Spanish Catalogue of Qualified Products: A New Way of Using CC for Procurement (R22c)
The acquisition of an IT security product handling national or sensitive information must be preceded by a verification process ensuring that the security mechanisms implemented in the product are adequate to protect such information.
Over the past year, the Spanish state, through its certification body, has been making a considerable effort to encourage and facilitate the use of certified products in the National Administration. Different strategic lines have been used to achieve this:
• The creation of the ENS: a scheme that determines the security policy to be applied in the use of information technology, including the promotion of the use of certified or qualified devices and software.
• The promotion of Common Criteria as the de facto standard for IT security certifications.
• The creation of a taxonomy and a catalogue of qualified products.
This session will focus on this last point:
The Spanish Reference taxonomy for IT security products has a set of product categories which, in turn, are divided into families, that is, product types according to their main functionality (e.g. router, firewall, proxy, secure deletion tool, etc.).
For each product family of the taxonomy, a document has been defined containing the expected Fundamental Security Requirements (FSR), which should be taken as a reference for the development, evaluation and secure use of the products within each family, as well as a series of cases of intended use and expected operational environments.
These Fundamental Security Requirements are perfectly aligned with the Common Criteria standard, indicating, for each product family, the applicable Protection Profile or requirements that allow direct inclusion in the catalogue.
The development of this evaluation and certification scheme is allowing the Spanish administration to procure IT equipment that has passed state-of-the-art security controls while providing manufacturers greater flexibility to evaluate their products quickly and efficiently, responding to fast-changing market demands. The final consumer, the Spanish Administration, will have a simple and manageable catalogue that shows what equipment it needs to purchase in order to guarantee the security of the citizen.
This session will present this innovative approach for procurement that could be used by other countries.