Structure
The structure of the STIC Products and Services Catalogue (CPSTIC) is defined in the CCN-STIC 140 guide "Reference taxonomy for ICT security products". It is organised in three lists: Qualified Products and Services, Approved Products and Services, and Compliance and Governance Products and Services.
Each list is made up of several categories which, in turn, are made up of several families.
Qualified Products and Services
This list includes products and services that form part of the security architecture of ICT systems within the scope of the ENS in one of its BASIC, MEDIUM or HIGH categories, i.e. those that operate in the operational context of the ENS and implement functionalities that raise the security level of the system in one or more of its dimensions (availability [D], integrity [I], confidentiality [C], authenticity [A] and traceability [T]).
For a product or service to be qualified, it must comply with the Fundamental Security Requirements (FSR; RFS in the Spanish annex names) defined for its family, which are set out in the corresponding annexes of the CCN-STIC 140 guide. The tables below list, for each family, the annex that applies to ENS High (Alta) systems and the one that applies to ENS Medium (Media) systems; Medium-category annexes carry an M suffix. A blank cell means no annex is listed for that combination on this page; "Not applicable" is stated explicitly by the catalogue.
| Family | Annex (ENS High) | Annex (ENS Medium) |
|---|---|---|
| Anti-virus/EPP (Endpoint Protection Platform) | B.1 | B.1M |
| EDR (Endpoint Detection and Response) | B.2 | B.2M |
| Network management tools | B.3 | B.3M |
| System update tools | B.4 | |
| Web browsing filtering tools | B.5 | B.5M |
| Security event management systems (SIEM) | B.6 | B.6M |
| Device management tools (UEM) | B.8 | Not applicable |
| Security orchestration, automation and response systems (SOAR) | B.9 | Not applicable |
| Family | Annex (ENS High) | Annex (ENS Medium) |
|---|---|---|
| Routers | D.1 | D.1M |
| Switches | D.2 | D.2M |
| Firewalls | D.3 | D.3M |
| Proxies | D.4 | D.4M |
| Wireless network devices | D.5 | D.5M |
| Secure data exchange gateways | D.6 | Not applicable |
| Data diodes | D.7 | Not applicable |
| Virtual private networks (IPsec) | D.8A | Not applicable |
| Virtual private networks (SSL) | D.8B | Not applicable |
| Voice over IP (VoIP) tools | D.9A | D.9AM |
| Instant messaging (IM) tools | D.9B | D.9BM |
| Videoconferencing tools | D.9C | D.9C-M |
| Web Application Firewall (WAF) | D.10 | D.10M |
| Software-defined networking (SDN) | D.11 | |
| Family | Annex (ENS High) | Annex (ENS Medium) |
|---|---|---|
| Encrypted data storage | E.1 | |
| Encryption and secure sharing of information | E.2 | |
| Secure erasure tools | E.3 | E.3M |
| Data leak prevention systems | E.4 | |
| Electronic signature tools | E.5 | Not applicable |
| Hardware Security Module (HSM) | E.6 | |
| Metadata management | | E.7M |
| Family | Annex (ENS High) | Annex (ENS Medium) |
|---|---|---|
| Mobile devices | F.1 | Not applicable |
| Operating systems | F.2 | Not applicable |
| Email protection | F.3 | F.3M |
| Smart cards | F.4 | Not applicable |
| Backups | F.5 | |
| Trusted platforms | F.6 | |
| Virtualisation | F.7 | F.7M |
| Load balancers | F.8 | F.8M |
| CASB tools | F.9 | F.9M |
| Hyperconvergence | F.10 | F.10M |
| Video identification tools | F.11 | F.11M |
| Virtual desktop infrastructure (VDI) | F.12 | F.12M |
| KVM switches | F.13 | |
| Database management systems (DBMS) | F.14 | |
| Family | Annex (ENS High) | Annex (ENS Medium) |
|---|---|---|
| Electric vehicle charging stations | | O.1M |
Security product development tools
Other tools
Approved Products and Services
The taxonomy of products approved for the handling of classified information is the same as for qualified products, together with the following additional categories:
Protection in tactical environments
Tempest
The Fundamental Security Requirements (FSR) are the same as those set out in this guide for qualified products, supplemented by the requirements specific to encryption products set out in CCN-STIC-130, Approval Requirements for Encryption Products for Handling Classified National Information.
Compliance and Governance Products and Services
The list of Compliance and Governance Products and Services includes products and services that are not part of the security architecture of an ICT system, but which implement functionalities that facilitate compliance with security regulations. This group includes, for example, auditing tools, risk analysis tools, and system or device hardening tools.
For inclusion in the CPSTIC, no specific Fundamental Security Requirements have been defined for these products and no certification is required, although they are still assessed by an accredited laboratory.
This list has a single category, Compliance and Governance, which is composed of the following families:
| Family | Name |
|---|---|
| CG.1 | Security Governance and Planning |
| CG.2 | Security Regulations and Compliance |
| CG.3 | Risk Analysis and Management |
| CG.4 | Notification and Management of Cyber Incidents |
| CG.5 | Cyber Intelligence Exchange |
| CG.6 | Cybersecurity Awareness and Training |