The lists of ICT Products in Spain


29 May 2020
Posted by: Javier Tallón

One way to make an ICT product or system stand out from its competitors is to prove its ability to handle information in a cyber-secure manner. The most advisable way to do that is to have a third party certify the product against a cybersecurity standard.

In Spain, the National Cryptographic Centre (CCN, for its acronym in Spanish) is the body assigned to issue cybersecurity approvals under different standards. Within the CCN we can find, among others, the following distinct parts: the Certification Body (OC) and the CIS Products Catalogue (CPSTIC).

What is the Certification Body and what functions does it perform?

On the one hand, we have the Spanish Certification Body, which, based on the evaluation technical report of an accredited laboratory like jtsec, issues a certificate ensuring that a product meets the security requirements of a standard (LINCE, Common Criteria, ISO15408/ISO18045, etc.) according to a specification. This specification is detailed in the Security Target document. The Security Target document must be public to help the consumer know exactly what has been tested and the methodology used.

The Spanish Certification Body publishes certified products in a List of Certified Products, which is divided into 50 categories, and has issued Common Criteria certificates since 2007.

It is important to note that there are Certification Bodies in many countries that perform this same task, and there are mutual recognition agreements so that, if a product is certified in Spain, you can have its certificate recognized in other countries and vice versa. For more information, you can check the list of all Common Criteria products.

The Security Target document is published in the List of Certified Products. Publication is mandatory unless the product is classified. If the product was certified outside Spain, we must check the Common Criteria website instead.

CIS Products Catalogue (CPSTIC)

On the other hand, we have a more recent office of the CCN, the CIS Products Catalogue (CPSTIC), which has published a List of ICT Security Products since 2018. The ultimate goal of the CPSTIC is that those responsible for procurement do not have to review the Security Target of each product to verify whether it is suitable for their needs, so the CPSTIC team is involved in the approval of the Security Target document of the products. It should be noted that if a product is going to handle classified information, or is going to be acquired and used by public bodies or private companies that are under the National Security Scheme (ENS), it needs to be included in the CIS Products Catalogue (CPSTIC).

The CIS Products Catalogue (CPSTIC) also keeps the lists up to date and monitors that the products included in them maintain their security features despite the new threats that keep emerging.

The CIS Products Catalogue (CPSTIC) handles two lists:

- List of Qualified Products: compiles the products that can be used for sensitive information under the National Security Scheme (ENS). Products on this list with a "HIGH" classification may be used in systems of any category. Products with a "MEDIUM" classification cannot be used in systems classified as ENS HIGH category, but they can be used in MEDIUM and BASIC systems.

In this list, products are divided into categories (note that the categories of the CPSTIC lists are not aligned with the categories of the certified product list) and families according to the reference taxonomies that can be found in the CCN-STIC 140 Guide.

For each category, the products shall fulfil a set of Fundamental Security Requirements (RFS) published as annexes. You can check the updated requirements for each category here.

Sometimes the certificate issued for a product may not cover all the RFS of the applicable annex, so the CCN may require detailed justifications or complementary tests to be performed by an accredited laboratory.

You can find the List of Qualified Products here.

- List of Approved Products: if a product handles classified national information or information owned by other countries or international organizations (such as NATO or the European Union), this is the list where it must be published. The Approved Products are classified into the following categories: Access Control, Exploitation Security, Communications Protection, Safety Monitoring, Information and Information Media Protection, Equipment and Services Protection, and Secure Tactical Communications.

You can find the List of Approved Products here.

The product or system must have a cybersecurity certification to be included in the List of Qualified Products or the List of Approved Products. CCN requires LINCE certification for medium or low category products and Common Criteria certification for the high category.

LINCE is a lightweight and practical certification, suitable for any company, including small companies that want to promote their first products and Spanish subsidiaries of multinationals. jtsec is the first laboratory accredited by ENAC and CCN to evaluate the security of ICT products according to the LINCE methodology.

When a product is included in the CIS Products Catalogue (CPSTIC), it is required to submit within 6 months (in the case of Qualified Products) or immediately (in the case of Approved Products) a Safe Use and Secure Configuration Procedure, which will be published on the CPSTIC website.

jtsec clients that have their products included in the CIS Products Catalogue (CPSTIC)

| Product | Manufacturer | Category |
| --- | --- | --- |
| Intercept X Advanced with EDR 2.5.4 BETA/ 10.8.6/2.0.16 BETA. | Sophos LTD. | Exploitation security |
| MIL2004-2xHSR-L3. 19.12 | SoCe System-on-Chip engineering – Novatronic Sistemas | Communications Protection |
| ESET Endpoint Security 7.2.2055.3 | ESET SPOL S.R.O | Communications Protection |
| McAfee Data Loss Prevention (DLP) Endpoint with ePolicy Orchestrator 5.10 11.1 | McAfee, LLCO | Information and Information Media Protection |
| Stormshield Network Security UTM/NG-Firewall | Stormshield SAS | Communications Protection |
| Check Point Endpoint Security vE82.40 | Check Point Software Technologies Ltd | Exploitation security |
| McAfee, Inc. Network Security Platform (NS Sensor v 9.1.17.100 and NSM v9.1.21.20.x) | McAfee, LLCO | Safety Monitoring |

Javier Tallón/Technical Director

Expert consultant on the Common Criteria standard and other security assurance standards in the field of information technology (FIPS 140-2, ITSEC, ISO 27K1, SOC 2, ENS...). Javier has served as an evaluator in the Spanish CB for the country's major evaluation labs. As a consultant, he has successfully accompanied national and international companies in several certification processes (to EAL5+). His experience has led him to participate as a speaker at several conferences on computer security and certification (SuperSec, Cybercamp, Navaja Negra, International Common Criteria Conference, International Cryptographic Module Conference, EUCyberact Conference). He is also a Cyber Security lecturer, teaching Secure Software Engineering at the University of Granada, and is CISSP (Certified Information Systems Security Professional) and OSCP/OSCE (Offensive Security Certified Professional & Certified Expert) certified.

In 2015 he began to lay the foundations of what would become jtsec. He currently works as Technical Director of the evaluation lab and Chief Operations Officer (COO) of the Granada site, from where the company carries out most of its work. A recognized expert in various disciplines of cybersecurity (reversing, exploiting, web, ...), he assumes the technical direction of most of the projects, directing and organizing the work of the team. He also leads the Research and Development area, encouraging the participation of the jtsec team in multiple conferences.

