CPSTIC taxonomy

CCN-STIC 140: CPSTIC taxonomy and Fundamental Security Requirements

CCN-STIC 140 defines CPSTIC families, the applicable RFS and how ICT security products and services fit into the CPSTIC Catalogue.

What CCN-STIC 140 is

CCN-STIC 140 is the guide that establishes the reference taxonomy for ICT security products and services. It defines CPSTIC families, delimits the minimum functionality of each product type and provides the basis for preparing entry into the CPSTIC Catalogue.

It does not replace the inclusion procedure. To understand how the file is opened, which documentation is submitted and how the CCN issues the ITC and RITC, it should be read alongside CCN-STIC 106.

Practical criterion

Before preparing an evaluation, the target family must be identified. That decision determines the RFS, the evidence and the CPSTIC category where the product will appear.

Quick answer

What it regulates

The CPSTIC taxonomy, product families and associated RFS.

Who should read it

Manufacturers, providers and teams preparing CPSTIC inclusion, renewal or fit analysis.

What it does not do

It does not define the file or qualification procedure by itself; that part is handled through CCN-STIC 106.

What to read too

CCN-STIC 106 for inclusion, LINCE for on-prem products and CICLON for cloud products and services.

The three CPSTIC categories

The taxonomy does more than group products by family. It also places each solution in the CPSTIC category that matches its purpose and the type of information or system it is intended to protect.

Qualified products and services

These cover products and services for sensitive ENS information in High, Medium or Basic categories. This is the usual route when the objective is to appear as a qualified CPSTIC solution.

Approved products

These apply to products for classified information. In these cases, additional approval logic, cryptological evaluation, TEMPEST or other specific requirements may apply.

Conformity and governance

This area groups tools that are not a direct part of the system security architecture, but support compliance, risk, incident management, intelligence, training or security governance.

Families and RFS

Families group products by their main security function. A product may fit one family or several families if it includes complementary capabilities that need to be analysed separately.

RFS, or Fundamental Security Requirements, define the functionality the product must implement within the applicable families. That is why it is important to identify the target families in CCN-STIC 140.

How it affects your product

The family defines which security capabilities the product must cover under the applicable RFS, which evidence will be reviewed and the CPSTIC category where it will appear once qualified.

Other tools

When the product's main function does not fit cleanly into any published family, it may be treated as Other tools. This is a fit route that requires prior analysis to define what the product does, which risks it covers and how it covers them.

Cloud products

CCN-STIC 140 also covers products and services deployed or delivered in the cloud. In that case, Annex G and the CICLON / CCN-STIC 2010 methodology must be taken into account.

Acronyms worth spelling out

CPSTIC

Catalogue of ICT Security Products and Services.

RFS

Fundamental Security Requirements. These are the technical conditions the product must satisfy in the applicable CPSTIC families.

ENS

Spanish National Security Framework. Among other aspects, it determines the category of the system where the product will be used.

PES

Secure Use Procedure. It describes the secure configuration and operation of the specific version to be included in CPSTIC.

How CYBSER helps

We review the product, propose its fit in CPSTIC, identify the applicable families and RFS, and handle the full process, including documentation and evaluation in the most efficient way.

Frequently asked questions about CCN-STIC 140

Does CCN-STIC 140 define the CPSTIC inclusion procedure?

No. CCN-STIC 140 defines the taxonomy, families and RFS. The inclusion procedure is explained in CCN-STIC 106.

Does a product need to fit one CPSTIC family only?

Not always. A product may fit one or several families if it implements complementary functionality covered by the taxonomy.

What if the product does not fit any family?

The Other tools area may be considered. That fit requires prior analysis to define what the product does, which risks it covers and how it covers them.

Does CCN-STIC 140 apply to cloud products?

Yes. Cloud products and services must take Annex G into account and follow the CICLON methodology defined in CCN-STIC 2010.

Want to validate the product's CPSTIC fit?

We analyse family, RFS, inclusion route, documentation and evaluation to prepare the file in the most efficient way.