framework (ENS) across all categories (High, Medium…).
  • Approved Products: Designed to handle classified information, these products undergo additional scrutiny to ensure information security and user qualification.

To be considered for the "Approved Products" list, a product must first achieve qualification under the High category of the National Security Framework (ENS). This can be accomplished through various certification pathways, including:

  • Common Criteria (CC) Certification
  • EUCC (European Union Common Criteria) Certification
  • LINCE (Lightweight Evaluation of ICT Security) Certification

It's important to note that obtaining a CC or EUCC certification does not automatically grant ENS High qualification. In such cases, a complementary STIC evaluation is required to assess compliance with the specific security requirements outlined by the CCN.

Once a product is qualified as ENS High, the manufacturer must secure sponsorship from a public administration entity to initiate the approval process. The CCN will then conduct a case-by-case assessment, which may include:

  • Additional Penetration Testing
  • Application of the MEMeC (Methodology for the Evaluation of Cryptographic Mechanisms)
  • Other Ad-hoc Evaluations

These evaluations are tailored based on the product's intended deployment environment and its specific functionalities. The goal is to ensure that the product meets the highest security standards required for handling classified information.

Achieving "Approved" status is not a one-off, linear process but a cyclical one. The CCN requires periodic re-evaluations to ensure continued compliance with evolving security threats and standards. This may involve annual testing, or assessments in response to newly identified vulnerabilities or advances in attack methodologies.

jtsec: Your Partner in Navigating the CPSTIC Approval Process

At jtsec, an Applus+ company, we specialise in guiding manufacturers through every phase of the CPSTIC approval process. Our expertise encompasses:

  • LINCE, Common Criteria, and EUCC Certifications
  • Complementary STIC Evaluations
  • Application of the MEMeC Methodology
  • Tailored Penetration Testing for Approved Status

Our extensive experience has positioned us as a leading laboratory in Spain for assisting products in gaining inclusion in the CPSTIC catalogue. We understand the complexities of the approval process and are committed to providing comprehensive support to ensure your product meets all necessary requirements.

Furthermore, achieving certifications such as Common Criteria or EUCC not only facilitates inclusion in the CPSTIC but also enhances your product's credibility in international markets, opening doors to broader opportunities.

For more information on how jtsec can assist you in navigating the CPSTIC approval process, please contact us.
