National Iterative Cloud Certification

CICLON Certification: The Definitive Route for Your Cloud Product in Spain

Accelerate the entry of your SaaS, PaaS or IaaS platform into the Spanish public sector. We manage CICLON certification end-to-end, including documentation, technical evaluation and ongoing monitoring, turning the new cloud framework into the clearest route to the CPSTIC Catalogue.

Designed for cloud products that need certification under the National Security Scheme (ENS), public procurement and access to the CPSTIC Catalogue in Spain.


Experts in the Cloud Methodology

Deep knowledge of CCN-STIC-2010 and the operational reality of CICLON certification for cloud products in Spain.

Collaborative Engagement

We work with your technical team as a hands-on certification partner, preparing the documentation, executing the testing, carrying out periodic monitoring and revalidating detected non-conformities.

Agile and Continuous Process

A practical model aligned with cloud release cycles, so you do not have to freeze the product to keep the certification moving.

Quick answers

What CICLON means in practice

If your product is delivered from the cloud and your objective is CPSTIC or ENS-related entities in Spain, these are the core points you need to understand first.

When it applies

CICLON is the route built for SaaS, PaaS and IaaS products delivered from cloud environments.

What it requires

The process revolves around the Security Target (ST), the Service Architecture Document (DAS), technical evaluation, pentesting and an iterative monitoring phase.

How it differs from LINCE

LINCE fits non-cloud products. CICLON is built for cloud architectures and continuous change over time.

Why it matters

It is the route that allows cloud products to enter CPSTIC under an evaluation model adapted to real cloud operations.

What is the CICLON Methodology?

CICLON (Certificación Iterativa Cloud Nacional) is the official framework created by the Centro Criptológico Nacional (CCN) to assess the security of ICT products deployed in cloud environments. It is the reference route for cloud products that need to demonstrate security before accessing ENS-related entities and the Spanish public sector.

Unlike traditional schemes, CICLON relies on a continuous assurance model based on the Composite Assurance Percentage (PGC). Our role is to act as your expert partner: we prepare the Security Target (ST), help prepare the Service Architecture Document (DAS), and execute the Evaluation and Monitoring phases so your team can stay focused on product work.

See the official CCN-STIC 2010 methodology

CICLON

Iterative and continuous certification purpose-built for cloud products targeting the Spanish public sector.

CICLON or LINCE?

Choose the right certification path according to how your product is deployed.

Choose CICLON

Cloud

The right fit for cloud-native products that need to prove security in SaaS, PaaS or IaaS environments.

  • Cloud deployment and shared-responsibility model
  • Continuous monitoring of the SBOM, relevant dependencies, CICLON evaluation of integration components, and cloud-provider ENS or EUCS certification
  • Frequent fit for CPSTIC ambitions in regulated cloud scenarios

Choose LINCE

Software / no cloud

The better fit for products deployed on customer infrastructure, installed on-premises or delivered outside a cloud service model.

  • Point-in-time evaluation instead of iterative monitoring
  • Useful for on-premises software, installed applications and non-cloud products
  • Clear path when the cloud model is not central to the product

CICLON vs. LINCE vs. Common Criteria

A practical comparison for software companies targeting the Spanish public sector.

| Feature | CICLON | LINCE | Common Criteria / EUCC |
|---|---|---|---|
| Target Environment | SaaS, PaaS, IaaS | Software on-premises / no cloud | International recognition for hardware and software |
| Result | Composite Assurance Percentage (PGC); if non-conformities are found, the verdict is FAIL and the PGC is 0 | Pass / Fail | Pass / Fail |
| Testing Approach | Cloud/web pentesting under the CCN methodology plus ongoing monitoring | Functional testing and point-in-time vulnerability review | Exhaustive process and documentation audit |
| Time and Effort | Variable depending on architecture and product functionality | Low (weeks) | High (months/years) |

Key Benefits of CICLON Certification

Access the Public Sector with Cloud Solutions

CICLON is the cloud security route expected for SaaS, PaaS and IaaS products that need to prove assurance before pursuing CPSTIC and public-sector opportunities.

Stop Freezing Versions

The monitoring phase is designed for real cloud operations, allowing the product to keep evolving while the assurance level is maintained over time.

Differentiate Through PGC

Obtain a transparent score, based on measurable security evidence, that reinforces confidence that the product remains secure over time.

Demonstrated Cloud Security

The assessment follows the CCN methodology for cloud products, validating both the web layer and the relevant cloud exposure.

Why teams rely on CYBSER for CICLON

CICLON requires more than regulatory knowledge. It requires a partner able to understand the product, adapt the framework to its technical reality and execute the process with sound judgement in cloud environments.

ST and DAS documentation support

We structure the documentation package around the product, the cloud scope and the shared-responsibility model to reduce unnecessary iterations and keep the evaluation moving with clarity from the start.

Cloud architecture context

We work comfortably with AWS, Azure and GCP environments, third-party dependencies, interfaces and cryptographic decisions that shape the evaluation scope.

Lab and CCN coordination

We reduce friction by aligning your team, the lab workflow and the expected certification deliverables through the whole engagement.

Need to know whether your SaaS, PaaS or IaaS product really fits CICLON?

We can review the architecture, identify the likely certification scope and define a clear roadmap for the documentation, evaluation and monitoring that will follow.

Execution model

How We Execute a CICLON Evaluation

We structure the work in five clear phases so your team knows what is required, what is being evaluated and what needs to happen next at every stage.

Documents

ST preparation and DAS support, with the product scope and cloud responsibilities clearly separated.

Evaluation

Functional checks, cryptographic review and grey-box pentesting under the CCN methodology.

Monitoring

Recurring reviews to keep the assurance level aligned with the real state of the product.

Phase 01: Initial Fit and Planning

We review how the product is delivered, the relevant functionality, the cloud provider context and the likely CICLON scope before starting the evaluation.

Phase 02: ST and DAS Preparation

We prepare the Security Target (ST) and help prepare the Service Architecture Document (DAS), clearly separating your product responsibilities from the cloud environment.

Phase 03: Technical Evaluation

We analyse the architecture, run functional checks, review cryptography and execute the grey-box pentest under the CCN methodology.

Phase 04: Non-conformities, Re-testing and Evaluation Technical Report (ETR)

If functional or penetration testing reveals non-conformities, we report them, verify the implemented fixes and repeat the necessary checks before issuing the Evaluation Technical Report (ETR).

Phase 05: Ongoing Monitoring

We keep reviewing the Software Bill of Materials (SBOM) in CycloneDX format, newly disclosed vulnerabilities, whether integration components remain evaluated under the CICLON methodology, and the National Security Scheme (ENS) or European Union Cybersecurity Certification Scheme for Cloud Services (EUCS) certification status of the cloud provider so the PGC remains up to date.

The Direct Route to CICLON Certification

Cloud certification requires a partner who understands both regulation and modern architectures. That is how we reduce friction, shorten decision cycles and improve your route to the Spanish public sector.

  • Shared Responsibility Model Management: We define precisely which controls belong to your software and which are inherited from AWS, Azure or GCP, avoiding wasted effort.

  • Continuous Monitoring Support: We stay after the initial evaluation and manage the recurring CICLON iterations so newly discovered issues do not silently degrade your assurance level.

  • We Steer the Process: We handle the submission workflow, the communication with the CCN and the coordination of the process from start to finish.

Is CICLON right for my product?

Our evaluation is the required fit for:

  • Software-as-a-Service (SaaS) platforms
  • Platform-as-a-Service (PaaS) solutions
  • Infrastructure-as-a-Service (IaaS) providers
  • Cloud products that need CPSTIC access for public tenders

Frequently Asked Questions

What is the Composite Assurance Percentage (PGC)?
The PGC is the continuous assurance score used in CICLON to reflect the product security level over time. If non-conformities are found during the evaluation, the verdict becomes FAIL and the PGC is 0. The score is then updated through periodic reviews.

Is my product suitable for CICLON?
If your product is delivered in the cloud as SaaS, PaaS or IaaS, CICLON is the official route expected by the CCN for access to CPSTIC. If the product is deployed on-premises or is not delivered as a cloud service, LINCE is typically the better fit.

What is the Service Architecture Document (DAS)?
It is a key private document in CICLON that describes how the product is structured in the cloud, its internal and external interfaces, and how sensitive information flows. We help prepare it so it accurately reflects the service architecture within the CICLON process.

Why is a monitoring phase required?
Cloud environments evolve continuously. CICLON therefore requires periodic monitoring of the SBOM in CycloneDX format, cloud dependencies, whether relevant integration components remain evaluated under the CICLON methodology, and provider certifications such as ENS or EUCS so the assurance score reflects the current reality.

What happens if vulnerabilities are found in the web/cloud environment?
If the pentest performed under the CCN methodology identifies exploitable weaknesses, we deliver a detailed report and work with your development team so the required fixes can be implemented and verified before the final package is submitted.

How much does a CICLON certification cost?
The effort depends on architecture complexity, number of interfaces, cryptography usage, integrated third-party components and the target scope. Timelines and cost vary according to the product. We start with an initial analysis to define a realistic project plan and proposal.

Does CICLON replace LINCE for cloud products?
In practical terms, yes. If the product is delivered as SaaS, PaaS or IaaS, CICLON is the route built for that cloud model. LINCE remains the better fit for on-premises and non-cloud products.

Can a SaaS product enter CPSTIC through CICLON?
That is one of the main reasons CICLON exists. The methodology creates a viable route for cloud products that need to enter CPSTIC under an evaluation model adapted to cloud operations.

What happens if the product changes during monitoring?
CICLON assumes change over time. The monitoring phase exists precisely to reassess the SBOM in CycloneDX format, dependencies, whether integration components remain evaluated under the CICLON methodology, and other relevant changes so the assurance level stays current.

If my cloud product needs CPSTIC, do I need CICLON?
If your cloud product needs to enter CPSTIC, CICLON is the route built for that scenario. If CPSTIC is not the objective and there is no need to provide formal assurance evidence to ENS-related entities, another route may be more appropriate.

Ready to certify your cloud product and unlock the Spanish public market?

Tell us about your architecture and we will design the right CICLON roadmap, from documentation and technical evaluation to continuous monitoring.
