CSPN: What U.S. companies need to know about the security certification process

March 22, 2017

CSPN: What U.S. companies need to know about the security certification process

  Impact of the Internet of Things (IoT) on the certification process In the rapidly evolving IoT market, product security validation and certification is critical, especially in an age where...


Impact of the Internet of Things (IoT) on the certification process

In the rapidly evolving IoT market, product security validation and certification is critical, especially in an age where every device, regardless of significance, is now a target for hackers.

While Common Criteria (CC) and the Federal Information Processing Standard (FIPS) have long been the gold standard of certifications, the Certification Securite de Premier Niveau (CSPN) is fast-becoming popular in Europe, but currently only legally applies to the French marketplace. If your company has an Internet-enabled device it wants to sell to the French government – such as a phone or camera, for example – it must be CSPN certified.

CSPN provides faster testing timelines than other traditional certifications while still providing confidence of security maturity. The standard currently only applies in one European country, but American companies should pay close attention as it is likely that CSPN – or a similar lightweight certification process – will soon be adopted not only across the European Union, but in the United States as well.

Why CSPN is necessary

CSPN is equally robust as CC and FIPS, which is why it is viewed as a trusted certification process. It defines the processes to allow accredited third-party entities to evaluate and ensure that a target product or system meets the security requirements defined in its security target.

There are many reasons for CSPN’s importance, including:

  1. Companies operating within the IoT space (where technology evolves continuously and rapid time to market is key to success) must ensure they meet critical standards.
  2. CSPN is widely adopted by the French government and French industries to assure a first level of security.
  3. CSPN is a relatively short process of eight weeks, with a fixed amount of employee time required (25 employee days, and 10 additional employee days if cryptographic algorithms need to be evaluated).
  4. Costs are contained and continuity programs are considered natively in the process, allowing product evolution.

The numerous critical steps along the path to CSPN certification are explained below in specific detail, including the participants and their interactions during the evaluation period.

Roles and responsibilities

The certification sponsor provides the product, its security target, and its documentation. When essential product security functions are based on cryptographic mechanisms, the sponsor also provides the documentation that describes these mechanisms. In addition, the sponsor signs a contract with an evaluation facility licensed by ANSSI, the French Network and Information Security Agency, to carry out the security evaluation. Ultimately, the sponsor receives the final version of a validated ANSSI Evaluation Technical Report (ETR) and decides whether or not to publish it.

The evaluation facility is licensed for the technical domains in which its skills are estimated to be sufficient by ANSSI. An evaluation facility can only evaluate products in the technical domains for which it has been licensed. However, more than one evaluation facility may be necessary to cover all the skills needed to analyze a product. Once a contract is signed, the evaluation facility inspects the product according to the criteria and methodologies drafted by ANSSI for CSPN, and then summarizes the results of the evaluation into an ETR that is shared with ANSSI for validation. The evaluation facility and its personnel are obliged to maintain professional secrecy for the products they evaluate and the results they obtain during the evaluation.

The list of evaluation facilities licensed for CSPN-criteria is kept up-to-date on the ANSSI website.

ANSSI’s certification body drafts the evaluation criteria and generic method for CSPN, as well as methods specific to certain types of products. It drafts the procedures, forms, and all documents necessary to implement the CSPN standard, including:

  • Evaluation facility licensing procedure
  • Templates for drafting security targets
  • Evaluation technical reports
  • Certification reports
  • CSPN request form

ANSSI ensures that the evaluation facilities satisfy the criteria listed in the licensing procedure. It analyzes the certification request files (security target, test duration, etc.) and authorizes or prohibits the launch of the evaluation. ANSSI also validates the ETR drafted by the evaluation facility, proposes follow up for each evaluation (certified or not), drafts the certification report, and issues the certificate.

With the sponsor’s agreement, ANSSI publishes the security target and the certification report of the certified CSPN product on its website.

The developer is responsible for providing technical assistance to the evaluators if necessary, including training, testing, and provisioning of an evaluation platform. This also helps developers protect a company’s intellectual property and product-related deliverables.

The certification sponsor may propose the presence of an observer (such as a risk manager) who is associated with the evaluation monitoring and has a specific interest in relation to the results or conduct of the evaluation. Observers, however, are subject to ANSSI approval.

The observer is kept informed about the evaluation and the results, and may ask to receive the ETR or an abbreviated version of it.

The CSPN process

Before sending a CSPN certification request to ANSSI a sponsor must provide or comply with the following:

  • The security target of the product must be outlined and contain the commercial name of the product, a reference uniquely identifying it, and the exact version submitted for evaluation. The product must be presented describing its common usage, by whom it will be operated, under what context (the technical environment), the assets the product is protecting, the threats against which the product offers protection, and the associated security counter measures.
  • A user and admin guide enabling the installation, administration, and operation of the product.
  • A description of the cryptographic mechanisms implemented in the product (if any) and the associated tests to enable an evaluator to verify the conformity of the implemented mechanisms with the security target.
  • The product’s technical domain. In case the sponsor is not comfortable with the defined domains, they can contact ANSSI to determine whether CSPN applies and which facility can evaluate the product.
  • The evaluation facility must have access to the product and the testing equipment (if necessary) to implement the evaluation.
  • The sponsor must not have started or completed a CC certification on a similar version of the product.

Once the sponsor has collected all the necessary documentation, it can contact an evaluation facility and sign a contract for the technical domain that applies to the product.

The sponsor then provides ANSSI with the following documentation:

  • The certification request
  • The product security target (as described above)
  • If applicable, documentation regarding cryptographic mechanisms

If a request is not accepted, sponsors must return to the preparation phase and address missing points. For example, these include the security target not being properly formulated, incomplete descriptions, or overly complex evaluation in the fixed time frame of the CSPN.

Upon reception of an ANSSI letter, the evaluation facility can begin the project (under time and workload constraints) according to a formalized framework defined by ANSSI to ensure consistent results across the licensed evaluation facilities, as well as to facilitate comparison of similar products evaluated by different facilities. ANSSI may request to be involved in some or all of the process and if the facility exceeds the time planned for the evaluation, ANSSI may decide to close the certification process. This, however, does not relieve the sponsor from any contract obligation with the evaluation facility. As previously stated, CSPN certification must be carried out within an eight-week calendar period. The sponsor may propose an adaptation of the time frame for specific cases, however ANSSI reserves the right to refuse if it considers that CSPN is not well suited for this kind of product.

The evaluation facility shall describe in its report the testing platform used to assess the conformity of the product against the security target and eventually include any other information regarding performance, interoperability with other appliances, and system usage.

The purpose of the evaluation is to assess product conformity with its security target, the effectiveness of the security functions against identified threats, and the impact of the product on host system security. It should be noted that the evaluation facility scores the theoretical resistance of the security functions and provides an expert opinion on their effectiveness.

The results of the analysis, based on available product documentation and known vulnerabilities of similar products, are then summarized in the ETR, which must contain:

  • A reminder of the analysis context (usage context, analysis duration, and security functions)
  • A summary of the documentation providing a description of the security or security-related functions
  • The functional expectations of the product (summary of its security characteristics)
  • An inventory of the product vulnerabilities (information from the CERT-FR, public bases, or the developer) and the applicable available corrections
  • A list of the main analysis tools used
  • A summary of the results of the tests performed on the product
  • Scoring for the resistance of the security mechanisms and the cryptographic mechanisms, where applicable
  • A report and scoring for any exploitable vulnerabilities identified
  • An opinion on the product’s ergonomics and recommendations for use or configuration in the planned usage context

Final stages of CSPN

Upon completion of the evaluation, ANSSI may require additional work from the evaluation facility if it is considered insufficient. If the ETR indicates the product does not meet the security target, then the certification process ends.

However if the product meets the security target, the evaluation facility will then present the results to ANSSI. A product demonstration may be requested for this face-to-face meeting and the sponsor’s attendance may be required. If the outcome of both the ETR review and the evaluation are positive, ANSSI will draft the certification report. ANSSI will score the resistance of the product security features and, if applicable, of the cryptographic mechanisms. Once the draft certification report is sent to the sponsor for validation and signed, ANSSI will announce it on their website, if the sponsor agrees.

It is important to note that certification applies to a specific version of the product and new versions are not inherently covered. To overcome this, the CSPN scheme provides a continuity process to determine how a new version of the product may benefit from the certification at reduced costs. Similarly, the sponsor may request periodic reviews to analyze the impact of new vulnerabilities on the product.

It could be several years before a CSPN-like certification process becomes popular in the U.S. but by taking steps now to become familiarized with this process, your company will be ready when the time comes – and better positioned to bring secure products to market faster.

Telemaco Melia, PhD, MBA is Business Development and Product Manager at Kudelski Security. Telemaco holds a Master’s degree in computer science from Politecnico di Torino (Italy), and a PhD. from the Telematics department of University of Goettingen (Germany), as well as an executive MBA from ESSEC Business School, Paris (France).

Kudelski Security



LinkedIn: www.linkedin.com/company/kudelski-security