Application for certification of products or laboratory accreditations by the CCN.
The Certification Agency legitimates the security of Information Technology products and systems, in accordance with the Regulation for the Evaluation and Certification of Security of Information Technologies and Communications (chapter V: Certification of products and systems) and after considering, among other evidence of the performance of the procedure, the evaluation reports issued by the accredited laboratories and carried out in accordance with the criteria, methods and standards for security evaluation indicated in the same regulation (chapter VI: Evaluation criteria and methodologies).
This certification is the result of an evaluation process regarding the security functions of a product or system (subject of the evaluation), which is carried out by an independent laboratory, accredited and technically qualified for this purpose and following a standard methodology. The aim is to verify that the subject of the evaluation complies correctly and effectively with the security functionality described in its documentation. Therefore, this certification implies the recognition of the veracity of the security properties of its corresponding security declaration. It does not, however, imply a declaration of suitability for use in any scenario or field of application. In assessing this suitability, other circumstances should be taken into account for the correct interpretation of the certificate, including the restrictions laid down in the security declaration.
Since the end of 2004, the OC / CCN has been applying various ICT security evaluation standards, among them; the one that is most recognised internationally: the Common Criteria for Information Technology Security Evaluation (also published as ISO/IEC15408). Within the framework of this standard, several applications for product certification have already been received and processed for possible use in the Spanish Electronic Administration. This standard defines the evaluation levels between EAL1 and EAL7. The CCRA is the international agreement that covers mutual recognition of certifications between levels EAL1 and EAL2.
It should be noted that the Royal Decree 3 / 2010 of 8 January, amended by the RD 951 / 2015 of 23 October, regulating the National Security Scheme (ENS) in the field of Electronic Administration, in relation to the “acquisition of security products and hiring of security services”, indicates the following in its article 18:
1. In the acquisition of information and communications technology security products to be used by public Administrations, those with certified security functionality related to the subject of their acquisition will be used in a manner proportionate to the category of the system and the level of security established, except in those cases in which the requirements of proportionality in terms of the risks assumed do not justify it in the opinion of the head of Security.
This certification must be in accordance with the regulations and standards of greater international recognition, and it will be the OC / CCN which, within its competencies, will determine the criteria to be complied with according to the intended use of the product to which it refers, that is, in relation to the level of evaluation and other additional security certifications required by law, as well as, in cases in which there are no certified products, as an exception.
In order to start this procedure, you must provide at least the information indicated below. The forms can be downloaded from the website of the certification Agency.
- Laboratory accreditation application form (FOR-005-Laboratory accreditation application)
- Security Declaration
- Application for Product Certification (FOR-001-Product Certification application)