STIC Evaluation

  • Leading laboratory in STIC evaluations
  • First LINCE laboratory accredited by CCN (Spanish Certification Body)
  • Editors of LINCE as a UNE standard
  • Market Leaders - More than 150 STIC evaluation projects
  • A team of more than 50 people committed with our customers

Click here to find our talks related to STIC and other standards offered in the most relevant cybersecurity events
By sending your data you allow us to use it to resolve your doubts by sending you commercial information of interest. We will delete it when they are no longer necessary for this matter. Know your rights in our Privacy Policy.


CPSTIC is the CCN-STIC-105 reference catalogue for cybersecure ICT products in the Spanish Public Administration. It offers a list of products with security guarantees contrasted by the CCN (the Spanish Certification Body). It has a taxonomy divided into different categories and families, which is continuously growing.

Including your product in the catalogue has multiple advantages:

  • It improves the cybersecurity of your product by being assessed by a reliable third party
  • Powerful marketing tool
  • It offers greater visibility of your product in the Spanish Public Administration
  • Comply with the CPSTIC Catalogue, since May 2022, is mandatory in order to be able to work for the Public Administration
  • The tenders specifications in the Spanish Public Sector shall include all necessary requirements to ensure compliance with the CPSTIC according to the new ENS.


When a product is certified under LINCE, it is done on a specific version and the evaluation is done on premise. However, more and more products/services are being developed directly in the cloud (cloud-native). They are deployed in the cloud and are usually developments in constant evolution, making it impossible to identify the exact target of the evaluation. Due to this, the product/service cannot be certified, but it can be qualified and still be part of the catalogue of cyber secure products. For this reason, in addition to complying with the requirements specified for their taxonomy with the LINCE methodology, the product/service must also pass the requirements specified in Annex G “Servicios en la nube” dedicated to those cloud-native products. Flowchart of the process of the STIC Evaluation of a service


To obtain a STIC Qualification, the product must be evaluated by a laboratory that acts as a reliable and technically trained third party. The laboratory will review the manufacturer's documentation and perform tests to verify that the product conforms to its specification.

The manufacturer of the product delivers to the laboratory the Security Target (ST), which defines the scope of certification, guidelines for use and safe configuration of the product. In addition, it will use information from public sources, such as technical specifications or product data sheets. We help you with our consulting team in the writing of all the paperwork parts.

With this documentation, the laboratory will obtain the information necessary to perform a series of tests to try to identify and exploit product failures and vulnerabilities. In addition, the product/service must also pass the requirements specified in Annex G “Servicios en la nube” dedicated to those cloud-native products.

On the other hand, the evaluation may also include testing of the cryptographic components if that category requires it.

The results of the laboratory evaluation are reflected in an Evaluation Technical Report (ETR), which the CCN will review, verifies that the solution has been satisfactorily evaluated and whether or not it complies satisfactorily with the requirements of its taxonomy


If you want to know more about the qualification process of cloud-native solutions, please check this video where Javier Tallón, our Lab Manager, explains the whole process in detail España y CCN como referentes en la evaluación de ciberseguridad de soluciones en la nube - YouTube


  1. Requirements analysis: It consists of defining to which taxonomy the services to be qualified belong, and it must also be adapted to the requirements of Annex G. Then, an RFS Rationale is carried out in which all the RFs listed in the taxonomy are listed and the following labels are applied: applicable, not applicable, covered and cannot be tested.
  2. Security Target (ST): Document that explains the scope of the project and collects all RFS related to the taxonomy of the product.
  3. ETR (Evaluation Test Report): It defines all the tests carried out and their results, and this document is sent to CPSTIC for the validation process of the solution.
  4. Security architecture: In this document the manufacturer defines the cloud part of the service and where it is hosted.
  5. Responsible declaration where the manufacturer assumes that everything declared herein is true.

They already trusted us. Let's talk!

What We Offer?

At jtsec we are experts in STIC security evaluations and we know the process perfectly. In order to avoid unnecessary costs, contact us as soon as possible.

  1. Evaluation

    As accredited laboratory, we carry out the STIC security evaluation of your product, checking the documentation, the security functionality and performing the necessary tests so that you can successfully obtain the STIC certification.

  2. Tools

    At jtsec we have developed LinceToolBox, an innovative and unique tool to smooth STIC certification, saving time & money.

  3. Trust and professionality

    We have years of experience in security certifications and we have a team of professionals with great knowledge and expertise that will take care of the entire process, saving you unnecessary time and money.

  4. Technical qualification

    We have arrived to take up the torch of technical excellence. Only from the highest qualification will we be able to verify the security of your products. We are 100% committed to a refined process of ongoing formation.

  5. Time To Market

    Only by doing our job on time can we give our customers a competitive advantage. If time is limited, you can trust us. We put all our resources at your disposal to be, not only the best, but also the first.