CICLON guide for including cloud products in CPSTIC
What CICLON is, how its iterative evaluation works, and why this methodology matters for cloud products targeting the Spanish public sector.

The move to the cloud has transformed how software is built and consumed, but it has also created a major challenge for cybersecurity certification. Traditional methodologies such as LINCE certification, Common Criteria, or EUCC require assessing fixed versions of a product or even physical access to it, which makes them unsuitable for dynamic cloud environments such as SaaS, PaaS, and IaaS services.
To address this need, Spain’s National Cryptologic Centre (CCN) has designed the CICLON methodology (CCN-STIC 2010). If your company wants to sell cloud solutions to the Spanish Public Administration or to organisations regulated by the National Security Scheme (ENS), understanding CICLON is now an essential step.
Below, we break down what this new framework involves and how it will reshape the path to inclusion in the CPSTIC Catalogue.
What is the CICLON methodology and why is it a breakthrough?
Iterative National Cloud Certification (CICLON) is the new official framework for assessing ICT products hosted in the cloud across all threat levels.
Unlike conventional certifications, CICLON introduces a fundamental shift: instead of a static certificate, the product is assigned a Composite Assurance Percentage (PGC). This percentage reflects the product’s security level in a more realistic way and is updated regularly to keep pace with the constant evolution of cloud services and newly disclosed vulnerabilities.
If vulnerabilities or non-conformities are found during the evaluation process, the verdict automatically becomes FAIL and the PGC drops to 0.
The Two Phases of the CICLON Process
To keep this Assurance Percentage (PGC) alive and current, the methodology divides the process into two major operational phases:
1. Evaluation Phase (Initial)
This is the main and most comprehensive phase of the process. Its key stages include:
- Document Review: Assessment of the Security Target (ST) and the Service Architecture Document (DAS), where security responsibilities are clearly divided between the product manufacturer and the cloud infrastructure provider.
- Functional Testing: Direct verification that the declared security functions actually exist and work as intended, including checks to ensure that implemented protections cannot be bypassed or tampered with.
- Penetration Testing: Execution of a gray-box intrusion test to identify exploitable vulnerabilities and insecure configurations in web and cloud environments (AWS, Azure, GCP).
- Cryptographic Analysis: Review of external communications, the algorithms in use, and the cryptographic configuration to identify insecure or legacy uses that affect the initial evaluation score.
- Outcome: A Technical Evaluation Report (ETR) that calculates the product’s initial score.
2. Monitoring Phase (Iterative)
Once the initial evaluation has been completed, the product enters a cycle of regular reviews throughout the validity of its certification. This phase assesses:
- Third-party libraries: Continuous review of the Software Bill of Materials (SBOM) delivered in CycloneDX format, including transitive dependencies, hashes, signatures, and newly disclosed public vulnerabilities (CVEs) in the components used by the product.
- Integration components: Review that the external components the service depends on remain evaluated under the CICLON methodology itself.
- Cloud provider certifications: Verification that the underlying infrastructure (AWS, Azure, and others) maintains its ENS or EUCS (European Cybersecurity Certification Scheme for Cloud Services) certification.
- Outcome: A Technical Monitoring Report (MTR) that periodically updates the Composite Assurance Percentage (PGC).
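To make the third-party library review concrete, here is an added illustration (not code from CCN, CICLON or CYBSER) of what one monitoring pass over a CycloneDX SBOM can check: it walks the dependencies graph from the application to find the components actually in use (transitive dependencies included), flags components with no hash, a weak hash algorithm or a malformed digest, matches package URLs against an advisory list, and applies the all-or-nothing verdict the page describes. The SBOM, the package names, the digests and the advisory identifier are all constructed placeholders, and the function names are hypothetical.

```python
"""Added illustration of a CycloneDX SBOM monitoring pass.

Hypothetical helper code; the sample SBOM and advisory list are constructed
inline and contain no real components, digests or CVE identifiers.
"""
import json
from collections import deque

# Constructed CycloneDX 1.5 JSON document: one application with a direct
# dependency that in turn pulls in a transitive one, plus an orphan component.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "bom-ref": "app",
                               "name": "demo-service", "version": "2.3.0"}},
    "components": [
        {"type": "library", "bom-ref": "lib-a", "name": "libalpha", "version": "1.4.2",
         "purl": "pkg:pypi/libalpha@1.4.2",
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},
        {"type": "library", "bom-ref": "lib-b", "name": "libbeta", "version": "0.9.1",
         "purl": "pkg:pypi/libbeta@0.9.1",
         "hashes": [{"alg": "MD5", "content": "b" * 32}]},
        # No hash at all, and not reachable from the application.
        {"type": "library", "bom-ref": "lib-c", "name": "libgamma", "version": "3.0.0",
         "purl": "pkg:pypi/libgamma@3.0.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-a"]},
        {"ref": "lib-a", "dependsOn": ["lib-b"]},
        {"ref": "lib-b", "dependsOn": []},
    ],
})

# Constructed advisory feed keyed by package URL; the id is a placeholder, not a real CVE.
SAMPLE_VULNS = {"pkg:pypi/libbeta@0.9.1": ["CVE-0000-00001 (placeholder)"]}

# Expected hex digest length per accepted algorithm; MD5 and SHA-1 are treated as weak.
STRONG_HASH_LEN = {"SHA-256": 64, "SHA-384": 96, "SHA-512": 128}
WEAK_HASH_ALGS = {"MD5", "SHA-1"}


def reachable_components(sbom, root_ref):
    """Return the bom-refs reachable from root_ref through the dependencies graph."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    seen, queue = set(), deque([root_ref])
    while queue:
        for child in graph.get(queue.popleft(), []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def check_hashes(component):
    """Flag a component that cannot be tied to a concrete artifact by a strong, well-formed digest."""
    hashes = component.get("hashes", [])
    if not hashes:
        return [f"{component['purl']}: no hash recorded"]
    findings = []
    for h in hashes:
        alg, content = h.get("alg"), h.get("content", "").lower()
        if alg in WEAK_HASH_ALGS:
            findings.append(f"{component['purl']}: weak hash algorithm {alg}")
        elif alg not in STRONG_HASH_LEN:
            findings.append(f"{component['purl']}: unknown hash algorithm {alg}")
        elif len(content) != STRONG_HASH_LEN[alg] or any(c not in "0123456789abcdef" for c in content):
            findings.append(f"{component['purl']}: malformed {alg} digest")
    return findings


def monitor(sbom_text, vuln_db):
    """One monitoring pass: any finding yields FAIL, mirroring the page's all-or-nothing verdict."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    root = sbom["metadata"]["component"]["bom-ref"]
    in_use = reachable_components(sbom, root)
    by_ref = {c["bom-ref"]: c for c in sbom.get("components", [])}
    findings = []
    for ref in sorted(in_use):
        comp = by_ref[ref]
        findings.extend(check_hashes(comp))
        for vuln_id in vuln_db.get(comp.get("purl"), []):
            findings.append(f"{comp['purl']}: published vulnerability {vuln_id}")
    # Components listed but never reached from the application are reported, not scored.
    orphans = sorted(set(by_ref) - in_use)
    return {"verdict": "FAIL" if findings else "PASS", "findings": findings,
            "unused_components": orphans, "components_in_use": len(in_use)}


if __name__ == "__main__":
    print(json.dumps(monitor(SAMPLE_SBOM, SAMPLE_VULNS), indent=2))
```

On the sample document the pass reports two findings against the transitive dependency (a weak MD5 digest and the placeholder advisory) and therefore returns FAIL, while the orphan component is listed as unused rather than scored. Signature verification, which the page also names, would sit beside `check_hashes` and is not shown here.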
Your Key to the Public Sector: Inclusion in the CPSTIC Catalogue
Being included in the CPSTIC Catalogue is the essential requirement for accessing procurement opportunities with the Spanish Public Administration and with organisations subject to the ENS.
With CICLON now in force, cloud software vendors finally have a clear, official roadmap adapted to their technology for entering this catalogue with an approach designed specifically for cloud environments.
How can CYBSER help?
Navigating CCN requirements, drafting the Security Target (ST), preparing the Service Architecture Document (DAS), and executing both the evaluation and iterative monitoring phases can become a significant burden for development teams if the process is not structured properly from the start.
At CYBSER, we manage the full certification lifecycle:
- Strategic Assessment: We review your cloud architecture to confirm whether CICLON is the right route for your product.
- Expert Documentation: We prepare the ST and help prepare the DAS so it clearly reflects the architecture and responsibilities of the service, adapting the methodology to the technical reality of your product so your team can stay focused on development.
- Technical execution of evaluation and monitoring: We execute the functional testing, pentesting under the CCN methodology, and the ongoing monitoring phase, providing clear technical evidence at each stage.
Ready to certify your cloud product and open the door to the Spanish market? Contact us and we will design your roadmap to success in the CPSTIC Catalogue.
