LINCE Certification
LINCE Certification
LINCE certification makes it possible to evaluate and certify the security of ICT products in a more agile and limited way than more complex schemes, such as Common Criteria.
It is especially aimed at manufacturers and developers that need to demonstrate the security of their product for use in the Spanish market, particularly when the objective is to facilitate the inclusion of the product in the CCN Catalogue of ICT Security Products and Services, CPSTIC.
At Digital Cubes, we support manufacturers throughout the preparation, evaluation and technical support process, helping to reduce risks, avoid delays and prepare the documentation needed to approach the evaluation with confidence.
What is LINCE?
LINCE, the National Essential Security Certification, is a security evaluation methodology for ICT products developed by the Spanish National Cryptologic Centre.
Its objective is to verify that the security functions claimed by the product are consistent, properly documented and provide resistance against threats within the scope defined for the evaluation.
Unlike Common Criteria, LINCE is designed as a lighter scheme, with limited effort and duration, making it a suitable route for products that require a national security certification without assuming the complexity of a high-assurance evaluation.
What types of products is LINCE certification suitable for?
LINCE may be a suitable option for any product intended to provide security to information systems related to public administrations.
This includes, among others:
- Security software.
- Physical or virtual appliances.
- ICT products that process sensitive information or provide security functionality.
- On-premises solutions deployed in the customer’s infrastructure.
- Hardware products with security functions.
- Firmware or embedded components.
The initial analysis makes it possible to determine whether LINCE is the appropriate route or whether alternatives such as Common Criteria, EUCC, CICLON or a complementary CPSTIC evaluation should be considered.
LINCE and CPSTIC
The reason for initiating a LINCE certification is to include the product in the Catalogue of ICT Security Products and Services, CPSTIC.
This catalogue is a key reference for public bodies and entities subject to the Spanish National Security Framework, as it identifies products whose security functionality has been evaluated.
Digital Cubes helps the manufacturer understand which evaluation route applies to its product, which catalogue family may correspond to it, what evidence is required and how to prepare the documentation to facilitate the evaluation and inclusion process.
LINCE vs Common Criteria
LINCE and Common Criteria are different schemes and respond to different needs.
LINCE is usually more suitable when the product requires a national certification, with limited effort and time, aimed at the Spanish market and at environments where a high-depth evaluation is not required.
Common Criteria may be more appropriate when the product requires international recognition, a higher level of assurance or certification for more demanding environments.
Digital Cubes helps select the most appropriate route based on the product, the target market, customer requirements and the manufacturer’s certification strategy.
Our LINCE Consultancy Service
Digital Cubes provides technical and documentary support throughout all phases of the process:
1. Initial product analysis
We review the product, its architecture, deployment model, security functions and commercial or regulatory objectives.
The objective is to determine whether LINCE is the appropriate route, identify early risks and define a realistic roadmap before starting the formal process.
2. Definition of the TOE scope
We help correctly define the TOE, Target of Evaluation, by identifying the product and version to be evaluated, the included and excluded components, the operational environment and external dependencies. We also establish the secure configuration, relevant security functions and usage assumptions and restrictions.
An incorrect definition of the scope may lead to delays, questions during the evaluation or the need to redo documentation.
3. Security Target
We prepare the product Security Target, the central document of the LINCE evaluation.
This document describes the certification scope, the security functions, the product environment and the basis on which the laboratory will perform the evaluation.
4. Adaptation of guides and manuals
We review and adapt the product documentation so that it is useful both during the evaluation and for the end user.
This may include:
- Secure installation guide.
- Secure configuration guide.
- Administration manual.
- Operation manual.
- Environmental requirements.
- Update procedures.
- Secure usage recommendations.
- Certified configuration.
5. Support for optional modules
When required by the scope, we provide support in the preparation of optional modules such as:
- MEC: Cryptographic Evaluation Module.
- MCF: Source Code Review Module.
- MEB: Biometric Evaluation Module.
These modules make it possible to increase the depth of the evaluation in specific areas of the product.
6. Coordination with the laboratory and support during the evaluation
During the evaluation, Digital Cubes acts as technical support for the manufacturer, helping to answer questions from the laboratory, prepare clarifications, review observations and coordinate the delivery of additional documentation or evidence.
7. Resolution of non-conformities
It is common for observations, questions or documentary or technical findings to arise during an evaluation.
Digital Cubes helps analyse, prioritise and resolve them through:
- Justified technical responses.
- Documentary adjustments.
- Remediation recommendations.
- Configuration reviews.
- Coordination with the development team.
- Follow-up until open points are closed.
8. Support for CPSTIC inclusion
When the manufacturer’s objective is inclusion in CPSTIC, we can help prepare the documentation and evidence needed to facilitate the process following the evaluation.
This may include reviewing the fit of the product within the corresponding family, preparing additional information and providing documentary support associated with the inclusion process.
Frequently Asked Questions (FAQ)
Do I need LINCE to enter CPSTIC?
It depends on the type of product, its category, its CPSTIC family and the applicable inclusion route. For many ICT products, LINCE may be a suitable route, but each case must be analysed individually.
What documentation does the manufacturer need?
A Security Target, installation, configuration and operation documentation, a description of the product environment, information about the security functions and supporting technical evidence are usually required.
How long does a LINCE certification take?
The LINCE methodology is designed to have limited effort and duration. However, the actual timeline depends on the maturity of the product, the quality of the existing documentation, the availability of the technical team and the speed with which observations are resolved.
What happens if non-conformities appear?
It is common for questions, observations or findings to arise during the evaluation. Digital Cubes helps prepare responses, update documentation and coordinate technical actions to resolve them efficiently.
Does LINCE have international recognition?
LINCE is a Spanish national scheme. If the manufacturer requires international recognition, it may be advisable to consider Common Criteria or other certification schemes.
Is a specific version of the product certified?
Yes. The certification is associated with a specific version and configuration of the product. If the product evolves, it may be necessary to analyse the impact of the changes and consider continuity, update or recertification processes.
When is the best time to start preparing?
It is advisable to start before formally contracting the evaluation, especially if the product documentation is not certification-oriented. A prior analysis helps detect gaps, reduce risks and avoid delays during the evaluation.
Does Digital Cubes issue the LINCE certification?
No. LINCE certification is issued by the Certification Body. Digital Cubes acts as a specialised consultancy, helping the manufacturer prepare the product, the documentation and the technical responses required during the process.