CPSTIC procedure

CCN-STIC 106: product and service inclusion in the CPSTIC Catalogue

CCN-STIC 106 defines what must be submitted, how the CCN reviews the evidence and which routes exist to qualify products and services in the CPSTIC Catalogue.

What CCN-STIC 106 is

CCN-STIC 106 is the guide that defines the procedure for including qualified STIC products and services in the CPSTIC Catalogue. For a manufacturer or provider, it is the document that structures the request, the Centro Criptológico Nacional (CCN) review and the qualification routes.

It should be read alongside CCN-STIC 140, which defines the families and Fundamental Security Requirements, and with the relevant evaluation route: LINCE or CICLON.

Important caveat

The guide dates from April 2024 and still uses STIC evaluation terminology in the cloud-service sections. Today that part should be read together with CICLON, without implying that STIC evaluation has disappeared in other scenarios.

Quick answer

What it regulates

The inclusion of qualified products and services in CPSTIC.

Who should read it

Manufacturers, providers and teams preparing CPSTIC entry or renewal.

What it clarifies

Documentation, RFS, ITC, RITC, PES, ENS category, exceptional treatment and evidence.

What to read too

CCN-STIC 140, LINCE for on-prem products and CICLON for cloud services.

What it regulates

  • The inclusion procedure for qualified products in CPSTIC.
  • The inclusion procedure for qualified services in CPSTIC.
  • The evidence required depending on ENS category, starting certification and identified risks.

Annexes that matter

  • Continuous qualification strategy.
  • Complementary STIC evaluations.
  • Qualification of product series.
  • Qualification of versions.

How product inclusion begins

The request may cover a new inclusion or a renewal, and it may be submitted by the manufacturer, a supplier or a public administration body. If a manufacturer or supplier request is formally endorsed by a public administration body, the CCN treats it as a priority. That endorsement is mandatory in the exceptional route for products without Common Criteria or LINCE certification that are considered of strategic interest to the Administration and have no equivalent product already qualified in CPSTIC through an ordinary route.

Before evaluation is discussed, the product must be mapped to one or more families under CCN-STIC 140, because that is where the RFS used as the benchmark are defined. If no family fits the product or service properly, the CPSTIC structure also allows an Other tools placement, with a more specific reading of scope and evidence.

Minimum documentation

  • The Security Target from the relevant Common Criteria or LINCE certification.
  • A Preliminary RFS Conformity Report prepared by the applicant.
  • The product versioning policy.
  • The Secure Use Procedure (PES), required to close inclusion. If inclusion is granted provisionally, the PES must be delivered within a maximum period of six months.

What the CCN reviews

The CCN reviews the documentation, performs a complementary risk analysis and issues the Technical Qualification Report (ITC). The result is communicated through the Result of the Technical Qualification Report (RITC), which may be favourable or unfavourable.

The three cases defined by the guide

Case 1

The RFS are already covered

If previous certifications or evaluations already cover the applicable RFS and the CCN analysis does not identify uncovered complementary risks, no additional external laboratory evaluation is required.

Case 2

Exceptional route

This applies to products without CC or LINCE certification that are of strategic interest to the Administration and have no equivalent product already qualified in the catalogue through an ordinary route.

Case 3

Certification or complementary STIC

If the product does not fit the previous cases, the CCN may request a new Common Criteria or LINCE certification, or a complementary STIC evaluation.

What changes by ENS category

For products seeking High ENS qualification, the general route usually starts from a Common Criteria certification. Even so, CCN-STIC 106 also allows High category qualification from a valid LINCE certification through a complementary STIC evaluation. That evaluation analyses the High and Medium category RFS and tests those not already covered by the starting certification. We can manage it within the CPSTIC Catalogue inclusion service. For Medium and Basic categories, the minimum reference is usually LINCE.

Cryptography

Whenever cryptographic algorithms are used, the CCN validates that they are acceptable for ENS and aligned with CCN-STIC 807.

Acronyms worth spelling out

RFS

Fundamental Security Requirements. They define the functionality a product must implement within its applicable CCN-STIC 140 family.

ITC

Technical Qualification Report. It records the CCN review and any additional evidence that may be required.

RITC

Result of the Technical Qualification Report. It communicates the favourable or unfavourable outcome.

PES

Secure Use Procedure. It must be available to close CPSTIC inclusion.

Cloud services

For cloud security services, the dossier is not the same as for an on-prem product. The guide requires reference to the ENS certification, the DAS, the Security Target, a declaration of log delivery capability and a Transparency Report.

Current reading

For cloud products and services, CCN-STIC 106 should be combined with CICLON and CCN-STIC 2010, where the current evaluation method, monitoring logic, DAS, ST and service-specific evidence are defined.

Qualification and exclusion

With a favourable RITC, the product or service is considered qualified from the CCN notification, even if it has not yet been published. The guide also defines exclusion triggers: expiry or revocation of certifications, uncorrected critical vulnerabilities, failure to deliver the PES or end of security support, among others.

Continuous qualification

The continuous qualification strategy helps manage new functionality, new hardware models and new versions with minor differences from a certified baseline.

How CYBSER helps

We review the product, its fit within CPSTIC families, the starting certification and the tests needed to cover the applicable RFS. We also coordinate documentation, Security Target review, complementary STIC evaluations, LINCE or CICLON certification and PES preparation where needed.

Frequently asked questions about CCN-STIC 106

Does CCN-STIC 106 replace CCN-STIC 140?

No. CCN-STIC 106 defines the CPSTIC inclusion procedure. CCN-STIC 140 defines the product families and Fundamental Security Requirements (RFS) used as the reference. If no family fits, the Other tools area may be considered.

Does CCN-STIC 106 still apply to cloud services?

Yes, but it should be read together with CICLON and CCN-STIC 2010. The guide still contains references to STIC evaluation for cloud services, while the current specific methodology for cloud products and services is CICLON.

Does CPSTIC qualification start only when the product appears in the catalogue?

Not necessarily. Once the RITC is favourable, the product or service is considered qualified from the CCN notification, even if it has not yet appeared in the next published edition of the catalogue.

Can a LINCE certification support High ENS qualification?

Yes, in specific cases. The general route for High ENS products usually points to Common Criteria, but CCN-STIC 106 allows High category qualification from a valid LINCE certification through a complementary STIC evaluation. That evaluation analyses the High and Medium category RFS and tests those not already covered. We can manage it within the CPSTIC Catalogue inclusion service.

Want to validate the right CPSTIC entry route?

We analyse the product, its CCN-STIC 140 fit and the most efficient evaluation route before opening the dossier.