CPSTIC - CCN - STIC 105 CATALOG
CPSTIC is the CCN-STIC-105 reference catalogue for cybersecure ICT products in the Spanish Public Administration. It offers a list of products with security guarantees verified by the CCN (the Spanish Certification Body). Its taxonomy is divided into categories and families and is continuously growing.
Including your product in the catalogue has multiple advantages:
- It improves the cybersecurity of your product by being assessed by a reliable third party
- Powerful marketing tool
- It offers greater visibility of your product in the Spanish Public Administration
- Compliance with the CPSTIC Catalogue has been mandatory since May 2022 in order to work for the Public Administration
- Tender specifications in the Spanish Public Sector shall include all necessary requirements to ensure compliance with the CPSTIC according to the new ENS.
STIC EVALUATION FOR CLOUD-NATIVE PRODUCTS/SERVICES
HOW TO OBTAIN A STIC QUALIFICATION?
To obtain a STIC Qualification, the product must be evaluated by a laboratory that acts as a reliable and technically trained third party. The laboratory will review the manufacturer's documentation and perform tests to verify that the product conforms to its specification.
The manufacturer of the product delivers to the laboratory the Security Target (ST), which defines the scope of certification, and the guidelines for use and safe configuration of the product. In addition, the laboratory will use information from public sources, such as technical specifications or product data sheets. Our consulting team can help you write all of this documentation.
With this documentation, the laboratory will obtain the information necessary to perform a series of tests that try to identify and exploit product failures and vulnerabilities. In addition, the product/service must also pass the requirements specified in Annex G “Servicios en la nube”, which is dedicated to cloud-native products.
The evaluation may also include testing of the cryptographic components if that category requires it.
The results of the laboratory evaluation are reflected in an Evaluation Technical Report (ETR), which the CCN will review to verify that the solution has been satisfactorily evaluated and whether or not it complies with the requirements of its taxonomy.
If you want to know more about the qualification process of cloud-native solutions, please check this video, in which Javier Tallón, our Lab Manager, explains the whole process in detail: “España y CCN como referentes en la evaluación de ciberseguridad de soluciones en la nube” (YouTube).
DOCUMENTATION REQUIRED IN THE STIC EVALUATION PROCESS
- Requirements analysis: It consists of defining which taxonomy the services to be qualified belong to, and it must also be adapted to the requirements of Annex G. Then, an RFS Rationale is carried out in which all the RFs in the taxonomy are listed and the following labels are applied: applicable, not applicable, covered and cannot be tested.
- Security Target (ST): Document that explains the scope of the project and collects all RFS related to the taxonomy of the product.
- ETR (Evaluation Test Report): It defines all the tests carried out and their results, and this document is sent to CPSTIC for the validation process of the solution.
- Security architecture: In this document the manufacturer defines the cloud part of the service and where it is hosted.
- Responsible declaration: Statement in which the manufacturer affirms that everything declared herein is true.
What Do We Offer?
At jtsec we are experts in STIC security evaluations and we know the process perfectly. In order to avoid unnecessary costs, contact us as soon as possible.
As an accredited laboratory, we carry out the STIC security evaluation of your product, checking the documentation and the security functionality and performing the necessary tests so that you can successfully obtain the STIC certification.
At jtsec we have developed LinceToolBox, an innovative and unique tool to smooth STIC certification, saving time & money.
Trust and professionalism
We have years of experience in security certifications and we have a team of professionals with great knowledge and expertise that will take care of the entire process, saving you unnecessary time and money.
We have arrived to take up the torch of technical excellence. Only from the highest qualification will we be able to verify the security of your products. We are 100% committed to a refined process of ongoing training.
Time To Market
Only by doing our job on time can we give our customers a competitive advantage. If time is limited, you can trust us. We put all our resources at your disposal to be, not only the best, but also the first.