Spanish catalogue of qualified products - a new way of using CC for procurement

Javier Tallón, Security Expert at jtsec Beyond IT Security
Index
• Who are we?
• Worldwide Procurement Initiatives
• Why a Product Catalogue?
• CPSTIC - Catalogue
• Conclusions
Who are we?
• Jose Ruiz – CTO at jtsec
• jtsec – CC and FIPS 140-2 consultancy company, based in Spain
• CCGEN developers – Common Criteria documentation development tool
• More than 10 years of experience working with different labs and CBs as evaluator, lab manager and consultant
Why are we here?
• We support companies in meeting their business expectations, e.g. sales to governments
• We like initiatives that make life easier
• We think it could be useful for other countries
• My father wanted to visit Canada ;)
The importance of procurement as a prevention tool
[Figure: prevention / detection / response cycle. What is at stake: image, trustworthiness, reputation, business, prestige, brand value, data integrity; threats shown: DoS, data leakage]
Worldwide Procurement Initiatives
• US Government Requirements
  - CC is mandatory for all IT products with security features that are deployed in U.S. National Security Systems (NSS)
  - Products are to be selected from the NIAP Product Compliant List (PCL), meaning they have met a NIAP-approved Protection Profile
  - DoD Information Network Approved Products List (DoDIN APL): Common Criteria and very likely FIPS 140-2 validation are required
• Australian Government Requirements
  - CC is mandatory for all products providing security functions within all Australian Government systems, unless the risks of not using CC products have been appropriately accepted and documented.
  - Products may be selected from the Australian Evaluated Products List (EPL) or the CC portal.
• Canadian Government Requirements
  - CC should be included as a requirement in Government of Canada RFPs/contracts whenever possible.
  - Certified products evaluated against the Protection Profile for a given technology class may be selected.
• French Government Requirements
  - Types of certification used for procurement: Common Criteria certification; First Level Security Certification (CSPN)
  - Acquisition policy (qualification levels):
    - CSPN for elementary qualification
    - EAL3 augmented with AVA_VAN.3 and ALC_FLR.3 for standard qualification
    - EAL4 augmented with AVA_VAN.5, ADV_IMP.2, ALC_DVS.2 and ALC_FLR.3 for reinforced qualification
• UK Government Requirements
  - Types of certification used for procurement: Common Criteria certification; Commercial Product Assurance (CPA)
  - CPA: a security product that passes assessment is awarded Foundation Grade certification, which demonstrates good commercial security practice and suitability for lower-threat environments.
  - Should we just use CC? Ideally, yes, but CC does not always represent a necessary or sufficient level of product assurance for the UK public.
Why a product catalogue?
Legislation - IT security products - ENS
• Legal framework
  - RD 3/2010 of 8 January
  - RD 951/2015 of 23 October, amending RD 3/2010 -> ENS, the National Security Scheme (Esquema Nacional de Seguridad)
• Objective: to establish basic principles and minimum requirements for the protection of information
• Scope of application: public administration
• Information protection. Security dimensions: confidentiality, integrity, availability, traceability, authenticity
• System categories: High, Medium, Basic
• Current situation. RD 951/2015 of 23 October, amending RD 3/2010 regulating the ENS in the field of electronic administration, Art. 18: "for the procurement of information and communication technology security products to be used by public administrations, those that have certified the security functions related to the object of their procurement shall be used, in a manner proportionate to the category of the system and the level of security identified..."
• Moreover, for the "High" system category in the ENS, RD 3/2010 of 8 January, regulating the ENS in the field of electronic administration, Annex II, section 4.1.5 Certified components: "Products or equipment whose security functionality and level have been assessed in accordance with European or international standards and which are certified by independent bodies of recognised standing shall preferably be used."
Why is CC alone not the answer?
• What does it mean that a product is certified?
  - The product has been evaluated against the SFRs and SARs defined in its Security Target
• Who writes the Security Target?
  - The manufacturer
Why a product catalogue?
• Certified product -> qualified for use in administration?
• It is only suitable if:
  - The Security Target is complete, consistent and technically accurate.
WARNING: the ST is written by the manufacturer!
The CPSTIC. For what?
• Certified product -> qualified for use in administration?
• It is only suitable if:
  - The TOE covers the main security functionality of the product.
  - Unfortunately, sometimes this is not the case.
[Figure: the TOE shown as a subset of the product]
• Corollary: in order to check whether a product is adequately certified, the government agency must have the capacity to:
  - Require product certification
  - Check that the ST is technically suitable
  - Check that it is complete
A catalogue will ease this task.
The CPSTIC
• The CPSTIC is the reference catalogue for the acquisition of IT products by public bodies subject to the National Security Scheme (ENS).
• Scope:
  - Qualified products: sensitive information
  - Approved products: classified information, including approved encryption products (CCN-STIC-103)
• Which products are suitable for inclusion? Those that implement security functionality in a system in an active manner.
• Related guides:
  - CCN-STIC-106. Procedure for the inclusion of qualified IT products in the CPSTIC
  - CCN-STIC-140. Reference taxonomies for IT security products
  - CCN-STIC-105. CPSTIC
• CCN-STIC-106. Inclusion requirements:
  - Common Criteria certified products: a low EAL is required. The Security Target is checked for compliance with the required SFRs.
  - If the product does not have Common Criteria certification, an accredited laboratory performs the evaluation.
• CC certification may not be required where:
  - The product is promoted by the Administration.
  - It is of strategic interest.
  - There are no substitute products on the market.
  In those cases a STIC evaluation may be applied instead.
• Inclusion procedure in the catalogue (decision flow from the slide):
  1. Request for product recommendation for use in administration.
  2. Is it certified by CC?
     - Yes: ST review and Certification Report. Are all ESR included? If so, the product enters the CPSTIC; otherwise a new ST that is ESR-conformant is written, the product is CC certified against that ST and then enters the CPSTIC.
     - No: Is there an operational need without CC? If so, a STIC methodology evaluation covering the ESR is performed and the product enters the CPSTIC. Otherwise: is there a recommended PP? If so, CC certification according to the recommended PP; if not, CC certification with an ESR-conformant ST. Either way the product then enters the CPSTIC.
The CPSTIC - Taxonomy
• CCN-STIC-140. Reference taxonomy with two levels: category/family. There are 6 categories and 33 families. Examples:
  - Access Control: network access control devices, biometric devices, single sign-on devices, authentication servers, one-time password devices
  - Operational Security: anti-virus, endpoint detection and response tools, network management tools, system update tools, ...
  - Security Monitoring: IDS, IPS, honeypot/honeynet, monitoring and traffic analysis
• For each family, a set of mandatory security requirements (ESR) has been defined.
• CCN-STIC-140, further examples:
  - Communication Protection: routers, switches, firewalls, proxies, wireless network devices, ...
  - Protection of information and information media: encrypted data storage devices, offline encryption devices, secure erasing tools, data leakage prevention systems, ...
  - Device/Service protection: mobile devices, operating systems, anti-spam tools, smartcards
The CPSTIC – Family description
• Requirements defined for each family:
  - Product family description: functionality, use case, device scope
  - CC evaluation requirements
  - Threat analysis: environmental assumptions, assets, threats
  - Mandatory Security Requirements (ESR)
The CPSTIC. Example - Firewall
• "Firewall" family from the "Communication Protection" category. Options provided by the catalogue:
  - Evaluation according to the Protection Profiles internationally defined for this type of product.
  - Evaluation at EAL2 or higher including the SFRs listed in those Protection Profiles.
  - CCRA certificates are recognised (obviously).
  - You can be listed in the catalogue!
The CPSTIC. Example – Secure Erase Tools
• "Secure Erasure Tools" family from "Protection of information and information media":
  - No Protection Profiles have been published for this family.
  - The catalogue includes the ESR to be assessed during the evaluation.
  - And the evaluation level required (e.g. EAL1).
The CPSTIC - Current status
• If you need to consult it, where can you find it?
  - CCN-STIC-105 guide. STIC product catalogue (CPSTIC): https://oc.ccn.cni.es/index.php/en/cis-product-catalogue, updated periodically on the CCN website
  - Certification Body website: https://oc.ccn.cni.es
• 108 qualified products and 18 approved.
• 18 different families.
• 18 manufacturers.
• Continuous growth!
• CPSTIC first version published in December 2017.
Conclusions
- Procurement is a key tool for preventing vulnerabilities
- There are multiple government initiatives worldwide
- Common Criteria alone is unfortunately not the answer
- The CPSTIC is an innovative and flexible mechanism to solve this issue
- It is compatible with cPPs while avoiding the delay and cost of cPP development
- It allows other evaluation methodologies to be used
- It allows quick adoption of new technologies
jtsec: Beyond IT Security
c/ Abeto s/n Edificio CEG Oficina 2B
CP 18230 Granada – Atarfe – Spain
hello@jtsec.es
@jtsecES
www.jtsec.es
“Any fool can make something complicated. It
takes a genius to make it simple.”
Woody Guthrie
Annex 1. Summary of regulations and contacts of interest
- For qualified products (ENS High category):
  - CCN-STIC-105 guide. Security Products Catalogue
  - CCN-STIC-140 guide. Reference taxonomy for security products
  - CCN-STIC-106 guide. Procedure for adding qualified security products to the CPSTIC
- Available at:
  - CCN-CERT site: https://www.ccn-cert.cni.es/guias.html
  - Certification Body site: https://oc.ccn.cni.es
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
ShapeBlue91 views
"Surviving highload with Node.js", Andrii Shumada by Fwdays
"Surviving highload with Node.js", Andrii Shumada "Surviving highload with Node.js", Andrii Shumada
"Surviving highload with Node.js", Andrii Shumada
Fwdays40 views
PharoJS - Zürich Smalltalk Group Meetup November 2023 by Noury Bouraqadi
PharoJS - Zürich Smalltalk Group Meetup November 2023PharoJS - Zürich Smalltalk Group Meetup November 2023
PharoJS - Zürich Smalltalk Group Meetup November 2023
Noury Bouraqadi141 views
CloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlue by ShapeBlue
CloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlueCloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlue
CloudStack Object Storage - An Introduction - Vladimir Petrov - ShapeBlue
ShapeBlue46 views

Spanish catalogue of qualified products - a new way of using CC for procurement

  • 1. SPANISH CATALOGUE OF QUALIFIED PRODUCTS: A NEW WAY OF USING CC FOR PROCUREMENT
  • 2. Index
      • Who are we?
      • Worldwide Procurement Initiatives
      • Why a Product Catalogue?
      • CPSTIC - Catalogue
      • Conclusions
  • 4. Who are we?
      • Jose Ruiz – CTO at jtsec
      • jtsec – CC and FIPS 140-2 consultancy company, based in Spain
      • CCGEN developers – Common Criteria documentation development tool
      • More than 10 years of experience working with different labs and CBs as evaluator, lab manager and consultant
  • 5. Why are we here?
      • We support companies to meet their business expectations, e.g. sales to governments
      • We like initiatives that make life easier
      • We think that could be useful for other countries
      • My father wanted to visit Canada ;)
  • 6. The importance of procurement as a prevention tool
      [Diagram: Prevention / Detection / Response cycle. Values at stake: Image, Trustworthiness, Reputation, Business, Prestige, Brand value. Threats: DoS, Data leakage, Integrity]
  • 8. Worldwide Procurement Initiatives
      • US Government Requirements
          – CC is mandatory for all IT products with security features that are deployed in U.S. National Security Systems (NSS)
          – Products are to be selected from the NIAP PCL, meaning they have met a NIAP approved Protection Profile
          – DoD’s Information Network Approved Products List (DoDIN APL)
          – Common Criteria and very likely FIPS 140-2 validation are required
  • 9. Worldwide Procurement Initiatives
      • Australian Government Requirements
          – CC is mandatory for all products providing security functions within all Australian Government systems, unless the risks of not using CC products have been appropriately accepted and documented.
          – Products may be selected from the Australian Evaluated Products List (EPL) or the CC portal.
  • 10. Worldwide Procurement Initiatives
      • Canadian Government Requirements
          – CC should be included as a requirement in Government of Canada RFPs/contracts whenever possible.
          – Certified products evaluated against the Protection Profile for a given technology class may be selected
  • 11. Worldwide Procurement Initiatives
      • French Government Requirements
          – Types of certification used for procurement:
              • Common Criteria Certification
              • First Level Security Certification – CSPN
          – Acquisition policy:
              • CSPN for elementary qualification
              • EAL3+VAN.3+FLR.3 for standard qualification, or
              • EAL4+VAN.5+IMP.2+DVS.2+FLR.3 for reinforced qualification
  • 12. Worldwide Procurement Initiatives
      • UK Government Requirements
          – Types of certification used for procurement:
              • Common Criteria Certification
              • Commercial Product Assurance – CPA
          – CPA: a security product that passes assessment is awarded Foundation Grade certification, which demonstrates good commercial security practice and is suitable for lower threat environments.
          – Should we just use CC?
              • Ideally, yes.
              • However, CC does not always represent a necessary or sufficient level of product assurance for the UK public sector.
  • 13. Why a product catalogue?
  • 14. Legislation - IT Security products - ENS
      • Legal framework
          – RD 03/2010, 8th January
          – RD 951/2015, 23rd October, modifying RD 3/2010 -> ENS – National Security Scheme
      • Objective:
          – To establish basic principles and minimum requirements for the protection of information
      • Scope of application
          – Public administration
  • 15. Legislation - IT Security products - ENS
      • Information protection. Security dimensions:
          – Confidentiality
          – Integrity
          – Availability
          – Traceability
          – Authenticity
      • System category:
          – High
          – Medium
          – Basic
  • 16. Legislation - IT Security products - ENS
      • Current situation: RD 951/2015 of 23rd October, amending RD 3/2010 regulating the ENS in the field of Electronic Administration, ART. 18: “for the procurement of information and communication technology security products to be used by public administrations, those that have certified the security functions related to the object of their procurement shall be used in a manner proportionate to the category of the system and the level of security identified…”
  • 17. Legislation - IT Security products - ENS
      • Moreover, for the “High” system category in the ENS: “RD 03/2010 of 8th January, regulated by the National Security Scheme (ENS) in the field of electronic administration. Annex 2, section 4.1.5 Certified components: Products or equipment whose safety features and level have been assessed in accordance to European or International standards and which are certified by independent bodies of recognised standing shall preferably be used.”
  • 18. Why is CC not the answer?
      • What does it mean that a product is certified?
          – The product has been evaluated taking into account the SFRs and SARs defined in the Security Target
      • Who writes the Security Target?
          – The manufacturer
  • 19. Why a product catalogue?
      • Certified product → Qualified for use in administration?
      • It is only suitable if:
          – The Security Target is complete, consistent and technically accurate. WARNING: the ST is written by the manufacturer!
  • 20. The CPSTIC. For what?
      • Certified product → Qualified for use in administration?
      • It is only suitable if:
          – The TOE covers the main security functionality of the product.
          – Unfortunately, sometimes this is not the case
      [Diagram: the TOE as a subset of the product]
  • 21. The CPSTIC. For what?
      • Corollary: in order to be able to check whether a product is adequately certified, the government agency must have the capacity to:
          – Require product certification
          – Check that the ST is technically suitable
          – Check that it is complete
      • A catalogue will ease this task.
  • 23. The CPSTIC
      • The CPSTIC is the reference catalogue for the acquisition of IT products in public bodies affected by the National Security Scheme (ENS).
      • Scope:
          – Qualified products: sensitive information
          – Approved products: classified information
      [Diagram: Qualified / Approved / Approved encrypted products (CCN-STIC-103)]
  • 24. The CPSTIC
      • Scope:
          – Which products are suitable to be included?
          – The products that implement security functionalities in a system in an active manner
  • 25. The CPSTIC
      • Related legislation:
          – CCN-STIC-106. Inclusion procedure for qualified IT products in the CPSTIC
          – CCN-STIC-140. Reference taxonomies for IT security products
          – CCN-STIC-105. CPSTIC
  • 26. The CPSTIC
      • CCN-STIC-106. Inclusion requirements:
          – Common Criteria certified products. A low EAL level is required. The Security Target shall be checked for compliance with the SFRs.
          – If the product does not have Common Criteria certification, an accredited laboratory will perform the evaluation.
      • CC certification may not be required where:
          – The product is promoted by the Administration.
          – It has a strategic interest.
          – There are no substitute products on the market.
          – A STIC evaluation could be applied.
  • 27. The CPSTIC
      • Inclusion procedure in the catalogue
      [Flowchart nodes: Request for product recommendation for use in administration; Is it certified by CC?; ST review and Certification Report; ST compliant; New ST with ESR conformance; Is there a recommended PP?; CC certification according to recommended PP; Is there an operational need without CC?; STIC methodology evaluation covering ESR; Are all ESR included?; CPSTIC]
  • 28. The CPSTIC - Taxonomy
      • CCN-STIC-140. Reference taxonomy. Two levels: Category/Family. There are 6 categories and 33 families. Example:
          – Access Control: Network access control devices, Biometric devices, Single Sign-On devices, Authentication servers, One-Time Password devices
          – Operational Security: Anti-virus, Endpoint Detection and Response tools, Network management tools, System update tools, …
          – Security Monitoring: IDS, IPS, Honeypot/Honeynet, Monitoring and traffic analysis
      • For each family, Mandatory Security Requirements (ESR) have been defined.
  • 29. The CPSTIC - Taxonomy
      • CCN-STIC-140. Example:
          – Communication Protection: Routers, Switches, Firewalls, Proxies, Wireless network devices, …
          – Protection of information and information support: Encrypted data storage devices, Offline encryption devices, Secure erasing tools, Data leakage prevention systems, …
          – Device/Service protection: Mobile devices, Operating systems, Anti-spam tools, Smartcards
  • 30. The CPSTIC – Family Description
      • Requirements for each family:
          – Product family description:
              • Functionality
              • Usage case
              • Device’s scope
          – CC evaluation requirements
          – Threat analysis:
              • Environmental assumptions
              • Assets
              • Threats
          – Mandatory Security Requirements (MSR)
  • 31. The CPSTIC. Example - Firewall
      • “Firewall” family from the “Communication Protection” category. Options provided by the catalogue:
          – Evaluation according to the protection profiles internationally defined for this type of product.
          – Evaluation at EAL2 or higher including the SFRs listed in the Protection Profiles
          – CCRA certificates are recognised (obviously)
          – YOU CAN BE LISTED IN THE CATALOGUE!!!
  • 32. The CPSTIC. Example – Secure Erase Tools
      • “Secure Erasure Tools” family from “Information Protection and Information Media”:
          – No protection profiles have been published for this family
          – The catalogue includes the ESRs to be assessed during the evaluation
          – And the evaluation level required (e.g. EAL1)
  • 33. The CPSTIC - Current status
      • If you need to consult it, where can you find it?
          – CCN-STIC-105 guide. STIC product catalogue (CPSTIC). (https://oc.ccn.cni.es/index.php/en/cis-product-catalogue) It will be updated periodically on the CCN website
          – Certification Body website (https://oc.ccn.cni.es)
      • CPSTIC first version published in December 2017
          – 108 qualified products and 18 approved.
          – 18 different families.
          – 18 manufacturers.
          – Continuous growth!
  • 35. Conclusions
      – Procurement is a key tool for the prevention of vulnerabilities
      – There are multiple government initiatives worldwide
      – Common Criteria alone is unfortunately not the answer
      – The CPSTIC is an innovative and flexible mechanism to solve this issue
      – It is compatible with cPPs, avoiding the delays and the cost of cPP development
      – It allows other evaluation methodologies to be used, and
      – It allows quick adoption of new technologies
  • 36. jtsec: Beyond IT Security
      c/ Abeto s/n Edificio CEG Oficina 2B, CP 18230 Granada – Atarfe – Spain
      hello@jtsec.es  @jtsecES  www.jtsec.es
      “Any fool can make something complicated. It takes a genius to make it simple.” – Woody Guthrie
  • 37. Annex 1. Summary of regulations and contacts of interest
      – For qualified products (HIGH ENS):
          • CCN-STIC-105 guide. Security Products Catalogue
          • CCN-STIC-140 guide. Reference taxonomy for security products
          • CCN-STIC-106 guide. Addition procedure for qualified security products in the CPSTIC
      – Available at:
          • CCN-Cert site: https://www.ccn-cert.cni.es/guias.html
          • Certification Body site: https://oc.ccn.cni.es