Do you want to keep your product version updated in the CPSTIC catalog?

22 April 2021
Posted by: jtsec Team

The reference Catalog for Cybersecurity ICT Products in Spain (CPSTIC) has proven its great value and acceptance throughout its more than three years of existence. In an increasingly competitive and demanding market, the "Time to Market" is becoming shorter and shorter; therefore, new versions of products reach the market more and more frequently.

The CPSTIC catalog is aware of this fact and proposes improvements in the processes and methods of inclusion in the catalog to meet the needs of both manufacturers of ICT solutions and their potential buyers.

Types of products included in the CPSTIC catalog and accepted evaluation methodologies

To better understand how a solution is included in the catalog, we must distinguish two types of products according to the information they handle; depending on this, they are evaluated under different methodologies:

  • Approved products and services: They handle classified information, so the evaluation required for inclusion in the catalog is Common Criteria. The minimum estimated time to obtain certification is 6 months.

  • Qualified products and services: These are products whose security functionalities are certified and suitable for use in systems affected by the ENS, in any of its categories (High, Medium and Basic). Inclusion is obtained by passing either an evaluation with a lightweight methodology such as LINCE, which normally requires between 4 and 6 months to obtain certification, or a Common Criteria evaluation.

As we can see, both evaluations require a considerable amount of time, which is often a problem for manufacturers in their continuous product improvement. To solve this problem, CCN has developed the so-called Continuous Qualification Strategy, aimed at always keeping the latest version of the product in the CPSTIC Catalog.

What is the Continuous Qualification Strategy and how does it affect already certified products?

It is a strategy created by CCN to keep the CPSTIC catalog as up to date as possible. To this end, the most logical approach is to speed up the qualification and inclusion of products in the catalog through a Continuous Qualification Process. This process consists of evaluating software versions, firmware or hardware models not included in the initial certification without the need to carry out a complete evaluation process.

This is an open-ended process in which all minor versions or hardware models not included in the initial certification are qualified.

This applies to a large number of manufacturers that create different versions of the same product whose differences are minimal with respect to the already certified product (e.g. number of ports, processor speed, etc.).

Due to the speed at which manufacturers develop their products, on many occasions when certification ends, the product, which continues to evolve and improve, is already in versions later than the certified one, thus creating a gap between the versions the manufacturer is developing and the version that appears in the catalog.

A clear example would be a manufacturer of a Firewall solution that creates a version 1.0, which is the one that begins to be evaluated under the LINCE methodology. During that time, the manufacturer develops version 1.1 of the same product. By the time version 1.0 is certified, version 1.1, although it differs minimally from 1.0, is not in the catalog because it was not the version evaluated. Yet version 1.1 is more up to date and more secure than the version in the catalog.

The Continuous Qualification Strategy was created to solve this problem.

When does Continuous Qualification apply?

Currently, the CPSTIC catalog has almost 300 certified solutions since it was implemented in 2018. This means that many of the products included have undergone modifications from the initial version that was evaluated, and potentially the latest version is not in the catalog.

Continuous Qualification will apply in the following cases:

  • New versions of the product: This would be the case of new versions of the product that include new functionality or resolve problems found in previous versions.

  • New hardware models: In this case the software/firmware does not change, but there are versions with different hardware of which only one has been certified, so the manufacturer wants to extend the certification to the rest of the models.

How can jtsec help you in the evaluation of your products according to the Continuous Qualification Strategy?

At jtsec we are experts in LINCE and Common Criteria evaluations, the two methodologies accepted by the CCN for including products in the CPSTIC Catalog.

jtsec offers the following services:

  • LINCE or Common Criteria evaluation

  • Complementary STIC assessment

  • Inclusion of product series

  • Differential analysis report writing

  • Drafting of secure use procedures

The Continuous Qualification Strategy mainly concerns those manufacturers and/or developers who already have a product in the Catalog, whose version has become obsolete due to the development of later versions, and who wish to include those versions in the catalog. If this is your case and you have any questions, please do not hesitate to contact us; we will be happy to help you.

jtsec Team/Staff
