The Spanish National Cryptological Centre (CCN, Centro Criptológico Nacional) published on its website, on 10/25/2017, the CCN-STIC 102 and 106 Guides, which set out the process to be followed for the approval of ICT security products for handling classified national information and for the inclusion of ICT security products in the Spanish Catalog of ICT Security Products (CPSTIC).
These guides are part of the CCN-STIC document series, through which the CCN has been developing and disseminating information and communication technology (ICT) security guides. The objective of these guides is to facilitate compliance with the security requirements of the Spanish Administration's ICT systems, in the context of the National Security Scheme (ENS, Esquema Nacional de Seguridad). With the CCN-STIC series, the aim is to establish a reference framework that supports the Spanish Administration's personnel in securing the ICT systems under their responsibility.
Security products intended to handle national classified information must comply with a set of information security guarantees, which must be accredited through a product assessment and certification process. In Spain, the National Cryptological Centre (CCN) is responsible for evaluating and certifying this type of product. To pass the certification process successfully, it is advisable to have expert advice on the matter. This is one of the specialized services we offer at jtsec, and it can save a lot of time and money by avoiding failed evaluations caused by deficiencies in product security or documentation.
The first of the two published guides, CCN-STIC 102, describes the procedure to be followed for the approval of ICT security products for handling classified national information and for the inclusion of ICT security products in the Spanish Catalog of ICT Security Products (CPSTIC). This guide applies to products intended to be purchased for use in systems processing national classified information. Some highlights of this guide are the following:
- The evaluation and certification of an ICT security product will cover aspects related to the implementation of functional security requirements for that product, as well as other aspects of the product that increase its security and maintain it throughout its useful life.
- Products that use cryptography to protect the confidentiality, integrity, authenticity and/or non-repudiation of classified national information must address the cryptological security of the algorithms used, their implementation in the system where they are included, and the effectiveness of their self-protection mechanisms.
- ICT security products that exceed the minimum required security requirements should also have their security verified against unwanted emanations (TEMPEST).
- For ICT security products that require other security products in order to operate, the latter must be included in the approval process or already be approved for the same or a higher classification level.
The aspects relating to product security in information processing that are considered during product evaluation and certification should be reviewed and analysed by experts in the field of security. Otherwise, the odds of not passing the assessment process are high. At jtsec we have extensive experience in this field, having carried out consulting work that helped a large number of products pass security certification processes.
The second of the published guides, CCN-STIC 106, includes the procedure to be followed and the evaluations required for an ICT security product to be included in the Qualified Products section within the Catalog of ICT Security Products (CPSTIC). This catalog, which will be published shortly under the title CCN-STIC 105, is a reference list of ICT security products supervised by the CCN. It provides the end user with a minimum level of confidence in the acquired products, with the security improvements derived from the evaluation and certification process, and their secure use in the Administration's networks is guaranteed by an Employment Procedure.
According to the CCN-STIC 106 Guide, for the inclusion of a product in the catalog, the CCN will take into account a series of criteria, such as:
- Classification of the information to be handled (Limited Dissemination, Confidential, Reserved, Secret)
- Product security features
- The category of the information system in which it can be used (high, medium, basic)
- The certificates issued
- The environment in which it will be used
Based on this information, the tests or evaluations that the corresponding ICT security product must pass will be determined.
Several of the products included in the ICT Security Products Catalog (CPSTIC) have been supported by jtsec in passing the evaluations required for their inclusion, through professional consulting work that is fundamental to success in the evaluation.
Both guides can be consulted on the CCN-CERT web portal.