A few weeks ago, we said goodbye to 2024 and welcomed 2025, which has kicked off with remarkable energy, inspiring us with optimism and enthusiasm for the journey ahead. Looking back on the past year, we’ve seen remarkable progress with LINCE methodology and a substantial increase in the solutions featured in the CPSTIC / CCN-STIC 105 catalog. With that in mind, we’d like to share a brief overview of our modest contributions to these achievements.
Our Numbers
2024 was a year of records. We reached our maximum number of evaluations started and the maximum numbers of products included in the CSPTIC catalogue with our support.
A total of 109 evaluation processes were launched in 2024, a remarkable number that highlights the commitment of both manufacturers and the Public Administration with the catalogue.
A total of over 48 products have been included in the catalog and previously evaluated by jtsec in 2024.
Many of them were included with several versions of the solution or in different taxonomies, amounting to a total of 281 products included in the CPSTIC catalog. We have had the privilege of collaborating with companies such as Stormshield, Deciso V.B, Watchguard, Crowdstrike, Proofpoint, Check Point, AWS, Trend Micro, CyberArk, Cisco or Huawei, among others, for the evaluation of their products and services.
Adopted Lynxes
At jtsec, we collaborate with the conservation of the Iberian Lynx. Therefore, for every new client that includes a product or service in the catalog, we symbolically adopt an Iberian Lynx, contributing to the WWF NGO. This year, we are extremely proud to have adopted 18 Iberian Lynxes.
Conferences in 2024 related to LINCE methodology
During this year, we had the opportunity to participate in different events and present our point of view on various topics related to the LINCE methodology and the CPSTIC / CCN STIC-105 catalog, among which we would like to highlight:
- XVIII Jornadas CCNCERT, “Certificando Criptografía para la Era Cuántica”
- 18 ENISE, “¿Puedes usted incluir mi producto en catálogo CPSTIC”
- Cátedra Ciber-UGR, “How to use the CCN product catalog to improve your company's security”
CPSTIC / CCN STIC-105, the family grows
The catalog faced a variety of challenges throughout 2024. At jtsec, we successfully reached several significant milestones, including:
- We are developing, together with CCN, the new evaluation methodology for cloud services.
- jtsec has been the first lab accredited from ENAC to evaluate cryptologic products under the Methodology for the Evaluation of Cryptographic Mechanisms (MEMeC) methodology.
In addition to these milestones, in 2024, we have qualified solutions in different families, including:
- Video identification tools
- Wireless Network Devices
- EPP (Endpoint Protection and Platform)
- EDR (Endpoint Detection and Response)
- Privileged Access Management (PAM)
- Security Information and Event Management (SIEM)
- Firewalls
- Routers
- Switches
- OT Security
How to enter in the CPSTIC catalogue?
Different methods for a product to be included in the CPSTIC / CCN STIC-105 catalog:
- Common Criteria Certification: This type of certification is the most widely applied internationally concerning product cybersecurity, as it is recognized in more than 30 countries. Products that have previously obtained such certification and meet the security requirements of the applicable taxonomy are included in the catalog.
- LINCE Certification: This option adapts to the needs to meet the requirements of the national market. A large number of the products currently in the catalog have obtained LINCE certification. This certification is done on a specific version, and the evaluation is carried out on-premises.
- STIC Evaluation: This applies to services developed natively in the cloud, for those that do not have an on-premise version that can be certified. Such solutions receive a qualification to enter the catalog. This year, over 70% of the solutions evaluated by jtsec have been cloud-based STIC. Quite a success considering that Annex G, which applies to Cloud Services, was published in 2020.
- Complementary STIC: Some products have Common Criteria certification, but the security level (EAL) or the Protection Profile they apply does not fit the catalog's requirements. For these, certain additional tests must be performed to be included in the CPSTIC / CCN STIC-105 catalog. This way, a complete evaluation does not have to be performed, only certain tests required by the catalog itself.
- Penetration Testing: This type of evaluation applies to solutions that want to be included in the Conformity and Security Governance Products and Services taxonomy. Access to it does not require a Security Declaration or any documentation, so a complete LINCE evaluation is not required, but penetration tests must be passed to verify that the tool meets minimum security requirements.
Looking forward to 2025
2024 was a great year for the CPSTIC catalogue. We are proud of our support to improve the cyber resilience in the Spanish administration. We are sure that 2025 will be another year of expansion for the CPSTIC catalogue where the adoption of cybersecurity products will become more and more a cornerstone for public and private organizations, as well as the Public Administration. At jtsec, we will be there fostering this mission.
