LINCE as UNE standard

20 Jan 2021
Posted by: José Ruiz
Almost three years after its creation, LINCE, the evaluation methodology for the cybersecurity of ICT products with medium or low criticality, becomes a UNE standard.

At jtsec we are very proud of this event, since we have participated in the creation of LINCE from the beginning, both in the definition of the LINCE methodology and in its adoption as a UNE standard.

First steps for the approval of LINCE as UNE standard

The process of creating a UNE standard goes through a series of phases to ensure that the final document is the result of industry consensus. It is an open and transparent process in which any person or company that wishes to can submit comments during the IP (Public Information) process, which in the case of LINCE concluded last January 9th.

The steps to follow in order to make the LINCE methodology (or any other project) part of UNE are the following:

  • Propose the creation of the project to the Technical Committee for Standardization. In this case, jtsec proposed to the CTN320 the creation of the project.

  • After the approval of the project by the CTN320, a working group is created. In this case, it was the CTN 320/SC 03/GT LINCE, led by jtsec and including all the members of the CTN320 SC3.

  • The working group was in charge of writing a first version of the text, which was reviewed by a large number of SC3 members. After the comments were resolved by consensus, the text was approved by the CTN320.

  • After approval, the text is sent to the BOE for the Public Information process where any citizen/company can make comments.

  • Once the observations have been resolved, the standard is published.

Now that the whole process has been completed, the standard is awaiting publication.

What does it mean from the field of cybersecurity that LINCE becomes a UNE standard?

LINCE is a lightweight methodology created by CCN to match leading European countries in cybersecurity such as France or Germany, which already had a similar assessment methodology created by their own national Certification Bodies. The success of the LINCE methodology since its creation is a fact, so the next logical step is for it to become part of a standardized norm at national level.

This has three main objectives:

  • To raise awareness and support the use of cybersecurity certificates in ICT products at national level.

  • To allow the scope of the LINCE methodology to be extended to other areas/sectors.

  • To give LINCE visibility at European level as a lightweight certification methodology, represented by UNE in the European area.

It should be remembered that compliance with all UNE standards is, in principle, voluntary, although the competent Administration may require compliance through a law, decree or regulation for a given scope, or use them in the technical specifications for public contracts.

Why use the LINCE methodology?

jtsec was the first laboratory certified by CCN to evaluate products under the LINCE methodology, which is why we want to support its admission as a UNE standard. We recommend that manufacturers and developers submit their solution to a LINCE evaluation for several reasons:

  • Improving the cybersecurity of your product.

  • Obtaining a valid certification at Spanish level with a good international reputation.

  • Increasing the possibilities of working with the Administrations and public bodies, by having your solution recognized as meeting a minimum level of security.

If you have any questions about LINCE certification, do not hesitate to ask us; we are at your disposal.

José Ruiz/CTO

Jose is an expert consultant on the Common Criteria standard with more than 10 years of experience. Jose has a wide background in other security assurance standards in the field of information technology, such as Common Criteria, FIPS 140-2, FIPS 140-3, GP TEE, PCI-PTS and LINCE. Jose has served as an evaluator, Technical Leader and CC Consultant for Epoche&Espri and as CC lab manager and Cyber Security Service Manager for Applus+. His experience has led him to participate as a speaker in various editions of the ICCC (International Common Criteria Conference) and ICMC (International Cryptographic Module Conference). He has been the "Chairman" of a subgroup within the ISCI WG1 Eurosmart Initiative to develop the CC Methodology. He is also a member of different working groups such as ISO SC27 or Global Platform TEE and an active member of the group ERNCIP "IACS Cybersecurity certification".

In 2017 he founded with Javier what is now known as jtsec. He is currently in charge of promoting the commercial expansion of the company from its headquarters in Madrid as CTO. In addition, he represents jtsec in various national and international forums and is responsible for quality.

