Is a Qualified Product the same as a product with Common Criteria Certification?
The answer is NO, for the reasons explained below.
The fact that a product holds a Common Criteria certification in force means that it has successfully passed an evaluation process in an independent, approved laboratory, from which it can be stated that its Declaration of Security is correct with a certain level of confidence or "assurance" (EAL).
This means that the evaluation and subsequent certification process checks that the security functional features declared for the product have been correctly implemented, without assessing whether they are sufficient for the product to be considered secure for a given use case, such as those envisaged in the ENS.
Since the Declaration of Security is drawn up by the manufacturer, it may happen that the certification does not cover all the security functional features that the CCN considers necessary for a given type of product.
It should not be forgotten that Common Criteria provides an evaluation methodology: it answers the 'how?' but not the 'what?', the latter being the question: which security functional features are included in my certification?
Over the last few months, the CCN has made a considerable effort to answer this question. Working from a taxonomy of ICT security products organised into families, a list of Fundamental Security Requirements (FSR) has been defined for each family; a product belonging to that family must, at a minimum, include these requirements in its certification in order to be listed in the CPSTIC. Both the taxonomy and the FSR corresponding to each family are included in the recently published CCN-STIC-140 guide.
In summary, as a general rule, we can say that a Qualified Product will be a product that meets the following requirements:
- It holds a Common Criteria certification that is currently in force.
- This certification should include the requirements defined by the CCN in the CCN-STIC-140 guide for this product family.
- The manufacturer or any Public Sector organisation interested in including it in the CPSTIC should have formally requested this from the CCN.
In addition, as an exceptional measure, and in order to fill gaps in certified products for some families, the CCN is considering the possibility of qualifying products that do not hold CC certification, or whose certification is incomplete, when the following conditions are met:
- There are no certified products for a given family.
- There is no manufacturer willing to sponsor the certification, from both a technical and an economic point of view.
- The product is considered to be of strategic interest for the Administration.
- It has successfully passed an ICT security evaluation process, previously agreed with the CCN.
Figure 1: Certified Products vs. Qualified Products.
Is it mandatory to use the catalogue to procure products for the ENS?
It is not mandatory to use the CPSTIC, although it is advisable. We work from the basis that the use of certified products should be included in best-practice manuals for purchasing technology, basically because such products have been assessed by an approved laboratory, which helps detect and correct a wide range of vulnerabilities and thereby improves the product's security guarantees.
In addition, as mentioned above, when the system in which the product will be used falls under the ENS, it must comply with the regulation governing it, which specifically requires the use of products certified for the security functional features relevant to their purchase when the system is classified in the HIGH category, and states that their use is generally advisable for the remaining systems.
Therefore, anyone in charge of purchasing ICT products for one of these systems should check not only that the product is certified but also that its certification is complete, consistent and technically suitable. This is a difficult requirement to meet, basically for two reasons:
- Exceptional cases aside, these managers are not usually familiar with Common Criteria terminology.
- Even with colossal effort, it is not feasible to gain in-depth knowledge of the specific implementations of the wide range of ICT products currently on the market, let alone decide which requirements are appropriate.
Consequently, the CPSTIC serves a twofold purpose:
- It analyses certifications and thereby picks out those that are appropriate and meet the requirements defined for the product family.
- It standardises the criteria for defining which functional features a product should implement.
Where can I find products for a classified system?
If the system handles national classified information, the products that may be used are those published in the approved products section of the CPSTIC, in the CCN-STIC 103 guide (Catalogue of products with cryptological certification) and in the CCN-STIC 104 guide (Catalogue of products with ZONING certification). If no product in these catalogues suits the system's needs, written authorisation must be requested from the CCN, stating the product you wish to use and justifying the need.
How does this Product Catalogue relate to Centralised Contracting by the Ministry of Inland Revenue and Public Function?
The two are not related at all; they are not mutually exclusive and can be used together when administrative product-purchasing procedures so require.
The CPSTIC is merely a technical security catalogue that compiles a series of products offering certain levels of guarantee for use in systems that handle sensitive or classified information, whilst Centralised Contracting is an administrative catalogue built around a series of framework agreements negotiated with companies in order to improve contracting and standardise quality levels for the services and supplies purchased by the General Administration in Spain.