The reference Catalog for Cybersecurity ICT Products in Spain (CPSTIC) has proven its great value and acceptance throughout its more than three years of existence. In an increasingly competitive and demanding market, the "Time to Market" is becoming shorter and shorter; therefore, new versions of products reach the market more and more frequently.
The CPSTIC catalog is not unaware of this fact, and proposes improvements in the processes and methods of inclusion in the catalog to meet the needs of both manufacturers of ICT solutions and their potential buyers.
Types of products included in the CPSTIC catalog and accepted evaluation methodologies
For a better understanding of the inclusion of a solution in the catalog, we must differentiate two types of products depending on the information they handle; based on this, they will be evaluated under different methodologies:
As we can see, both evaluations require considerable time and effort, which on many occasions is a problem for manufacturers in their continuous product improvement. To solve this problem, CCN has developed the so-called Continuous Qualification Strategy, aimed at always maintaining the latest version of the product in the CPSTIC Catalog.
What is the Continuous Qualification Strategy and how does it affect already certified products?
It is a strategy created by CCN to keep the CPSTIC catalog as up to date as possible. To this end, the most logical approach is to speed up the qualification and inclusion of products in the catalog through a Continuous Qualification Process. This process consists of evaluating software versions, firmware or hardware models not included in the initial certification without the need to carry out a complete evaluation process.
This is an open-ended process in which all minor versions or hardware models not included in the initial certification are qualified.
This would apply to a large number of manufacturers that create different versions of the same product whose differences are minimal with respect to the already certified product (e.g. number of ports, processor speed, etc.).
Due to the speed at which manufacturers develop their products, on many occasions, by the time certification ends, the product, which continues to evolve and improve, is already at a version later than the certified one. This creates a gap between the versions that the manufacturer is developing and the version that appears in the catalog.
A clear example would be a manufacturer of a firewall solution that creates a version 1.0, which is the one that begins to be evaluated under the LINCE methodology. During that time, the manufacturer develops version 1.1 of the same product. By the time version 1.0 is certified, version 1.1, although it differs only minimally from 1.0, is not in the catalog because it was not the version evaluated. However, version 1.1 is more up to date and more secure than the version in the catalog.
In order to solve this problem, the Continuous Qualification Strategy was created.
When does Continuous Qualification apply?
The CPSTIC catalog, implemented in 2018, currently has almost 300 certified solutions. This implies that many of the products included have undergone modifications since the initial version that was evaluated, and potentially the latest version is not in the catalog.
The Continuous Qualification will apply in the following cases:
How can jtsec help you in the evaluation of your products according to the Continuous Qualification Strategy?
At jtsec we are experts in LINCE and Common Criteria evaluations, the two methodologies accepted by the CCN for including products in the CPSTIC Catalog.
jtsec offers the following services:
The Continuous Qualification Strategy mainly concerns those manufacturers and/or developers who already have a product in the Catalog whose version has become obsolete due to the development of later versions, and who wish to include those later versions in the catalog. If this is your case and you have any questions, please do not hesitate to contact us. We will be happy to help you.