Technical guide for LINCE evaluation

CCN-STIC 2002: LINCE evaluation methodology explained

CCN-STIC 2002 sets out the LINCE evaluation methodology: minimum evidence, evaluation stages, effort limits and how findings are handled during the process.

What CCN-STIC 2002 is

It is the guide that defines how a LINCE evaluation is actually carried out. It sets out the minimum evidence, the evaluator's activities and the order in which the work is performed.

What it regulates inside LINCE

It governs the practical evaluation work: minimum evidence, test environment, optional modules, findings, verdict and results.

The methodology also defines 25 days of effort and a maximum 8-week timeline from the start of the evaluation.

Quick answer

What it is

The CCN guide that explains how a LINCE evaluation is carried out in practice.

Who should read it

Manufacturers and technical teams preparing documentation, evidence and the evaluation environment.

What it helps clarify

Minimum evidence, evaluation stages, handling of findings and remediation workflow.

When it becomes relevant

Before starting the evaluation process, to make sure the methodology is clearly understood.

Practical evaluation phases

  • Stage 1: Security Target analysis.
  • Stage 2: product installation and review of installation, configuration and operation guides.
  • Stage 3: functional testing.
  • Stage 4: vulnerability analysis.
  • Stage 5: TOE penetration testing.

What the manufacturer should prepare

  • Security Target (security declaration) and supporting documentation.
  • A deliverable containing the exact product version to be evaluated.
  • Capacity to remediate findings within realistic timeframes.

What the methodology really covers

  • Analysis of the Security Target.
  • Product installation and review of operation, usage and configuration guides.
  • Functional testing, vulnerability analysis and penetration testing.
  • Optional modules for source code, cryptographic mechanisms or biometrics when applicable.

What limits should be kept in mind

The guide itself defines LINCE as a basic security evaluation with bounded scope and effort. It is intended for products seeking entry into the ENS medium category.

Typical documentation and evidence

The work is not limited to running tests. The evaluation needs enough documentation to make scope, configuration and security functionality assessable without ambiguity or over-reliance on verbal context from the team.

When that documentary baseline is weak, the process becomes slower.

What happens if vulnerabilities are found

Finding vulnerabilities does not mean the project has failed. Issues must be corrected and the new version must be verified to confirm that the identified problems have been solved.

Checklist before starting the evaluation

1. Route confirmed

Confirm that LINCE is the correct route and that the product should not follow CICLON instead.

2. Scope locked

Define the exact version, features and limits of the evaluation.

3. Evidence ready

Have the baseline documentation and environment available for the evaluation.

4. Remediation capacity

Make sure the team can react quickly when findings appear.

How CYBSER helps

We prepare the Security Target, review the documentation, carry out the evaluation, report findings and verify remediation before closing the report for the Certification Body.

We handle the full process so your team can stay focused on the product.

Consult the official guide

If you need the full text or want to verify a specific point in the methodology, you can consult the CCN guide here.

View CCN-STIC 2002 →

Frequently asked questions about CCN-STIC 2002

Does CCN-STIC 2002 define the manufacturer’s minimum preparation?

Yes. The guide sets out the minimum evidence: the Security Target; the installation, configuration and operation guides needed to reach a secure configuration; and the test environment needed to execute the TOE.

What happens if vulnerabilities are found during the evaluation?

That is a normal part of the process. Issues must be corrected and the new version must be verified to confirm that the identified problems have been solved. The necessary checks are repeated before the evaluation report is closed.

Can CCN-STIC 2002 help estimate timeline and effort?

Yes. The methodology defines 25 days of effort and a maximum timeline of 8 weeks from the start. The real timeline still depends on product type, documentation readiness and the amount of remediation required.

Need to review whether your product is ready for evaluation?

We analyse scope, documentation and technical readiness before the LINCE evaluation begins.