CPSTIC Qualification

During the qualification process a IT product (TOE) tests its security functionality effectiveness, as well as its strength against attacks. Once these characteristics are validated positively, the product is recognized as qualified product, being part of the Spanish CPSTIC Catalogue .

Initial qualification

To obtain the initial qualification, the first step is to identify the family that the product belongs to and provide a rationale explaining how the product is compliant with the security functionality defined in the family annex. This rationale has to be approved by the CPSTIC. If the product has passed a previous evaluation, by means of a differential analysis the previously evaluated functionality will be considered as valid, and so not required to be tested.

After the CPSTIC approval, an evaluation shall be carried out to check the strength of the functionality not tested before, this testing is executed by a certified laboratory .

Usually the initial certification requires a Common Criteria or LINCE certification.

Our company provides the next services to developers during the initial qualification process:

  1. Family identification.
  2. Differential analysis.
  3. Evaluation deliverables (LINCE, Common Criteria, Cloud or complementary).
  4. Technical modifications to product documentation.
  5. Security functionality implementation assessment.
  6. Support through the qualification and evaluation process.

Qualification maintenance

Once the product is recognized by the Spanish Catalogue CPSTIC, the qualification shall be periodically updated. This update requirement can be caused by: expiration of the certificate issued by CPSTIC, expiration of the certification required (i.e. LINCE, Common Criteria), or product modification.

To keep qualification in time, it is recommended to choose a continuing qualification strategy. When a product, due to its lifecycle, is modified, a differential analysis shall be carried out in order to generate a rational explaining the impact of such modifications in the product’s security. In most cases, the product modification does not have impact in its security and the differential analysis is enough.

In cases that the product changes produce an impact in its functional security, an accredited laboratory has to validate the modifications by means of a security evaluation.

We support our customers throughout the maintenance process, offering the next services:

  1. Differential analysis.
  2. Evaluation deliverables updating.
  3. Technical modifications or creation of product documentation.
  4. Security product implementation assessment.
  5. Support during the evaluation process.