Structure

The structure of the STIC Products and Services Catalogue (CPSTIC) is defined in the CCN-STIC 140 guide "Reference taxonomy for ICT security products". It is basically organised in three (3) lists:

Each of them is made up of several categories which, in turn, are made up of several families.

Qualified Products and Services

This list includes products and services that form part of the security architecture of ICT systems that are under the scope of the ENS in one of its BASIC, MEDIUM or HIGH categories, i.e. those that develop their activity in the operational context of the ENS and implement functionalities that increase the security level of the system in one of its dimensions (availability [D], integrity [I], confidentiality [C], authenticity [A] and traceability [T]).

For a product or service to be qualified, it must comply with the Fundamental Security Requirements (FSR) defined for each family, included in the corresponding annexes of the CCN-STIC 140 guide:

Access control

Family	Annexes (RFS)
	ENS Alta	ENS Media
Control de Acceso a Red (NAC)	A.1	A.1M
Dispositivos Biométricos	A.2
Dispositivos Single Sign-On	A.3
Servidores de Autenticación	A.4	A.4M
Gestión de Acceso Privilegiado (PAM)	A.6	A.6M
Gestión de Identidades (IM)	A.7	A.7M

Operational safety

Family	Annexes (RFS)
Anti-virus/EPP (Endpoint Protection Platform)	B.1	B.1M
EDR (Endpoint Detection and Response)	B.2	B.2M
Herramientas de gestión de red	B.3	B.3M
Herramientas de actualización de sistemas	B.4
Herramientas de filtrado de navegación	B.5	B.5M
Sistemas de gestión de eventos de seguridad (SIEM)	B.6	B.6M
Device management tools (UEM)	B.8	No Aplica
Sistemas de orquestación, automatización y respuesta de seguridad (SOAR)	B.9	No Aplica

Security monitoring

Family	Annexes (RFS)
Dispositivos de prevención y detección de intrusiones	C.1	C.1M
Sistemas Honeypot / Honeynet	C.2
Captura, Monitorización y Análisis de Tráfico	C.3	C.3M
Herramientas de sandbox	C.4	C.4M

Protection of communications

Family	Annexes (RFS)
Enrutadores	D.1	D.1M
Switches	D.2	D.2M
Cortafuegos	D.3	D.3M
Proxies	D.4	D.4M
Dispositivos de Red Inalámbricos	D.5	D.5M
Pasarelas seguras de intercambio de datos	D.6	No Aplica
Diodos de datos	D.7	No Aplica
Redes privadas virtuales (IPSec)	D.8A	No Aplica
Redes privadas virtuales (SSL)	D.8B	No Aplica
Herramientas de voz por IP (VoIP)	D.9A	D.9AM
Herramientas de mensajería instantánea (IM)	D.9B	D.9BM
Herramientas de videoconferencia	D.9C	D.9C-M
Web Application Firewall (WAF)	D.10	D.10M
Redes definidas por software (SDN)	D.11

Protection of Information and Information Media

Family	Annexes (RFS)
Almacenamiento cifrado de datos	E.1
Cifrado y compartición segura de información	E.2
Herramientas de Borrado Seguro	E.3	E.3M
Sistemas de prevención de fugas de datos	E.4
Herramientas para firma electrónica	E.5	No Aplica
Módulo de Seguridad Hardware (HSM)	E.6
Gestión de metadatos		E.7M

Protection of Equipment and Services

Family	Annexes (RFS)
Dispositivos móviles	F.1	No Aplica
Sistemas operativos	F.2	No Aplica
Protección de correo electrónico	F.3	F.3M
Tarjetas inteligentes	F.4	No Aplica
Copias de seguridad	F.5
Plataformas confiables	F.6
Virtualización	F.7	F.7M
Balanceadores de carga	F.8	F.8M
Herramientas CASB	F.9	F.9M
Hiperconvergencia	F.10	F.10M
Herramientas de Videoidentificación	F.11	F.11M
Infraestructura de escritorio virtual (VDI)	F.12	F.12M
Conmutadores KVM	F.13
Sistemas de Gestión de Bases de Datos (DBMS)	F.14

Cloud services

Family	Annexes (RFS)
Servicios en la nube	G	G

Cryptographic mechanisms

Family	Annexes (RFS)
Requisitos para mecanismos criptográficos	H	H

Protection of facilities and infrastructure

Family	Annexes (RFS)
Cámaras IP		I.1M
Herramientas de gestión de vídeo		I.2M

OT security

Family	Annexes (RFS)
Estaciones de carga de vehículos eléctricos		O.1M

Security product development tools

Other tools

Approved Products and Services

The taxonomy of products approved for the handling of classified information shall be the same as for qualified products together with the following categories:

Protection in tactical environments

Tempest

The Fundamental Security Requirements (FSR) shall be the same as those set out in this guide for qualified products, updated with those specific to encryption products set out in CCN-STIC-130 Approval Requirements for Encryption Products for Handling Classified National Information.

Compliance and Governance Products and Services

The list of Compliance and Governance Products and Services includes products and services that are not part of the security architecture of an ICT system, but which implement functionalities that facilitate compliance with security regulations. This group includes, for example, auditing tools, risk analysis or system/equipment basing.

From the point of view of inclusion in the CPSTIC, no specific requirements have been defined for these products and no certifications are required, although they are assessed in an accredited laboratory.

This list has a single category, Compliance and Governance, which is composed of the following families: