We help you being compliant to CCN-STIC 102 and 106 guides of spanish National Cryptological Centre (CCN)


25 Oct 2017

The Spanish National Cryptological Centre (CCN, Centro Criptológico Nacional) published on its website, on 25 October 2017, the CCN-STIC 102 and CCN-STIC 106 guides. They describe the process to be followed for the approval of ICT security products for handling classified national information and for the inclusion of ICT security products in the Spanish Catalogue of ICT Security Products (CPSTIC).

These guides are part of the CCN-STIC document series, in which the CCN has been developing and disseminating information and communication technology (ICT) security guides. The objective of these guides is to facilitate compliance with the security requirements of the Spanish Administration's ICT systems, in the context of the National Security Scheme (ENS, Esquema Nacional de Seguridad). With the CCN-STIC series, the aim is to establish a reference framework that supports the Spanish Administration's personnel in securing the ICT systems under their responsibility.

Security products intended to handle national classified information must comply with a set of information security guarantees, which must be accredited through a product evaluation and certification process. In Spain, the National Cryptological Centre (CCN) is responsible for evaluating and certifying this type of product. To pass the certification process successfully, it is advisable to have expert advice on the matter. This is one of the specialized services we offer at jtsec, and it can save a lot of time and money by avoiding failed evaluations caused by deficiencies in the product's security or documentation.

The first of the two published guides, CCN-STIC 102, describes the procedure to be followed for the approval of ICT security products for handling classified national information and for their inclusion in the ICT Security Products Catalogue (CPSTIC). This guide applies to products to be purchased for use in systems processing classified national information. Some highlights of the contents of this guide are as follows:

  • The evaluation and certification of an ICT security product covers the implementation of the functional security requirements for that product, as well as other aspects of the product that increase its security and maintain it throughout its useful life.
  • Products using cryptography to protect the confidentiality, integrity, authenticity and/or non-repudiation of classified national information must address the cryptological security of the algorithms used, their implementation in the system where they are included, and the effectiveness of their self-protection mechanisms.
  • ICT security products that exceed the minimum required security requirements should also verify their security against unwanted emanations (TEMPEST).
  • For ICT security products that require other security products in order to operate, the latter must be included in the approval process or already approved for the same or a higher classification level.

The aspects relating to the security of the product's information handling, which are considered during product evaluation and certification, should be reviewed and analysed by experts in the field of security. Otherwise, the odds of not passing the evaluation process are high. At jtsec we have extensive experience in this field, having carried out consulting work that helped a large number of products pass security certification processes.

The second of the published guides, CCN-STIC 106, includes the procedure to be followed and the evaluations required for an ICT security product to be included in the Qualified Products section within the Catalogue of ICT Security Products (CPSTIC). This catalogue, which will be published shortly under the title CCN-STIC 105, is a reference list of ICT security products supervised by the CCN. It provides the end user with a minimum level of confidence in the acquired products, with the security improvements derived from the evaluation and certification process, and with their secure use in the Administration's networks guaranteed by an Employment Procedure.

According to the CCN-STIC 106 guide, for the inclusion of a product in the catalogue the CCN will take into account a series of criteria, such as:

  • Classification of the information to be handled (Limited Dissemination, Confidential, Reserved, Secret)
  • Product security features
  • The category of the information system in which it can be used (high, medium, basic)
  • The certificates issued
  • The environment in which it will be used

Based on this information, the tests or evaluations that the corresponding ICT security product must pass will be determined.

Several of the products included in the ICT Security Products Catalogue (CPSTIC) have been supported by jtsec in passing the evaluations required for their inclusion, through professional consulting work that is fundamental to success in the evaluation.

Both guides can be consulted on the CCN-CERT web portal.

José Pulido, Consulting Leader

Senior consultant on the Common Criteria, ISO 27001, SOC 2 and ENS standards and expert security software developer. Systems administrator and technology consultant with more than 6 years of experience in the field of computer security. José is responsible for the development of the CCGen tool, which helps generate Common Criteria documentation.

He has participated in security assessment projects for technological products of multinational firms, as part of both the assessment and the consulting teams, providing his expert point of view in strategic decision making for cybersecurity. As a developer, he has taken part in integral security projects, working on everything from the innermost parts of the systems to the security of the user interaction.

Currently he is the consulting leader of jtsec's team of cybersecurity experts, focusing his work on cybersecurity consulting while continuing to manage security-oriented software development teams. His main motivation for working in cybersecurity is helping to protect users from cyberthreats and information theft.
