Doubts about how to include your product in the CPSTIC catalogue? We give you all the answers


28 July 2021
Posted by: jtsec Team

Since the Catalogue of Information and Communication Technology Security Products (CPSTIC, for its acronym in Spanish) was created in 2018, and given how much it has evolved since then, manufacturers, consultants and laboratories have asked us many questions about it.

Our purpose is to contribute to a more cybersecure world, both in companies and in Public Administrations, and answering the questions that arise around the catalogue is one way of doing so.

We have therefore compiled the most frequently asked questions about the CPSTIC catalogue, which can serve as a guide or resolve your doubts about it.

What cybersecurity certifications allow access to the CPSTIC catalogue?

Only two certifications allow a product to be included in the catalogue: LINCE and Common Criteria. Bear in mind that a product holding a Common Criteria certificate may also be required by the catalogue to undergo a series of complementary tests, the so-called STIC complementary evaluations, before it is admitted.

What is a STIC complementary evaluation?

It is a type of evaluation required for some products that hold a Common Criteria certification and intend to enter the catalogue. It basically consists of complementing the original certification with functional tests and penetration tests.

A STIC complementary evaluation is required when the scope of the original evaluation (as declared in the Security Target) does not cover the RFS (Fundamental Security Requirements, for its acronym in Spanish) defined for the relevant taxonomy family.

What kind of products are included in the CPSTIC catalogue depending on the security level chosen?

The CPSTIC catalogue includes two types of products, depending on the security level (High, Medium or Basic) that the manufacturer wishes to achieve for its product:

  • Approved products and services: they handle classified information, so the type of evaluation required to access the catalogue is Common Criteria and the security level is High.

  • Qualified products and services: products with certified security functionalities that are suitable for use in systems subject to the ENS (Spanish National Security Scheme), in any of its categories (High, Medium and Basic). They gain access by achieving a LINCE or Common Criteria certification.

If my product does not fit within the taxonomy offered by the CPSTIC catalogue, can I still include it?

The catalogue is constantly evolving, so it gradually incorporates new families and categories when deemed appropriate. In this case, the Fundamental Security Requirements for the product must be agreed with the catalogue and a Security Target must be drafted and submitted for approval.

In these cases the catalogue has two options: create a new taxonomy family if it considers that a significant number of similar products may be certified, or simply recommend inclusion in the "Others" category.

At jtsec we have collaborated in the inclusion of several products that, due to their nature, could not be placed in any of the existing categories.

What process do I have to follow to include my product in the catalogue?

The first step is to analyse your product and your company's internal resources, as obtaining a certification requires considerable effort. The second step is to decide which security level you want to achieve and which market you want to cover. If your goal is the ENS High category and an international market, you must pass a Common Criteria evaluation to access the catalogue; otherwise a LINCE evaluation may be a better choice, since it is more affordable in terms of cost and time, although its scope is limited to the Spanish market.

Once the decision has been made, the consulting phase begins with the drafting of the Security Target and, in the case of Common Criteria, the rest of the required documentation. When the Security Target has been approved by the CPSTIC catalogue, the evaluation phase (laboratory) begins, in which the product is evaluated through functional tests, vulnerability analysis and penetration tests.

At the end of the evaluation, the validation phase is carried out by the Certification Body. If the validation is satisfactory, the certificate is issued and the product is included in the CPSTIC catalogue.

The following graphic illustrates the process:

How do I keep my product version up to date in the CPSTIC catalogue?

One of CCN's main objectives is to keep the CPSTIC catalogue as up to date as possible. The most logical way to do this is to speed up the qualification and inclusion of products in the catalogue through the Continuous Qualification Process. For a more accurate idea of this process, we recommend reading the post we wrote specifically on this topic. This dynamic version-update process gives manufacturers great flexibility, so that their certified product does not become obsolete in the catalogue.

Must my product be in the catalogue to be able to work with the Public Administration?

It is NOT an essential requirement, although it is highly recommended. Given the growing presence and importance of the catalogue and the number of cyber-attacks suffered by the Public Administration, everything indicates that in the near future the logical step will be to prioritise products that have passed a cybersecurity evaluation.

In addition, a growing number of tender specifications, from both private companies and the Public Administration, require bidders to offer products that are included in the catalogue. This is a great competitive advantage for manufacturers who already have products in the catalogue.

Which cybersecurity laboratories can perform the evaluation tests?

CCN recognises a number of accredited laboratories for both LINCE and Common Criteria evaluations. Only accredited laboratories are competent to perform the tests for either methodology. jtsec is accredited by ENAC for both LINCE and Common Criteria.

Is it mandatory to perform the Preliminary Report of Conformity with the Fundamental Security Requirements (RFS)?

It is not mandatory, but it is highly recommended, as it saves time and avoids possible problems once the process has started. It lets you know where the product stands with respect to the catalogue's security requirements. Adequate compliance with the catalogue's Fundamental Security Requirements is important, but it is not absolutely essential to comply with all of them.

What happens if my product does not comply with a Fundamental Security Requirement of the taxonomy?

It is recommended to comply with all the Fundamental Security Requirements; however, taxonomies often do not perfectly match every product.

In these cases, it is necessary to justify to CPSTIC that other measures are in place so that non-compliance with that requirement does not affect the security of the product.

Is it possible to evaluate a cloud service?

Yes. As mentioned above, CCN is working hard to update and expand the CPSTIC catalogue, and it has added a new category to the taxonomy for cloud services. In fact, the first pilot projects are already under way.

Any questions about a particular issue that we have not covered in this post?

At jtsec we are experts in LINCE and Common Criteria evaluations, with extensive experience in the inclusion of products in the CPSTIC catalogue. If you have any questions about how to include your product in the CPSTIC catalogue, we will be happy to answer them: send them to hello@jtsec.es
