Evaluation methods and criteria

Criteria and methodology for evaluation, in the current versions used by the Body of Certification:

Common Criteria

Errata to CC:2022 and CEM:2022.

Application of the latest published version of this document is mandatory.

CCV3.1R5 version is the last from the 3.1 series, and may optionally be used for evaluation starting no later than the 30th of June 2024.

STs conformant to CC:2022 based on PPs certified according to CC3.1 will be accepted up to the 31st of December 2027.

Assurance continuity activities (maintenance, re-evaluation and re-assessment) based on CC 3.1 evaluations can be started for up to 2 years from the initial certification date.

For further information: CCRA transition policy.

LINCE - Certificación Nacional Esencial de Seguridad

The LINCE methodology is aimed at the evaluation and certification of ICT security products for inclusion in the CPSTIC catalog as a qualified product for systems affected by the ENS with a medium or basic category and can also be used to carry out complementary STIC Evaluations in accordance with what is specified in the CCN-STIC-106 and CCN-STIC-140 guides.

ITSEC/ITSEM

ISO

  • ISO/IEC 19790, Security Requirements for Cryptographic Modules
  • ISO/IEC 24759, Test Requirements for Cryptographic Modules

The ISO/IEC 19790:2012 and ISO/IEC 24759 standards are aimed at the evaluation and certification of the security requirements of cryptographic modules used within security systems that protect confidential information in computer and telecommunications systems that are of interest to the Public Administration in Spain. Before applying for this type of certification, the CCN must be contacted.