CPSTIC Qualification
Inclusion in the CPSTIC Catalogue
At Digital Cubes, we help ICT product manufacturers and developers define, prepare, and complete the qualification process required to include their products in the Spanish CPSTIC Catalogue of the Spanish National Cryptologic Centre.
Inclusion in the CPSTIC Catalogue is a key milestone for security products intended to be used in systems subject to the Spanish National Security Framework, especially in ENS Medium or ENS High environments. For many manufacturers, being listed in the catalogue is not only a technical milestone, but also a strategic requirement to compete in public tenders and sell to public administrations or to companies providing services to the public sector.
At Digital Cubes, we support developers throughout the entire process: from the initial analysis of the applicable CPSTIC family to document preparation, coordination with CPSTIC and laboratories, resolution of non-conformities, and subsequent maintenance of the qualification.
What is the CPSTIC Catalogue?
The CPSTIC Catalogue is the Catalogue of ICT Security Products and Services of the Spanish National Cryptologic Centre. It includes ICT security products and services that have successfully completed recognised evaluation or certification processes through which CPSTIC qualification is achieved.
When a product is included in the catalogue, its security functionality has been evaluated against a specific family, set of requirements, and methodology. This enables public entities and their providers to select suitable products to protect systems within the scope of the ENS.
CPSTIC qualification is especially relevant for products that provide security functions such as access control, communications protection, encryption, monitoring, endpoint protection, identity management, firewalls, switches, security platforms, cryptographic components, or other products that form part of a system’s security architecture.
Why is it important to be listed in CPSTIC?
Being included in the CPSTIC Catalogue can be decisive for selling ICT security products to the Spanish public sector.
The ENS requires, where applicable, that security products and services used in Medium or High category systems have qualified security functionality. For this reason, when a public administration or a company providing services to the public administration needs to acquire a security product, inclusion in CPSTIC can become a decisive technical requirement, a competitive advantage, and a differentiating factor compared to non-qualified products.
For the manufacturer, the inclusion process makes it possible to:
- Access commercial opportunities in the public sector.
- Align the product with ENS requirements.
- Demonstrate that the security functionality has been evaluated.
- Reduce barriers in tenders and procurement processes.
Identification of the CPSTIC family
The first step in the process is to identify the CPSTIC family to which the product belongs.
Each family defines the type of product, the expected functional scope, and the fundamental security requirements that must be met. This phase is critical because incorrect identification of the family can lead to delays, changes in strategy, unnecessary documentation, or even the need to rethink the evaluation.
In some cases, the product does not clearly fit into an existing family or implements security functionality in a way that differs from what is expected by the CPSTIC taxonomy. In these cases, it is necessary to analyse the situation with CPSTIC and define a specific strategy.
At Digital Cubes, we help to:
- Analyse the product’s security functionality.
- Identify the applicable CPSTIC family.
- Review the fundamental security requirements.
- Determine whether the product meets the required requirements.
- Identify functional or documentary gaps.
- Prepare the initial justification for CPSTIC.
- Manage special cases where there is no clearly applicable family.
ENS Medium or ENS High?
Once the family has been identified, the qualification strategy must be defined: ENS Medium, ENS High, or a progressive route.
The decision should not be based solely on the technical level, but also on the manufacturer’s commercial strategy. If the objective is exclusively the Spanish national market, a progressive route may make sense: first entering at ENS Medium level and later assessing whether to move up to ENS High. If the product has an international strategy or already requires Common Criteria for other markets, it may be more efficient to go directly through a Common Criteria-based route.
Digital Cubes helps define this strategy to avoid duplicated work, reduce rework, and align the certification process with the product’s commercial objectives.
As general guidance:
- For ENS Medium, the usual route is based on a LINCE certification that covers the requirements of the corresponding CPSTIC family.
- For ENS High, the usual route is based on a Common Criteria certification or on a strategy that covers the requirements demanded for that level.
- When the product already has a previous certification, it may be possible to reuse part of the work through a gap analysis.
- When there are gaps between the existing certification and the CPSTIC requirements, a Complementary STIC Evaluation may be necessary.
Our CPSTIC consulting service
At Digital Cubes, we offer a comprehensive consulting service for manufacturers and developers seeking to include their products in the CPSTIC Catalogue.
Our support covers the entire qualification lifecycle:
Initial analysis and qualification strategy
We analyse the product, its security functionality, its use cases, and its architecture to identify the applicable CPSTIC family and justify its fit within the taxonomy.
Based on this analysis, we help define the most suitable qualification strategy, assessing whether LINCE, Common Criteria, or, where available, the reuse of a previous certification is the best option, as well as the target level between ENS Medium and ENS High.
Requirements assessment and document preparation
We review the fundamental security requirements of the applicable family to identify potential gaps, functional change needs, or additional evidence.
We prepare the Security Target and all documentation required to initiate the qualification procedure, including forms, document references, and technical justifications.
In addition, we generate or adapt the technical documentation required by the applicable evaluation methodology, as well as user manuals, administration guides, installation guides, and secure configuration guides.
Coordination, evaluation, and technical support
We support the developer in technical communication with CPSTIC, especially during the initial validation of the family, scope, and documentation. We also assist in selecting and coordinating with accredited laboratories to perform the required evaluation.
During the process, we help resolve comments, clarifications, and non-conformities, both documentary and technical, including advice on implementation changes where necessary.
Completion and catalogue inclusion
Once the evaluation has been completed and the corresponding certification has been obtained, we help prepare the final communication to CPSTIC and the information required for inclusion of the product in the catalogue.
Frequently Asked Questions (FAQ)
Is it mandatory to be listed in the CPSTIC Catalogue?
For security products or services that form part of the security architecture of systems subject to the ENS, especially in Medium or High categories, it is necessary and highly relevant for the procurement process.
In practice, being included in the catalogue can be decisive for competing in public tenders or selling to public sector providers.
What is the difference between qualification and certification?
Certification is the result of an evaluation performed under a specific methodology, such as LINCE or Common Criteria. CPSTIC qualification is the process through which the product, supported by that certification or evaluation, can be included in the CPSTIC Catalogue for a specific family and category.
What certification do I need to enter CPSTIC?
It depends on the family, the target ENS category, and the product’s starting point. In many cases, LINCE may be suitable for ENS Medium, while Common Criteria may be necessary for ENS High.
If a previous certification already exists, its reuse can be analysed through a gap analysis.
Can I use an existing Common Criteria certification?
It depends on the family, the target ENS category, and the product’s starting point. In many cases, LINCE may be suitable for ENS Medium, while Common Criteria may be necessary for ENS High.
If a previous certification already exists, its reuse can be analysed through a gap analysis.
What happens if my product does not clearly fit into a CPSTIC family?
In that case, the product, its security functionality, and its use case must be analysed in order to justify its fit or submit a query to CPSTIC. Digital Cubes can help you prepare this justification and define the most appropriate strategy.
How long does the CPSTIC inclusion process take?
It depends on the chosen route, the product’s readiness, the availability of documentation, the laboratory’s workload, CPSTIC comments, and the potential appearance of non-conformities. This is why it is important to perform a pre-assessment before committing to commercial deadlines or specific tenders.
What documentation needs to be prepared?
Normally, it will be necessary to prepare a Security Target, product documentation, manuals, initiation forms, technical evidence, and specific documentation for the applicable evaluation methodology.
In Common Criteria, the documentary workload is usually much greater than in LINCE.
What happens if the product changes after entering the catalogue?
Changes must be analysed to determine whether they impact the evaluated security functionality. In many cases, a gap analysis will be sufficient, but if the change affects the security scope, a documentation update or an additional evaluation may be required.