Today, there are many cybersecurity solutions on the market. However, not all of them offer the same level of robustness and reliability.
- What is ANSSI's role and mission?
- What are the differences between first-level security certification and other security certifications?
- What are the advantages of First-Level Security Certification (CSPN)?
- What are the steps to certify a CSPN product?
- Does CSPN certification need to be renewed?
According to the Verizon Cybersecurity Report, "62% of system intrusion incidents are attributable to the initial compromise of a partner" (Source: Verizon).
It is therefore essential for enterprises to equip themselves with high-performing and reliable solutions in the long term.
This is why ANSSI (National Agency for Information Systems Security) has implemented two types of cybersecurity certifications: Common Criteria (CC) certification and First-Level Security Certification (CSPN). They make it possible to identify the most effective solutions recognized by ANSSI according to a well-defined evaluation and process.
Concretely, what are these certifications used for, and what are the advantages for users and for cybersecurity solution providers?
ANSSI: What is its role and mission?
ANSSI is the national authority responsible for ensuring the security and defense of information systems for the State and for companies classified as operators of vital importance (OIV), i.e. critical infrastructure operators. Directly attached to the General Secretariat for Defense and National Security (SGDSN), it has several roles and missions:
- Ensure the security and defense of the State's information systems;
- Develop research in cybersecurity to anticipate computer attacks (monitoring, detection, alerts);
- Develop the French cybersecurity sector;
- Be an actor in promoting cybersecurity to businesses and individuals.
ANSSI has over 20 years of experience in security certification. It has implemented a certification process to award ANSSI Security Visas to companies offering a reliable and robust product. These are the Common Criteria (CC) certification and the First-Level Security Certification (CSPN).
What are the differences between first-level security certification and other security certifications?
Common Criteria Certification
This certification is recognized in many countries. Common Criteria has 7 evaluation assurance levels that determine the degree of confidence given to the evaluated product:
- EAL1 – Functionally tested
- EAL2 – Structurally tested
- EAL3 – Methodically tested and checked
- EAL4 – Methodically designed, tested and reviewed
- EAL5 – Semiformally designed and tested
- EAL6 – Semiformally verified design and tested
- EAL7 – Formally verified design and tested
CC certification therefore provides internationally recognized security assurance on specific criteria for a product or system. However, it proves complex to obtain for SMEs and mid-sized companies because it requires significant time and its cost is high. Based on this observation, France launched the First-Level Security Certification (CSPN).
First-Level Security Certification (CSPN) by ANSSI
Introduced in 2008, CSPN focuses on analysis of the product itself and evaluates its security through a methodology and process defined by ANSSI and published on its website.
What are the advantages of First-Level Security Certification (CSPN)?
Choosing a Trusted Provider
If you are looking for a cybersecurity solution, it is recommended to turn to a product certified by ANSSI. This ensures you are making the choice of a product offering secure and proven functionalities for your information system.
Bringing Your IS into Compliance
Some companies or organizations have regulatory compliance obligations regarding IT. This depends on their sector of activity. The most common regulations are:
- GDPR (General Data Protection Regulation)
- PCI DSS (Payment Card Industry Data Security Standard)
- ISO/IEC 27001 (international information security management standard)
- NIS 2 Directive
By choosing a product certified with ANSSI CSPN Security Visa or CC, these organizations can ensure they comply with current standards and thus reduce risks related to security flaws.
Advantages as a Company or Provider of Certified Products
Certification represents real added value for a company offering a cybersecurity solution: it attests to the high level of security of the solution to the customers and partners who use it. Thanks to these certifications, companies stand out and distinguish themselves in their market.
Certification also entails ongoing work to evolve and update the solution so that it keeps complying with the standards and protecting users' sensitive data.
Discover PROVE IT, a privileged access management solution certified ANSSI CSPN Security Visa
What are the steps to certify a CSPN product?
Companies that conduct CSPN evaluations are Information Technology Security Evaluation Centers (CESTI) accredited by ANSSI. These centers must comply with a well-defined methodological framework. What are the steps to be ANSSI CSPN certified?
1. Preparation
First, each client must choose their evaluation center. In France, there are about ten CESTIs. The client must then prepare the necessary documentation for the security evaluation. This documentation includes, in particular, the product specifications, security specifications, technical documentation, etc. It allows ANSSI to understand the context of the product or solution's use, as well as the security requirements associated with it.
2. Security Evaluation
If the file is accepted by ANSSI, evaluation by the CESTI can begin within constrained time and resource limits (25 to 50 person-days over two months depending on the product type). The evaluator performs a detailed analysis of the product to identify any potential vulnerabilities or security flaws. This analysis may include penetration testing and code audits. The evaluator also verifies that the product or system complies with the security requirements set by ANSSI.
Compliance and Resistance Analysis
The objective is to verify that the analyzed product complies with the expected security specifications. Three evaluation criteria are taken into account regarding compliance: documentation analysis, source code review, and product testing.
Vulnerability Analysis by the Evaluator
The evaluator's task is to "extract relevant vulnerabilities and verify if and how they are exploitable on the product" among different types of vulnerabilities to address:
- Those specific to the product;
- Those related to the architecture and/or language used;
- Those that are generic, possibly applicable to the product.
The evaluator also checks that the vendor has a process for monitoring these vulnerabilities on the product, records the vulnerabilities found, and then looks for a fix or a method of limiting their effects.
3. Submission of the Technical Evaluation Report (RTE)
Following the security evaluation, the results of the analysis are synthesized in a Technical Evaluation Report. This document describes the results of the security analysis, any vulnerabilities identified, and recommendations for correcting them. This report allows the organization wishing to have its product or system certified to learn about any security flaws and the measures to put in place to remedy them.
4. Vulnerability Corrections
Once the evaluation report is received, the organization wishing to have its product or system certified must correct all identified vulnerabilities. Corrections must be made rigorously and completely to ensure the security of the product or system. The organization must then provide proof of the correction of vulnerabilities to the evaluator.
5. Issuance of CSPN Certification
If the product or solution meets ANSSI's requirements, CSPN certification can then be issued. It attests to the level of trust and robustness of the product. The certified product is then added to ANSSI's list of certified products, published on its official website.
Does CSPN Certification Need to Be Renewed?
Once your solution is certified, the certificate is valid for a given version of the product. As a general rule, a CSPN certificate is valid for 3 years. Renewing an ANSSI CSPN certification is therefore essential to ensure that IT products and solutions remain secure, compliant with regulations, reliable and competitive in a constantly changing technological and threat environment. It also allows the company to demonstrate its commitment to its customers' security and to protect its reputation.